request #47578 Block "exotic" npm subdeps and prevent trust downgrade during upgrade

Infos

Artifact ID#47578

Submitted byThomas Gerbet (tgerbet)

Last Modified On2026-04-09 11:11

Submitted on2026-04-08 17:14

Rank49305

Details

Summary *

Block "exotic" npm subdeps and prevent trust downgrade during upgrade

Original Submission

These are 2 recent options of pnpm that can help against certain classes of supply chain compromise.

https://pnpm.io/supply-chain-security

Additionaly, dependency updates are now delayed by 12 hours. It can potentially allow the community to detect compromise and pull the packages from the registry. The 12 hours mark should be reasonable with our response time to remediate security advisories and it puts us roughly in the time range it tooks to detect recent large scale supply chain attacks.

CategoryDev tools

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[x] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2026-04-09

Attachments

AttachmentsEmpty

References

Cross references

Show items referenced by request #47578

Referenced by request #47578

Artifact

rel #47138 17.6

Other

gerrit #37368

Follow-ups

Joris MASSON (jmasson)

2026-04-09 11:11

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Connected artifacts
- Added Fixed in: rel #47138

Tracker Workflow Manager (forge__tracker_workflow_manager)

2026-04-09 11:09

Implemented by @tgerbet with git #tuleap/tuleap/369305d987c6347f7f0bf9835dff7da4146074da.

Status changed from Under review to Closed
Close date set to 2026-04-09

Thomas Gerbet (tgerbet)

2026-04-08 17:18

See gerrit #37368.

Status changed from Under implementation to Under review

Public

Referenced by request #47578

Artifact

Other

Follow-ups