Harden dependency update handling #571
Open · bgentry wants to merge 1 commit into
Conversation
Add npm configuration that enforces a minimum release age, blocks git package refs, and requires the expected Node/npm engine versions. CI, release packaging, and Docker builds now use Node 24.14.1 with `npm ci` so installs follow the committed lockfile and project npm policy. Extend Dependabot coverage and cooldowns for Docker, Docker Compose, and GitHub Actions so regular dependency update PRs are delayed and reviewed through the usual workflow. Pin Docker and compose image refs to explicit patch tags and digests, including Postgres 18 for local development, so image changes happen through visible dependency updates instead of silent tag drift.
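The two install-time rules named above, a minimum release age and a ban on git package refs, can also be checked against the committed lockfile before `npm ci` runs. The script below is an added example for this PR page, not code from the PR or the project: it reads a lockfile-v3 `packages` map, flags git-sourced entries, and compares each package's publish time with a reference date. Real publish times come from the registry's `time` field (https://registry.npmjs.org/<name>); the registry fixture, lockfile and reference date here are constructed.

```javascript
// Added example (not part of the PR): lockfile policy check mirroring the
// minimum-release-age and no-git-refs rules from the PR description.
const MIN_RELEASE_AGE_DAYS = 3; // the three-day cooldown from the PR description

// Lockfile v3 "packages" entries are keyed by path; the root entry is "".
function packageNameFromPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
}

// True for the resolved-URL forms npm uses for git dependencies.
function isGitRef(resolved) {
  if (!resolved) return false;
  return /^(git\+|git:|github:|gitlab:|bitbucket:|ssh:)/.test(resolved) ||
    /^https?:\/\/github\.com\/[^/]+\/[^/]+(\.git)?(#|$)/.test(resolved);
}

// lockfile: parsed package-lock.json (lockfileVersion 3)
// registryTimes: { [pkgName]: { [version]: ISO publish timestamp } }
// now: reference Date, injected so the check is deterministic
function checkLockfile(lockfile, registryTimes, now) {
  const violations = [];
  const minAgeMs = MIN_RELEASE_AGE_DAYS * 24 * 60 * 60 * 1000;
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project
    const name = packageNameFromPath(path);
    if (isGitRef(entry.resolved)) {
      violations.push({ name, rule: 'git-ref', detail: entry.resolved });
      continue;
    }
    const published = registryTimes[name] && registryTimes[name][entry.version];
    if (!published) {
      violations.push({ name, rule: 'unknown-publish-time', detail: entry.version });
      continue;
    }
    const ageMs = now.getTime() - Date.parse(published);
    if (ageMs < minAgeMs) {
      violations.push({ name, rule: 'min-release-age', detail: `${entry.version} published ${published}` });
    }
  }
  return violations;
}

// Constructed fixtures (not the project's real lockfile or registry data).
const SAMPLE_LOCKFILE = {
  name: 'example-ui', lockfileVersion: 3,
  packages: {
    '': { name: 'example-ui', version: '0.0.0' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/fresh-lib': { version: '2.0.1', resolved: 'https://registry.npmjs.org/fresh-lib/-/fresh-lib-2.0.1.tgz' },
    'node_modules/unpinned-fork': { version: '0.1.0', resolved: 'git+ssh://git@github.com/example/unpinned-fork.git#0123abcd' },
  },
};
const SAMPLE_REGISTRY_TIMES = {
  'left-pad': { '1.3.0': '2018-04-15T10:00:00.000Z' },
  'fresh-lib': { '2.0.1': '2026-05-13T09:00:00.000Z' }, // one day before SAMPLE_NOW
};
const SAMPLE_NOW = new Date('2026-05-14T12:00:00.000Z');

function runLockfileSample() {
  return checkLockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIMES, SAMPLE_NOW);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of runLockfileSample()) console.log(`${v.rule}: ${v.name} (${v.detail})`);
}
```

Running it on the fixture reports `fresh-lib` (published one day ago) under `min-release-age` and `unpinned-fork` under `git-ref`; a package missing from the registry data is reported separately rather than silently passing.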
1c19811 to cdb3209
brandur reviewed May 14, 2026
| # syntax=docker/dockerfile:1 | ||
|
|
||
| FROM node:22-alpine AS build-ui | ||
| FROM node:24.14.1-alpine@sha256:8510330d3eb72c804231a834b1a8ebb55cb3796c3e4431297a24d246b8add4d5 AS build-ui |
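Review bot: the `+` line bundles two changes, a Node major bump (22 to 24.14.1) and the new digest pin, which makes the digest harder to review on its own; a one-line comment above the `FROM` saying that Dependabot maintains the digest and that the tag is the human-readable part would help future reviewers. When the digest is checked by hand it should be the digest of the tag's multi-platform manifest list, not of one architecture's image, since a per-arch digest would break the build on other platforms.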
There's some ergonomic downside to attaching these big SHAs to everything — it just makes updating these things harder.
I'm not sure there's that big a security benefit either. You're making the build more reproducible I suppose, but there's no way for a human to distinguish the safety of one of these giant SHA hashes from another giant SHA hash. I.e., if you dropped in a compromised hash here on a future upgrade, there's no way I'd be able to recognize it.
Dependency update safety is mostly handled by Dependabot timing and npm install behavior, so this adds project npm settings that reject packages published less than three days ago, block git dependency refs, and require the expected Node/npm engines. CI, release packaging, and Docker builds now use Node 24.14.1 with `npm ci` so installs follow the committed lockfile and project npm policy. Dependabot also covers Docker Compose and GitHub Actions with cooldowns, while Docker and Compose image refs are pinned to patch tags plus digests so image changes happen through reviewable dependency PRs instead of silent tag drift.
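The image-pinning policy in the commit message (explicit patch tag plus digest on every `FROM`) is the kind of rule a CI lint can enforce so a later edit cannot quietly drop back to a floating tag. The script below is an added example for this page, not the project's code: it parses Dockerfile `FROM` lines, including `--platform=` and `AS` forms, skips stage references and `scratch`, and reports any image reference without an explicit patch tag or a well-formed sha256 digest. The sample Dockerfile is constructed from the before/after lines in this PR's diff plus two extra lines for the edge cases.

```javascript
// Added example (not part of the PR): lint Dockerfile FROM lines against the
// "patch tag plus digest" pinning policy described in the commit message.
const FROM_RE = /^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$/i;

// Split "name[:tag][@digest]" into its parts. A registry host may carry a port
// ("localhost:5000/app"), so the tag separator is the last ":" after the last "/".
function parseImageRef(ref) {
  let name = ref, tag = null, digest = null;
  const at = name.indexOf('@');
  if (at !== -1) { digest = name.slice(at + 1); name = name.slice(0, at); }
  const lastSlash = name.lastIndexOf('/');
  const colon = name.lastIndexOf(':');
  if (colon > lastSlash) { tag = name.slice(colon + 1); name = name.slice(0, colon); }
  return { name, tag, digest };
}

// Policy: explicit MAJOR.MINOR.PATCH[-variant] tag and a sha256 digest.
function checkImageRef(ref) {
  const { name, tag, digest } = parseImageRef(ref);
  const problems = [];
  if (!tag) problems.push('no tag');
  else if (tag === 'latest') problems.push('floating tag "latest"');
  else if (!/^\d+\.\d+\.\d+(-[A-Za-z0-9.]+)?$/.test(tag)) problems.push(`tag "${tag}" is not an explicit patch version`);
  if (!digest) problems.push('no digest');
  else if (!/^sha256:[0-9a-f]{64}$/.test(digest)) problems.push('digest is not a well-formed sha256');
  return { name, tag, digest, ok: problems.length === 0, problems };
}

// One result per FROM line that names a registry image; references to earlier
// build stages and to "scratch" are skipped because they are not pulled.
function checkDockerfile(text) {
  const stages = new Set();
  const results = [];
  for (const line of text.split('\n')) {
    const m = FROM_RE.exec(line);
    if (!m) continue;
    const [, ref, alias] = m;
    if (alias) stages.add(alias.toLowerCase());
    if (ref === 'scratch' || stages.has(ref.toLowerCase())) continue;
    results.push({ line: line.trim(), ...checkImageRef(ref) });
  }
  return results;
}

// Constructed Dockerfile: the before/after FROM lines from this PR's diff (the
// digest is the one shown on the PR page), a stage reference, and a floating tag.
const SAMPLE_DOCKERFILE = `# syntax=docker/dockerfile:1
FROM node:22-alpine AS build-ui-old
FROM node:24.14.1-alpine@sha256:8510330d3eb72c804231a834b1a8ebb55cb3796c3e4431297a24d246b8add4d5 AS build-ui
FROM build-ui AS test
FROM --platform=$BUILDPLATFORM golang:latest AS build-go
`;

function runDockerfileSample() {
  return checkDockerfile(SAMPLE_DOCKERFILE);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runDockerfileSample()) {
    console.log(`${r.ok ? 'ok  ' : 'FAIL'} ${r.line}${r.ok ? '' : ' -> ' + r.problems.join('; ')}`);
  }
}
```

On the sample, only the pinned `node:24.14.1-alpine@sha256:...` line passes; `node:22-alpine` fails for both a floating tag and a missing digest, and `golang:latest` fails the same way, while `FROM build-ui` is recognised as a stage reference and not checked.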