Skip to content

chore: Minimum release age of one week#938

Open
lanesawyer wants to merge 1 commit into
google:masterfrom
lanesawyer:lane/934-minimum-release-age
Open

chore: Minimum release age of one week#938
lanesawyer wants to merge 1 commit into
google:masterfrom
lanesawyer:lane/934-minimum-release-age

Conversation

@lanesawyer
Copy link
Copy Markdown

@lanesawyer lanesawyer commented Apr 1, 2026

This PR resolves #934 by adding a min-release-age of 7 days to the .npmrc file. It alo updates the minimum Node version to 24, since that's the version that has the npm CLI with the min-release-age feature.

@google-cla
Copy link
Copy Markdown

google-cla Bot commented Apr 1, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@lanesawyer
Copy link
Copy Markdown
Author

lanesawyer commented Apr 1, 2026

Ah, getting some build failures because --before is being used, which is mutually exclusive with min-release-age. I'll take a look at that!

@lanesawyer lanesawyer mentioned this pull request Apr 1, 2026
Open
@jbms
Copy link
Copy Markdown
Collaborator

jbms commented Apr 2, 2026

Yes, seems like an npm bug.

A few things to note:

(1) Neuroglancer has a lot of build-time JavaScript dependencies but very few runtime JavaScript dependencies, and the runtime JavaScript dependencies are unlikely to pose security risks assuming they aren't malicious. The build-time dependencies aren't exposed and therefore only malicious packages are a risk there. Therefore, there is little reason to proactively update dependencies --- instead that can be done just as needed for new functionality.

(2) The min-release-age setting is only relevant when updating the lockfile, but I guess npm also just validates it all the time? That is unfortunate because in some case we may want to specifically use a newer version for some reason and we don't want a check failing as a result.

@lanesawyer
Copy link
Copy Markdown
Author

lanesawyer commented Apr 2, 2026

  1. Yeah, makes sense. I noticed Dependabot isn't configured to run regularly (and I was actually about to propose using it) but if it's not a need that sounds good!

  2. Yeah, that's why I'm a big fan of pnpm, they have a setting for excluding certain packages from the minimum release age check. After a quick search, I'm not finding npm has the same option yet... Of all the package managers, npm is the one moving slowest in this regard 😞

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

minimumReleaseAge in NPM configuration to reduce likelyhood of security issues

2 participants

@lanesawyer @jbms