Safer autoinstall (#1348)

josephjclark · web-flow · commit 4945b0a3b38e · 2026-04-02T09:32:45.000+01:00
* set min-release-age

* fix command

* fix tests

* remove typesync (temporarily)

* security updates

* versions
diff --git a/package.json b/package.json
@@ -18,7 +18,7 @@
     "test:integration": "pnpm -r --filter=./integration-tests/* run test",
     "test:types": "pnpm -r --filter=./packages/* run test:types",
     "test": "pnpm -r --filter=./packages/* run test",
-    "typesync": "pnpm exec typesync && pnpm -r exec typesync && pnpm install"
+    "_typesync": "pnpm exec typesync && pnpm -r exec typesync && pnpm install"
   },
   "keywords": [],
   "author": "Open Function Group",
@@ -34,8 +34,7 @@
     "prettier": "^2.8.8",
     "rimraf": "^6.1.3",
     "semver": "^7.7.4",
-    "tar-stream": "^3.1.8",
-    "typesync": "^0.14.3"
+    "tar-stream": "^3.1.8"
   },
   "packageManager": "pnpm@10.17.1+sha512.17c560fca4867ae9473a3899ad84a88334914f379be46d455cbf92e5cf4b39d34985d452d2583baf19967fa76cb5c17bc9e245529d0b98745721aa7200ecaf7a"
 }
diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @openfn/cli
 
+## 1.31.1
+
+### Patch Changes
+
+- 945437c: When installing adaptors, only install versions that have been released for 24hours
+- Updated dependencies [945437c]
+  - @openfn/runtime@1.8.7
+
 ## 1.31.0
 
 ### Minor Changes
diff --git a/packages/cli/package.json b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@openfn/cli",
-  "version": "1.31.0",
+  "version": "1.31.1",
   "description": "CLI devtools for the OpenFn toolchain",
   "engines": {
     "node": ">=18",
@@ -35,6 +35,7 @@
   "devDependencies": {
     "@openfn/language-collections": "^0.8.3",
     "@openfn/language-common": "3.2.3",
+    "@types/lodash-es": "~4.17.12",
     "@types/mock-fs": "^4.13.4",
     "@types/node": "^18.19.130",
     "@types/rimraf": "^3.0.2",
diff --git a/packages/engine-multi/CHANGELOG.md b/packages/engine-multi/CHANGELOG.md
@@ -1,5 +1,12 @@
 # engine-multi
 
+## 1.10.8
+
+### Patch Changes
+
+- Updated dependencies [945437c]
+  - @openfn/runtime@1.8.7
+
 ## 1.10.7
 
 ### Patch Changes
diff --git a/packages/engine-multi/package.json b/packages/engine-multi/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@openfn/engine-multi",
-  "version": "1.10.7",
+  "version": "1.10.8",
   "description": "Multi-process runtime engine",
   "main": "dist/index.js",
   "type": "module",
diff --git a/packages/lightning-mock/CHANGELOG.md b/packages/lightning-mock/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @openfn/lightning-mock
 
+## 2.4.10
+
+### Patch Changes
+
+- Updated dependencies [945437c]
+  - @openfn/runtime@1.8.7
+  - @openfn/engine-multi@1.10.8
+
 ## 2.4.9
 
 ### Patch Changes
diff --git a/packages/lightning-mock/package.json b/packages/lightning-mock/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@openfn/lightning-mock",
-  "version": "2.4.9",
+  "version": "2.4.10",
   "private": true,
   "description": "A mock Lightning server",
   "main": "dist/index.js",
@@ -35,15 +35,13 @@
   },
   "devDependencies": {
     "@types/koa": "^2.15.0",
-    "@types/koa-route": "^3.2.9",
     "@types/koa-websocket": "^5.0.11",
     "@types/koa__router": "^12.0.5",
     "@types/node": "^18.19.130",
     "@types/nodemon": "1.19.3",
     "@types/phoenix": "^1.6.7",
     "@types/yargs": "^17.0.35",
     "ava": "5.3.1",
-    "koa-route": "^3.2.0",
     "koa-websocket": "^7.0.0",
     "query-string": "^8.2.0",
     "tslib": "^2.8.1",
diff --git a/packages/runtime/CHANGELOG.md b/packages/runtime/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @openfn/runtime
 
