chore(security): npm supply-chain cooldown — pin deps + .npmrc release-age#23
Closed
decentraliser wants to merge 2 commits into
…e-age

Hardening against the Shai-Hulud / TanStack npm+PyPI supply-chain wave.
- add .npmrc: minimum-release-age=10080 (7d cooldown) + save-exact
- pin all 13 third-party direct deps to exact resolved versions; kept @emblemvault/* deps as ranges
- regenerate package-lock.json (synced)
- npm audit: 5 pre-existing transitive advisories (2 high) — left for a separate pass

L3-37 Claude
Author: Superseded by #21 — commits cherry-picked there (
Summary

Hardening the emblemai CLI (published `@emblemvault/agentwallet`) against the Shai-Hulud / TanStack npm+PyPI supply-chain wave (2026-05-12/13). PR from the working fork.

- `.npmrc`: `minimum-release-age=10080` (7-day cooldown) + `save-exact=true`
- `@emblemvault/*` deps (auth-sdk) as `^` ranges
- `package-lock.json` (synced)

Recommended follow-ups (not in this PR)

- `npm publish --provenance` so users who `npm i -g` can verify the tarball's build origin.

Caveats

- `npm ci` + `npm audit` before publish is the real protection.
- `npm audit`: 5 pre-existing transitive advisories (2 high) — not addressed here.

Test plan

`npm ci && npm run typecheck && npm test`
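As an added example (not code from this PR or the emblemai project), a Node script that applies the policy the summary describes: third-party direct deps must be exact, `@emblemvault/*` may stay as ranges, and a version is only eligible once it is older than the `minimum-release-age` cooldown read from `.npmrc`. The trusted scope, the sample package.json and the registry `time` timestamps are assumptions constructed for the example.

```javascript
// Added example, not code from this PR or the emblemai project: checks a package.json
// and .npmrc against the pin + cooldown policy above. Registry `time` data is constructed.
const TRUSTED_SCOPE = '@emblemvault/'; // assumption: the only scope kept as ^ ranges
// Parse .npmrc key=value lines; comment lines (# or ;) and blanks are ignored.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}
// Exact semver (x.y.z, optional prerelease/build): no ^, ~, *, x or range syntax.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
// Direct deps violating the policy: outside the trusted scope every spec must be
// an exact version; the trusted scope may keep ranges.
function findUnpinned(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([name, spec]) => !name.startsWith(TRUSTED_SCOPE) && !EXACT.test(spec))
    .map(([name]) => name);
}
// Numeric compare of two x.y.z strings (prerelease ordering ignored for brevity).
function semverCmp(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Newest version published at least `minutes` before `nowMs`, i.e. the one a
// minimum-release-age cooldown still lets the resolver pick. `timeMap` has the
// packument `time` shape: { created, modified, '1.2.3': iso, ... }.
function newestCooledVersion(timeMap, minutes, nowMs) {
  const cutoff = nowMs - minutes * 60 * 1000;
  const ok = Object.entries(timeMap)
    .filter(([v, iso]) => v !== 'created' && v !== 'modified' && Date.parse(iso) <= cutoff)
    .map(([v]) => v).sort(semverCmp);
  return ok.length ? ok[ok.length - 1] : null;
}
// Constructed sample: 2.4.1 was published inside the 7-day window, 2.4.0 was not.
const TIME = { created: '2026-04-01T00:00:00Z', modified: '2026-05-13T02:00:00Z',
  '2.4.0': '2026-04-20T00:00:00Z', '2.4.1': '2026-05-13T02:00:00Z' };
const NOW = Date.parse('2026-05-14T00:00:00Z');
const cfg = parseNpmrc('minimum-release-age=10080\nsave-exact=true\n');
console.log(findUnpinned({ dependencies: { lodash: '^4.17.21', '@emblemvault/auth-sdk': '^1.0.0' } }));
console.log(newestCooledVersion(TIME, Number(cfg['minimum-release-age']), NOW)); // 2.4.0
```

Run it against a real packument by fetching `https://registry.npmjs.org/<name>` and passing its `time` object; the check is the same one a cooldown setting performs at install time.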