chore: pin pnpm to 11.1.0 + 7-day minimumReleaseAge #165

Open: tirumerla wants to merge 1 commit into main from chore/pnpm11-min-release-age
@tirumerla (Collaborator)

Summary

  • Pins packageManager: pnpm@11.1.0 (latest)
  • Adds engines.pnpm: ">=11"
  • Adds pnpm.minimumReleaseAge: 10080 (= 7 days, in minutes)
  • Adds pnpm.minimumReleaseAgeExclude: ["@openzeppelin/*"]

Why

Supply-chain hardening response to the recent npm ecosystem incidents. minimumReleaseAge prevents pnpm from installing any package version published less than 7 days ago, giving compromised releases time to be detected and yanked before they land in our installs.

First-party @openzeppelin/* packages are excluded so internal releases continue to install immediately.

Test plan

  • CI passes with the new lockfile
  • pnpm install works locally on a fresh clone
  • No transitive resolution drift introduced by the pnpm 10 → 11 bump

- packageManager: pnpm@11.1.0
- engines.pnpm: >=11
- pnpm.minimumReleaseAge: 10080 (7 days, in minutes)
- pnpm.minimumReleaseAgeExclude: ["@openzeppelin/*"]

Adopts the supply-chain hardening recommendation from the recent npm
ecosystem incidents — packages must be at least 7 days old before pnpm
will install them. First-party @OpenZeppelin packages are excluded so
internal releases can be consumed immediately.

tirumerla requested a review from stevep0z as a code owner May 12, 2026 08:15
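
The release-age gate and its exclusion list described under "Why", modeled as an added example (not code from this PR and not pnpm's resolver). Package names, publish times and the fixed "now" are constructed, and choosing the newest version by publish time instead of by semver range is a simplifying assumption.

```javascript
const MINIMUM_RELEASE_AGE = 10080; // minutes (7 days), value from the PR
const MINIMUM_RELEASE_AGE_EXCLUDE = ['@openzeppelin/*']; // value from the PR

// Constructed sample data: publish times per version, and a fixed "now".
const NOW = new Date('2026-05-12T08:15:00Z');
const REGISTRY_TIMES = {
  'example-lib': {
    '1.0.0': '2026-01-10T00:00:00Z',
    '1.0.1': '2026-05-04T09:00:00Z',
    '1.0.2': '2026-05-11T22:00:00Z', // about 10 hours old: inside the window
  },
  '@openzeppelin/example-pkg': {
    '2.0.0': '2026-04-01T00:00:00Z',
    '2.1.0': '2026-05-12T07:00:00Z', // fresh, but matches the exclusion
  },
  'example-new-lib': { '0.1.0': '2026-05-10T00:00:00Z' },
};

// Turn a "*" glob into an anchored RegExp so "@openzeppelin/*" cannot
// match a lookalike scope such as "@openzeppelin-fake/pkg".
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^${escaped.replace(/\*/g, '.*')}$`);
}

function isExcluded(name, patterns) {
  return patterns.some((p) => globToRegExp(p).test(name));
}

// Newest version (by publish time) that passes the gate, plus the newer
// versions held back. Versions with no parseable timestamp are dropped.
function pickVersion(name, times, now, minAgeMinutes, exclude) {
  const cutoff = now.getTime() - minAgeMinutes * 60_000;
  const exempt = isExcluded(name, exclude);
  const byNewest = Object.entries(times)
    .map(([version, iso]) => ({ version, published: Date.parse(iso) }))
    .filter((v) => !Number.isNaN(v.published))
    .sort((a, b) => b.published - a.published);
  const held = [];
  for (const v of byNewest) {
    if (exempt || v.published <= cutoff) return { name, selected: v.version, held };
    held.push(v.version);
  }
  return { name, selected: null, held }; // no version is old enough yet
}

function audit(registry, now = NOW) {
  return Object.entries(registry).map(([name, times]) =>
    pickVersion(name, times, now, MINIMUM_RELEASE_AGE, MINIMUM_RELEASE_AGE_EXCLUDE));
}
console.log(audit(REGISTRY_TIMES));
```

A `selected: null` row is the case to watch when reviewing the lockfile: the only published versions are all inside the 7-day window.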

netlify Bot commented May 12, 2026

Deploy Preview for openzeppelin-docs-v2 ready!

Name Link
🔨 Latest commit 901f538
🔍 Latest deploy log https://app.netlify.com/projects/openzeppelin-docs-v2/deploys/6a02e1a12e7de600081385b3
😎 Deploy Preview https://deploy-preview-165--openzeppelin-docs-v2.netlify.app
