Commit 7bf7fc2
security: implement NPM supply chain attack protection with 3-day age gate (#846)
## **Description**
Implements critical NPM supply chain attack protection by adding a 3-day
minimum age gate for package installations. This security enhancement
prevents the installation of freshly published packages that could
contain malicious code, providing a crucial defense against supply chain
attacks.
The implementation follows [instructions from the security
team](https://consensys.slack.com/archives/C0318JSUBM3/p1760719594306489)
for protecting against ongoing NPM supply chain threats, requiring all
packages to be at least 3 days old before installation while maintaining
exceptions for trusted MetaMask and LavaMoat packages.
## **Related issues**
Fixes: https://consensyssoftware.atlassian.net/browse/DSYS-242
## **Manual testing steps**
- [x] Verify yarn version upgraded to 4.10.2+ for age gate support
- [x] Run `yarn install` to confirm age gate configuration works without
blocking existing dependencies
- [x] Confirm `@metamask/*` and `@lavamoat/*` packages are pre-approved
and can bypass age restrictions
- [x] Test that the repository builds and runs correctly with new yarn
version
- [ ] Attempt to install a very recent package to verify age gate blocks
it (optional security validation)
## **Screenshots/Recordings**
Not applicable - this is a security infrastructure change without visual
components.
## **Pre-merge author checklist**
- [x] I have reviewed the Files changed tab
- [x] Yarn version updated to 4.10.2 to support npmMinimalAgeGate
feature
- [x] Added npmMinimalAgeGate: 4320 (3 days in minutes) to .yarnrc.yml
- [x] Added npmPreapprovedPackages list with trusted @metamask/* and
@lavamoat/* packages
- [x] Verified yarn install works correctly with new configuration
- [x] All existing scripts and workflows continue to function
- [ ] I have tested this PR on my local machine
## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and/or screenshots.
## **Security Impact**
**Protection Against Supply Chain Attacks:**
- **3-Day Age Gate**: Prevents installation of packages newer than 3
days, allowing the community time to identify and report malicious packages
- **Trusted Package Bypass**: @metamask/* and @lavamoat/* packages can
bypass restrictions for urgent security updates
- **Zero Developer Friction**: Protection works transparently without
changing development workflows
**Before:**
- Any NPM package could be installed immediately upon publication
- Vulnerable to fresh supply chain attacks and malicious package
injections
- No protection against compromised packages in the first hours/days
**After:**
- All external packages must be at least 72 hours old before
installation
- Trusted MetaMask and LavaMoat packages can bypass for emergency
updates
- Automatic protection against fresh malicious packages with zero
workflow impact
## **Technical Details**
**Configuration Changes:**
- **package.json**: Updated `packageManager` from `[email protected]` to
`[email protected]`
- **.yarnrc.yml**: Added `npmMinimalAgeGate: 4320` (3 days in minutes)
- **.yarnrc.yml**: Added `npmPreapprovedPackages` with `["@metamask/*",
"@lavamoat/*"]`
**Yarn Lock Updates:**
- Minor typescript patch hash update (expected with yarn version change)
- No breaking dependency changes
**Security Alignment:**
- Follows MetaMask security best practices for supply chain protection
- Implements defense-in-depth strategy alongside existing
@lavamoat/allow-scripts protection
- Compatible with existing LavaMoat yarn plugin configuration
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Enable a 3‑day NPM package age gate in Yarn and bump Yarn to 4.10.3, updating constraints and lockfile accordingly.
>
> - **Config/Security**:
>   - Add `npmMinimalAgeGate: 4320` and `npmPreapprovedPackages` (`@metamask/*`, `@lavamoat/*`) in `.yarnrc.yml`.
> - **Tooling**:
>   - Update `packageManager` from `[email protected]` to `[email protected]` in `package.json`.
>   - Update `yarn.config.cjs` constraint to expect `[email protected]`.
> - **Lockfile**:
>   - Update `yarn.lock` TypeScript patch resolution/checksum.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 4d63fe0. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

1 parent 721f31b commit 7bf7fc2
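As an added illustration (not code from this PR, and not Yarn's own implementation), the Node.js snippet below models the decision the two new `.yarnrc.yml` settings make: a version is refused when its registry publish time is younger than `npmMinimalAgeGate` minutes, unless the package name matches one of the `npmPreapprovedPackages` globs. The packument, its `time` map and the "current time" are constructed sample data, and the glob matcher and gate logic are this example's own.

```javascript
// Added example: models Yarn's npmMinimalAgeGate / npmPreapprovedPackages decision.
// The gate logic and glob matcher are this example's own; they are not Yarn's code.
const MINIMAL_AGE_MINUTES = 4320;                   // 3 days, the value set in .yarnrc.yml
const PREAPPROVED = ['@metamask/*', '@lavamoat/*']; // npmPreapprovedPackages from the PR

// Turn a glob such as "@metamask/*" into a RegExp anchored on the whole package name,
// so lookalikes like "@metamask-evil/x" or "metamask" cannot match.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

function isPreapproved(name, patterns = PREAPPROVED) {
  return patterns.some((pattern) => globToRegExp(pattern).test(name));
}

// Decide whether `version` of `name` may be installed at time `nowMs` (epoch milliseconds).
// `packument.time` follows the npm registry shape: { [version]: ISO-8601 publish timestamp }.
function checkAgeGate(name, version, packument, nowMs, minAgeMinutes = MINIMAL_AGE_MINUTES) {
  if (isPreapproved(name)) {
    return { allowed: true, reason: 'preapproved scope, age gate bypassed' };
  }
  const publishedAt = packument.time && packument.time[version];
  if (!publishedAt) {
    return { allowed: false, reason: 'no publish timestamp for this version' };
  }
  const ageMinutes = (nowMs - Date.parse(publishedAt)) / 60000;
  if (ageMinutes < minAgeMinutes) {
    return { allowed: false, reason: `published ${Math.floor(ageMinutes)} min ago, gate is ${minAgeMinutes} min` };
  }
  return { allowed: true, reason: `published ${Math.floor(ageMinutes)} min ago` };
}

// Constructed sample packument and clock; not real registry data.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  time: {
    '1.0.0': '2025-10-01T00:00:00.000Z', // 17 days old at SAMPLE_NOW_MS: passes the gate
    '1.0.1': '2025-10-17T12:00:00.000Z', // 12 hours old at SAMPLE_NOW_MS: blocked by the gate
  },
};
const SAMPLE_NOW_MS = Date.parse('2025-10-18T00:00:00.000Z');

for (const [name, version] of [['example-lib', '1.0.0'], ['example-lib', '1.0.1'], ['@metamask/utils', '9.9.9']]) {
  const verdict = checkAgeGate(name, version, SAMPLE_PACKUMENT, SAMPLE_NOW_MS);
  console.log(`${name}@${version}: ${verdict.allowed ? 'ALLOW' : 'BLOCK'} (${verdict.reason})`);
}
```

The anchored glob matters: a scope-wide exemption should never be satisfiable by a typosquatted name that merely contains the trusted scope as a substring.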
4 files changed, +13 -4 lines changed

Diff hunks (the changed file contents were not captured on this page; only the line numbers survive):

- Hunk 1: context lines 17-19, new lines 20-28 added (9 insertions)
- Hunk 2: context lines 128-130 and 132-134, line 131 replaced (1 deletion, 1 insertion)
- Hunk 3: context lines 207-209 and 211-213, line 210 replaced (1 deletion, 1 insertion)
- Hunk 4: context lines 20703-20705, 20707-20709 and 20711-20713, lines 20706 and 20710 replaced (2 deletions, 2 insertions)
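Review bot: the Yarn version is stated inconsistently across this change: the description and author checklist say 4.10.2, while the generated summary says `packageManager` in `package.json` and the constraint in `yarn.config.cjs` now expect 4.10.3; please align the PR text, the `packageManager` value and the constraint so the reviewer checklist item on the yarn version can actually be verified. Also note that `npmPreapprovedPackages` with `@metamask/*` and `@lavamoat/*` is a scope-wide exemption from the age gate, so a malicious publish under either scope would still install immediately; that trade-off is worth a comment next to the setting in `.yarnrc.yml` so future readers know the bypass is intentional.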