Over the past year, the software supply chain has faced several large-scale security incidents, including the Shai-Hulud worm, the compromise of the Nx build system, and the compromise of tj-actions/changed-files, which dumped CI secrets into public GitHub Actions logs. These events represent only a small portion of the attacks that have recently hit open-source development environments.
The software industry and its surrounding ecosystem continue to experience a sharp increase in the frequency of such threats. In 2024 alone, malicious packages grew by 156% compared to the previous year. With Mend’s hosted Renovate Cloud platform already trusted by over 1.3 million repositories, the company holds a strong position to enhance the security posture of open-source software consumers and to deliver stronger default configurations for self-hosted Renovate users. In response to several high-profile npm supply chain breaches, the Mend Renovate maintainer team decided to enable additional protective mechanisms by default for those who opt into the “best practices” configuration.
To strengthen defenses against these evolving attacks, the maintainer team has expanded upon the existing “best practices” configuration available in Mend Renovate. The objective is to provide a more secure-by-default setup, initially focusing on the npm ecosystem.
In the latest Mend Renovate 42 release, users of the “best practices” configuration will find that dependency updates in the npm ecosystem must satisfy a “minimum release age” requirement. Specifically, at least three days must have passed since a package version was published before Mend Renovate proposes it as an update. Age alone does not prove a release is trustworthy, but the waiting period gives registries, security researchers and automated scanners time to spot and remove a malicious version before it reaches a project, lowering the likelihood of a supply chain compromise while preserving most of the development velocity that automated updates provide.
Why This Matters
Although these incidents vary in scope, most exploit two recurring conditions:
- the exact version of a dependency is not pinned, or
- the exact version is pinned, but the update occurs too soon after release.
In some cases, avoiding strict version pinning is justified, particularly in the npm ecosystem, where a published library may itself have many dependencies and a large number of dependents.
When every dependency version bump requires the release of a new package version, all dependent projects must also update and release their own versions, producing a cascading effect across the ecosystem.
Automation can alleviate part of this burden. Tools such as Mend Renovate and GitHub’s Dependabot streamline the process of updating dependencies, yet a degree of human review remains essential to ensure safety.
At the same time, leaving dependencies unpinned introduces its own risks, as users may start downloading new versions of packages immediately after release.
With the growing recommendation to pin dependency versions, a new question arises: how soon after a release should a project adopt it? Many existing tools operate under a default “update immediately” policy, which can produce a Pull Request for a potentially malicious version within minutes of its publication.
Even if a harmful dependency never reaches a developer workstation, it can still run inside the automated build pipeline that installs it to test the Pull Request, where it may exfiltrate secrets or other privileged material, or attempt prompt injection against AI-assisted code review tooling that reads the diff.
Extending the period between a package’s release and its appearance in a project’s Pull Requests provides valuable time for security researchers and automated scanning tools to detect malicious intent, reducing the overall risk of supply chain compromise.
Strengthening the Ecosystem with Mend Renovate
As introduced in the newest release, Mend Renovate now enforces the “minimum release age” rule for all users employing the “best practices” configuration. This enforcement applies to any npm datasource, regardless of the JavaScript or TypeScript package manager in use.
The policy ensures that:
- each candidate update carries registry metadata giving the publish timestamp of that version, and
- no update branch is created until at least three days have passed since that publish time.
Updates that have not yet reached the age threshold are listed in Mend Renovate’s Dependency Dashboard with an “awaiting” status and are only created after explicit human approval. The delay does not make an update “safe” by itself; it keeps the freshest, least-scrutinized versions out of the automated update path until the community and scanning tools have had time to examine them.
It is important to note that a waiting period does not eliminate all risk. A targeted attack, a payload that stays dormant until after the window has passed, or obfuscation (AI-assisted or otherwise) that defeats scanners can still get through. Nevertheless, the feature substantially reduces both the likelihood and the blast radius of a malicious package propagating through automated updates, even though it cannot serve as a universal solution.
By integrating this mechanism into the “best practices” configuration, users who follow that recognized baseline gain the protection by default. Others can enable the same preset manually and adjust it as needed, for example:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["security:minimumReleaseAgeNpm"]
}
Defense in Depth
In addition to delaying dependency updates until the defined waiting period has elapsed, implementing multiple layers of defense remains essential.
Whenever possible, the same functionality should be activated within package managers themselves, ensuring that developer machines remain protected and that automated build pipelines halt updates until the defined release window has passed.
As of this writing, pnpm 10.6 and yarn 4.2.0 both include support for this mechanism, and other package managers are evaluating similar capabilities.
What’s Next
Future development aims to deepen integration between Mend Renovate and popular package managers such as pnpm and yarn, providing a more seamless and consistent experience.
Further work is also planned to extend this functionality to additional package ecosystems, making it available within the “best practices” configuration and further strengthening overall software supply chain security.
For community discussions, questions, and technical feedback, topics can be shared directly through the Mend Renovate Discussion Forum.