+## 1.8.7
+
+### Patch Changes
+
+- 945437c: When installing adaptors, only install versions that have been released for 24hours
+
 ## 1.8.6
 
 ### Patch Changes
diff --git a/packages/runtime/package.json b/packages/runtime/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@openfn/runtime",
-  "version": "1.8.6",
+  "version": "1.8.7",
   "description": "Job processing runtime.",
   "type": "module",
   "exports": {
diff --git a/packages/runtime/src/modules/repo.ts b/packages/runtime/src/modules/repo.ts
@@ -12,6 +12,13 @@ const defaultPkg = {
   dependencies: {},
 };
 
+const npmInstallFlags = [
+  '--no-audit',
+  '--no-fund',
+  '--no-package-lock',
+  `--min-release-age=1`,
+];
+
 export const defaultRepoPath = '/tmp/openfn/repo';
 
 type InstallList = Array<{ name: string; version: string }>;
@@ -60,16 +67,19 @@ export const install = async (
   }
 
   if (forInstalling.length) {
-    const flags = ['--no-audit', '--no-fund', '--no-package-lock'];
     const aliases = forInstalling.map(({ name, version }) => {
       const alias = `npm:${name}@${version}`;
       const aliasedName = `${name}_${version}`;
       return `${aliasedName}@${alias}`;
     });
+    log.info(`npm install ${npmInstallFlags.join(' ')} ${aliases.join(' ')}`);
     // TODO it would be nice to report something about what's going on under the hood here
-    await execFn(`npm install ${flags.join(' ')} ${aliases.join(' ')}`, {
-      cwd: repoPath,
-    });
+    await execFn(
+      `npm install ${npmInstallFlags.join(' ')} ${aliases.join(' ')}`,
+      {
+        cwd: repoPath,
+      }
+    );
     log.success(
       `Installed ${forInstalling
         .map(({ name, version }) => `${name}@${version}`)
diff --git a/packages/runtime/test/repo/install.test.ts b/packages/runtime/test/repo/install.test.ts
@@ -119,10 +119,11 @@ test.serial('installing should use the correct flags', async (t) => {
   const flags = cmd
     .split(' ')
     .filter((token: string) => token.startsWith('--'));
-  t.assert(flags.length === 3);
+  t.assert(flags.length === 4);
   t.assert(flags.includes('--no-audit'));
   t.assert(flags.includes('--no-fund'));
   t.assert(flags.includes('--no-package-lock'));
+  t.assert(flags.includes('--min-release-age=1'));
 });
 
 test.serial('install with the correct alias', async (t) => {
diff --git a/packages/ws-worker/CHANGELOG.md b/packages/ws-worker/CHANGELOG.md
@@ -1,5 +1,14 @@
 # ws-worker
 
+## 1.23.2
+
+### Patch Changes
+
+- 945437c: When installing adaptors, only install versions that have been released for 24hours
+- Updated dependencies [945437c]
+  - @openfn/runtime@1.8.7
+  - @openfn/engine-multi@1.10.8
+
 ## 1.23.1
 
 ### Patch Changes
diff --git a/packages/ws-worker/package.json b/packages/ws-worker/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@openfn/ws-worker",
-  "version": "1.23.1",
+  "version": "1.23.2",
   "description": "A Websocket Worker to connect Lightning to a Runtime Engine",
   "main": "dist/index.js",
   "type": "module",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@openfn/engine-multi",`
`3`		`- "version": "1.10.7",`
	`3`	`+ "version": "1.10.8",`
`4`	`4`	`"description": "Multi-process runtime engine",`
`5`	`5`	`"main": "dist/index.js",`
`6`	`6`	`"type": "module",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@openfn/runtime",`
`3`		`- "version": "1.8.6",`
	`3`	`+ "version": "1.8.7",`
`4`	`4`	`"description": "Job processing runtime.",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"exports": {`