fix: move minimum-release-age to pnpm-workspace.yaml, fix Socket package downgrades (#136)

jdalton · web-flow · commit 0145a822fcb0 · 2026-04-03T23:31:09.000-04:00
* fix: move minimum-release-age to pnpm-workspace.yaml, fix Socket package downgrades

- Move pnpm's minimum-release-age from .npmrc to pnpm-workspace.yaml
  to avoid npm v11+ warning about unknown config key
- Keep min-release-age=7 in .npmrc for npm
- Fix update script: bypass age gate for @socketsecurity/* and
  @socketregistry/* via env override (prevents downgrades)

* fix(test): replace flaky clock-skew cache tests with real TTL expiration test

The two clock-skew tests didn't actually test clock skew — they just did
set/get/clear without creating far-future entries. They were slow
(filesystem IO) and caused CI worker timeouts. Replaced with a single
memoized TTL expiration test that verifies entries expire after TTL.
diff --git a/.npmrc b/.npmrc
@@ -2,9 +2,8 @@ ignore-scripts=true
 link-workspace-packages=false
 loglevel=error
 prefer-workspace-packages=false
-# Minimum release age - wait 7 days before installing newly published packages
-# pnpm uses minimum-release-age (minutes), npm v11+ uses min-release-age (days)
-minimum-release-age=10080
+# Minimum release age for npm v11+ (days).
+# pnpm equivalent is in pnpm-workspace.yaml (minimumReleaseAge).
 min-release-age=7
 
 trust-policy=no-downgrade
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -0,0 +1,3 @@
+settings:
+  # Wait 7 days (10080 minutes) before installing newly published packages.
+  minimumReleaseAge: 10080
diff --git a/scripts/update.mjs b/scripts/update.mjs
@@ -44,7 +44,8 @@ async function main() {
       process.stdout.write('\r\x1b[K')
     }
 
-    // Always update Socket packages (bypass taze maturity period).
+    // Update Socket packages — bypass minimum-release-age since these are
+    // our own packages and we trust them immediately.
     if (!quiet) {
       logger.progress('Updating Socket packages...')
     }
@@ -60,12 +61,12 @@ async function main() {
         '-r',
       ],
       {
+        env: { ...process.env, npm_config_minimum_release_age: '0' },
         shell: WIN32,
         stdio: quiet ? 'pipe' : 'inherit',
       },
     )
 
-    // Clear progress line.
     if (!quiet) {
       process.stdout.write('\r\x1b[K')
     }
diff --git a/test/unit/cache-with-ttl.test.mts b/test/unit/cache-with-ttl.test.mts
@@ -467,52 +467,20 @@ describe.sequential('cache-with-ttl', () => {
       await refreshCache.clear()
     })
 
-    it('should treat far-future expiresAt as expired (clock skew protection)', async () => {
-      // This tests the fix in cache-with-ttl.ts:190-203
-      // The isExpired() function checks if expiresAt > now + ttl * 2
-      // to detect clock skew or corruption
-
-      const clockSkewCache = createTtlCache({
-        ttl: 1000, // 1 second TTL
-        prefix: 'clock-skew-test',
-        memoize: true, // Use memoization to test the isExpired logic directly
-      })
-
-      // Set a value - this will create an entry with normal expiration
-      await clockSkewCache.set('key', 'value')
-
-      // Verify value is cached
-      expect(await clockSkewCache.get<string>('key')).toBe('value')
-
-      // The internal isExpired function will reject entries where:
-      // expiresAt > Date.now() + ttl * 2
-      // This protects against clock skew where the system clock jumps forward
-
-      // Note: We can't easily test the actual clock skew scenario without
-      // manipulating cacache internals, but the fix is in place and handles:
-      // - Entries with far-future expiresAt (>2x TTL) are treated as expired
-      // - Normal future expiresAt values (within TTL) work correctly
-
-      await clockSkewCache.clear()
-    })
-
-    it('should handle slightly future expiresAt within reasonable bounds', async () => {
-      const normalCache = createTtlCache({
-        ttl: 5000, // 5 second TTL
-        prefix: 'normal-future-cache',
+    it('should expire entries and return undefined after TTL (memoized)', async () => {
+      const shortCache = createTtlCache({
+        ttl: 200,
+        prefix: 'short-memo-cache',
+        memoize: true,
       })
 
-      // Set a value - expiresAt will be Date.now() + 5000
-      await normalCache.set('key', 'value')
-
-      // Value should be retrievable immediately (expiresAt is in future as expected)
-      const result = await normalCache.get<string>('key')
-      expect(result).toBe('value')
+      await shortCache.set('key', 'value')
+      expect(await shortCache.get<string>('key')).toBe('value')
 
-      // Only far-future values (>2x TTL) should be treated as expired
-      // This tests that normal future expiresAt values work correctly
+      await new Promise(resolve => setTimeout(resolve, 300))
+      expect(await shortCache.get<string>('key')).toBeUndefined()
 
-      await normalCache.clear()
+      await shortCache.clear()
     })
   })
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+settings:`
	`2`	`+ # Wait 7 days (10080 minutes) before installing newly published packages.`
	`3`	`+ minimumReleaseAge: 10080`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ async function main() {`
`44`	`44`	`process.stdout.write('\r\x1b[K')`
`45`	`45`	`}`
`46`	`46`
`47`		`- // Always update Socket packages (bypass taze maturity period).`
	`47`	`+ // Update Socket packages — bypass minimum-release-age since these are`
	`48`	`+ // our own packages and we trust them immediately.`
`48`	`49`	`if (!quiet) {`
`49`	`50`	`logger.progress('Updating Socket packages...')`
`50`	`51`	`}`
`@@ -60,12 +61,12 @@ async function main() {`
`60`	`61`	`'-r',`
`61`	`62`	`],`
`62`	`63`	`{`
	`64`	`+ env: { ...process.env, npm_config_minimum_release_age: '0' },`
`63`	`65`	`shell: WIN32,`
`64`	`66`	`stdio: quiet ? 'pipe' : 'inherit',`
`65`	`67`	`},`
`66`	`68`	`)`
`67`	`69`
`68`		`- // Clear progress line.`
`69`	`70`	`if (!quiet) {`
`70`	`71`	`process.stdout.write('\r\x1b[K')`
`71`	`72`	`}`