security: gate agent-requested npm installs by package release age #2749
Open
boazdori wants to merge 2 commits into
Conversation
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Review follow-up to Task 3: 10s AbortController timeout so the approval handler can't hang on a slow registry (abort → fail-closed); honor only exact-pinned name@version overrides (drop bare-name bypass); hoist NpmMeta type; add scoped-package coverage.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@boazdori requested review from gabi-simons and gavrielc as code owners, June 12, 2026 13:26
sturdy4days commented Jun 12, 2026
Adopted on our production fork today — this closes a gap we'd documented but never wired: our root supply-chain policy (3-day minimumReleaseAge, exact-pin-only exclusions with human sign-off) governed the host tree's pnpm installs while agent-requested container packages sailed past it on a single approval tap. Gate placement before any config mutation / image rebuild is right, and fail-closed on unverifiable packages matches how the pnpm policy behaves. The exact-pinned allowReleaseAge override mirroring minimumReleaseAgeExclude semantics is a nice touch — same mental model both places. Tests transplanted and pass against our tree. +1.
Summary

- `install_packages` request: requested npm packages are now checked against the same 3-day `minimumReleaseAge` the host's pnpm policy already enforces (`pnpm-workspace.yaml`). Packages whose selected version was published less than 3 days ago are blocked unless an exact-pinned `name@version` override is supplied (human sign-off).
- `AbortController` timeout so the approval handler can't hang on a slow/unreachable registry.

Why

The host source tree already enforces `minimumReleaseAge` for supply-chain safety, but agent-requested container packages bypassed it entirely — a freshly-published malicious version could be installed into an agent container on a single approval. This closes that gap by reusing the same threshold, and the gate runs before any config mutation or image rebuild, so a blocked request changes nothing.

Test Plan

- `checkNpmReleaseAge` unit tests: old version passes, too-new flagged, exact-pinned override exempts, registry failure → unverifiable (fail-closed), scoped package resolves end-to-end
- `parseSpec` unit tests for scoped/unscoped, versioned/unversioned specs
- `updateContainerConfigJson`/`buildAgentGroupImage`
- `pnpm run build` clean; full host test suite green

🤖 Generated with Claude Code
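The gate the PR description and the review comment describe, written out as an added example for readers of this thread. This is not the PR's code: the function names `parseSpec` and `checkNpmReleaseAge` are borrowed from the test plan, but their signatures, the `NpmMeta`/`GateOptions` types, the verdict shape, and the helper names `fetchMetaWithTimeout` and `gateInstallRequest` are assumptions. The packument fields it reads (`dist-tags.latest`, `time[version]`) are the public npm registry format; the registry data and timestamps below are constructed so the example runs offline. Registry access is injected as a function so a hung lookup can be simulated and shown to fail closed.

```typescript
// Added example, not code from PR #2749. Release-age gate for agent-requested
// npm installs, mirroring the behaviour described in the PR summary.

type NpmMeta = {
  "dist-tags"?: Record<string, string>;
  time?: Record<string, string>; // version -> ISO 8601 publish timestamp
};
type ParsedSpec = { name: string; version?: string };
type AgeVerdict =
  | { status: "ok"; name: string; version: string; ageMs: number }
  | { status: "too-new"; name: string; version: string; ageMs: number }
  | { status: "exempt"; name: string; version: string }
  | { status: "unverifiable"; name: string; reason: string };
type GateOptions = {
  minimumReleaseAgeMs: number;          // same threshold as pnpm's minimumReleaseAge
  allowReleaseAge: ReadonlySet<string>; // exact "name@version" overrides only
  now?: number;                         // injectable clock for deterministic tests
};
type MetaFetcher = (name: string, signal: AbortSignal) => Promise<NpmMeta>;

const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000;

// Split "name" or "name@version"; the leading "@" of a scoped package is not a separator.
function parseSpec(spec: string): ParsedSpec {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  return at === -1 ? { name: spec } : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Simplified semver check: only an exact pin may match an override entry, so a
// bare name or a range never silently covers a version published later.
function isExactPin(spec: ParsedSpec): boolean {
  return spec.version !== undefined && /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/.test(spec.version);
}

function checkNpmReleaseAge(spec: string, meta: NpmMeta | null, opts: GateOptions): AgeVerdict {
  const parsed = parseSpec(spec);
  const { name } = parsed;
  if (isExactPin(parsed) && opts.allowReleaseAge.has(`${name}@${parsed.version}`)) {
    return { status: "exempt", name, version: parsed.version! };
  }
  // Anything we cannot verify is blocked, matching the fail-closed pnpm behaviour.
  if (!meta) return { status: "unverifiable", name, reason: "no registry metadata" };
  const version = isExactPin(parsed) ? parsed.version! : meta["dist-tags"]?.latest;
  if (!version) return { status: "unverifiable", name, reason: "no latest dist-tag" };
  const published = meta.time?.[version];
  if (!published) return { status: "unverifiable", name, reason: `no publish time for ${version}` };
  const ageMs = (opts.now ?? Date.now()) - Date.parse(published);
  if (!Number.isFinite(ageMs)) return { status: "unverifiable", name, reason: "unparseable publish time" };
  return ageMs >= opts.minimumReleaseAgeMs
    ? { status: "ok", name, version, ageMs }
    : { status: "too-new", name, version, ageMs };
}

// Registry lookup with a hard deadline: abort or error yields null, which the
// gate above treats as unverifiable instead of letting the install through.
async function fetchMetaWithTimeout(fetchMeta: MetaFetcher, name: string, timeoutMs = 10_000): Promise<NpmMeta | null> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    return await fetchMeta(name, controller.signal);
  } catch {
    return null;
  } finally {
    clearTimeout(timer);
  }
}

// Evaluate every package before any config mutation or image rebuild; one
// blocked package rejects the whole request.
async function gateInstallRequest(specs: string[], fetchMeta: MetaFetcher, opts: GateOptions, timeoutMs = 10_000): Promise<{ allowed: boolean; verdicts: AgeVerdict[] }> {
  const verdicts: AgeVerdict[] = [];
  for (const spec of specs) {
    const meta = await fetchMetaWithTimeout(fetchMeta, parseSpec(spec).name, timeoutMs);
    verdicts.push(checkNpmReleaseAge(spec, meta, opts));
  }
  return { allowed: verdicts.every((v) => v.status === "ok" || v.status === "exempt"), verdicts };
}

// Constructed sample data (not real packages or publish dates).
const SAMPLE_NOW = Date.parse("2026-06-12T13:26:00Z");
const SAMPLE_REGISTRY: Record<string, NpmMeta> = {
  "@acme/widgets": {
    "dist-tags": { latest: "2.0.0" },
    time: { "1.9.0": "2026-05-01T00:00:00Z", "2.0.0": "2026-06-11T09:00:00Z" }, // 2.0.0 is ~28h old
  },
};
const SAMPLE_OPTS: GateOptions = {
  minimumReleaseAgeMs: THREE_DAYS_MS,
  allowReleaseAge: new Set(["@acme/widgets@2.0.0"]),
  now: SAMPLE_NOW,
};
const fakeFetchMeta: MetaFetcher = async (name, _signal) => {
  const meta = SAMPLE_REGISTRY[name];
  if (!meta) throw new Error("404 Not Found");
  return meta;
};
// A registry that never answers; only the AbortSignal ends the call.
const hungFetchMeta: MetaFetcher = (_name, signal) =>
  new Promise((_resolve, reject) => signal.addEventListener("abort", () => reject(new Error("aborted"))));
```

With these inputs, `@acme/widgets@1.9.0` is old enough and passes, a bare `@acme/widgets` resolves to `latest` (`2.0.0`, published 28 hours ago) and is blocked, `@acme/widgets@2.0.0` is exempt because exactly that pin is in `allowReleaseAge`, and the bare-name request is still blocked even though a pin for its latest version is on the allow list. A registry that hangs or returns an error yields `unverifiable`, so the request is rejected rather than installed.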
checkNpmReleaseAgeunit tests: old version passes, too-new flagged, exact-pinned override exempts, registry failure → unverifiable (fail-closed), scoped package resolves end-to-endparseSpecunit tests for scoped/unscoped, versioned/unversioned specsupdateContainerConfigJson/buildAgentGroupImagepnpm run buildclean; full host test suite green🤖 Generated with Claude Code