chore(security): add /oi-ship-review ship gate + pin minimumReleaseAge#10
Open
matthiasdebernardini wants to merge 1 commit into
Open
Conversation
Author
|
this is a nice to have for me since I plan to use this and want a way to scan before I deploy, feel free to close it! |
| sharp: false | ||
| workerd: true | ||
|
|
||
| minimumReleaseAge: 10080 # 1 week; pnpm refuses any version published more recently |
Owner
There was a problem hiding this comment.
I'd put 2d, should be more than enough (malicious packages are usually handled within hours)
Owner
|
@matthiasdebernardini its good to have in general! Left a small nit and also there is a merge conflict since Vocs are removed (it was also an exception so thats good) |
lukaisailovic
approved these changes
Jun 22, 2026
Adds a project-scoped Claude Code skill that gates npm dependency changes before a box image is baked on the build machine — the one supply-chain surface left by the no-egress, single-tenant box model (customers never run npm; the image is built locally and copied over). The gate is single-pass and uses only native tooling: exact allowBuilds allowlist check, numeric minimumReleaseAge enforcement, full change-surface diff (lockfile + manifests + workspace + .npmrc + patches), frozen install, npm audit signatures, pnpm ignored-builds, fallow audit on changed source, and the full CI-required suite (build/typecheck/test/validate:templates/e2e/lint). Also pins minimumReleaseAge: 2880 (2 days) so pnpm install natively refuses any version published more recently — closing the gap where only minimumReleaseAgeExclude was set. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MQKPKjFLeugJLitRjSc1sA
39c4f5a to
8c4b6ca
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a project-scoped Claude Code skill,
/oi-ship-review, that gates npm dependency changes before a box image is baked — plus pinsminimumReleaseAgeso pnpm enforces a release-age window natively.Why
OpenIslands boxes are single-tenant, no-egress, no-hosting, and the image is built on the developer's machine and copied over. Customers never run
npm, so the npm supply-chain risk collapses to one surface: a malicious package version landing in the lockfile on the build machine, where it can run atpnpm install/pnpm buildtime. This gate guards that surface; it's an adopt-with-a-gate step, not a rewrite.The gate (single-pass, native tooling only)
allowBuildsallowlist check (onlyesbuildmay run a build script)minimumReleaseAgeenforcement (now pinned to10080= 1 week)pnpm-workspace.yaml+.npmrc+patches/**pnpm install --frozen-lockfile(never mutates the tree under review)npm audit signatures— verification failure / network-inconclusive ⇒ NO-GOpnpm ignored-builds— new build-script requests flaggedfallow auditon changed sourcebuild · typecheck · test · validate:templates · e2e · lintEnds in one GO / NO-GO verdict.
The one config change
minimumReleaseAge: 10080added topnpm-workspace.yaml, closing the gap where onlyminimumReleaseAgeExcludewas set —pnpm installnow refuses any version published within the last week.Validation
Ran
/oi-ship-reviewagainst this change: GO. All controls active, signatures clean (996 registry sigs / 185 attestations), fallow 0 findings, full suite green (591 tests, 4 templates valid, 3 e2e templates passed).🤖 Generated with Claude Code
https://claude.ai/code/session_0147ouwz5Qo6AnADMq9QPpr4