
Add per-language supply chain attack prevention via default cooldowns #3791

Open

pid1 wants to merge 4 commits into semgrep:develop from pid1:develop

Conversation

pid1 (Contributor) commented Mar 27, 2026

Require cooldowns or minimum release ages before updating to newly published package versions.

This covers:

  • Dependabot
  • Renovate
  • pnpm
  • uv
  • bun

Additionally, detect unpinned dependencies in Python scripts using uv’s inline script metadata format.

CLAassistant commented Mar 27, 2026

CLA assistant check
All committers have signed the CLA.

Comment thread: generic/uv/security/uv-pyproject-missing-dependency-cooldown.yaml

diptendur2c commented:

pnpm minimumReleaseAge was introduced in v10; would it not be an FP for < 10? Maybe we can edit the message?

Address PR semgrep#3791 feedback:
- uv pyproject rule no longer requires [tool.uv] section to be present,
  as uv can be used without it. Regex broadened to match any TOML
  section header or key-value line. Confidence lowered to LOW.

New rules:
- npmrc-missing-min-release-age: flags .npmrc files without
  min-release-age set, also recommends ignore-scripts=true
- bunfig-missing-minimum-release-age: flags bunfig.toml files
  without minimumReleaseAge set under [install]

Test fixes:
- Consolidate test cases into single .generic files per rule,
  removing separate .txt files that caused semgrep --test failures
  (test framework requires ruleid annotations in each test file)
0xDC0DE (Contributor) commented Apr 2, 2026

You currently don't have a lot of ok test cases. We usually expect at least one for each rule; could you take a look at adding these?

0xDC0DE (Contributor) commented Apr 2, 2026

Overall, very useful contribution and well authored rules. Metadata and messages are great, path scoping is good.
🥇 Thanks for contributing, let's see if we can resolve the open comments and merge.

Comment thread: generic/bun/security/bunfig-missing-minimum-release-age.yaml (Outdated)

pid1 (Contributor, Author) commented Apr 2, 2026

@diptendur2c That was explicitly removed as per this feedback.

pid1 (Contributor, Author) commented Apr 2, 2026

@diptendur2c updated the pnpm phrasing and @0xDC0DE addressed your feedback RE ok cases.

0xDC0DE (Contributor) commented Apr 9, 2026

Thanks for this contribution, Jonathan. You were ahead of the curve in identifying cooldown rules as important, and the metadata and messaging across your rules are well done.

Since your PR was opened, however, we received an overlapping PR in #3805 that covers much of the same ground. After comparing both, I've decided to move forward with #3805 as the base because it uses language-aware parsers (yaml, json) instead of generic for structured config files, and validates that cooldown values meet a minimum threshold rather than only checking presence/absence (e.g., minimumReleaseAge: 0 would pass the generic + pattern-not-regex approach but is caught by the metavariable-comparison approach).

That said, your PR has two rules that #3805 does not cover:

  • npmrc-missing-min-release-age
  • uv-script-unpinned-dependency

We'd like to incorporate both of these. Would you be open to submitting them as a separate, smaller PR once #3805 is merged? You can ping me for review.

Thank you again for the contribution and for driving the discussion on this topic.
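The reviewer's point above, that `minimumReleaseAge: 0` passes a presence-only check but is caught by a value-aware one, as an added Python example that is not part of this PR or of semgrep-rules; the sample configs, the one-day threshold and the per-tool units (pnpm minutes, bun seconds, npm days) are assumptions:

```python
import re

# Constructed sample configs for the three package managers discussed in the PR
# (illustrative, not the PR's own test fixtures).
SAMPLES = {
    "pnpm-workspace.yaml": "packages:\n  - 'packages/*'\nminimumReleaseAge: 0\n",
    "bunfig.toml": "[install]\nminimumReleaseAge = 259200\n",
    ".npmrc": "ignore-scripts=true\n",
}

# Cooldown key per file and a factor converting its unit to minutes
# (assumed: pnpm minutes, bun seconds, npm days).
SETTINGS = {
    "pnpm-workspace.yaml": ("minimumReleaseAge", 1),
    "bunfig.toml": ("minimumReleaseAge", 1 / 60),
    ".npmrc": ("min-release-age", 1440),
}

MIN_MINUTES = 1440  # assumed policy: at least one day of cooldown


def _find_setting(filename, text):
    """Return the raw value of the cooldown key, or None when the key is absent."""
    key, _ = SETTINGS[filename]
    m = re.search(rf"^\s*{re.escape(key)}\s*[:=]\s*([^#\n]*)", text, re.M)
    return m.group(1).strip().strip("\"'") if m else None


def presence_check(filename, text):
    """Presence-only check (what generic + pattern-not-regex can express):
    reports 'missing' only when the key is absent, so a value of 0 passes."""
    return "missing" if _find_setting(filename, text) is None else None


def threshold_check(filename, text, minimum=MIN_MINUTES):
    """Value-aware check (what metavariable-comparison expresses): the key must
    exist, parse as a number, and meet the minimum once normalised to minutes."""
    raw = _find_setting(filename, text)
    if raw is None:
        return "missing"
    if not raw.isdigit():
        return f"unparseable: {raw!r}"
    _, to_minutes = SETTINGS[filename]
    minutes = int(raw) * to_minutes
    return f"too low: {minutes:g} min < {minimum} min" if minutes < minimum else None


def audit(samples=SAMPLES):
    """Run both checks over every sample; returns {filename: (presence, threshold)}."""
    return {name: (presence_check(name, text), threshold_check(name, text))
            for name, text in samples.items()}
```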
