
Building a more secure npm ecosystem with Mend Renovate


Over this last year, we’ve seen significant attacks like the Shai-Hulud worm, the Nx build system compromise, and secrets being leaked to public GitHub Actions logs via the tj-actions/changed-files compromise, but I could spend the entirety of this article only listing different attacks, let alone talking about them.

As an industry and ecosystem, we’re feeling the increase in frequency. In 2024 alone, there was a reported year-over-year growth of 156% in malicious packages. Given that Mend’s hosted Renovate Cloud platform is trusted by 1.3M+ repositories, we’re in a very strong position to secure consumers of open source software, as well as to provide stronger defaults for users who self-host Renovate. In the wake of a number of high-profile npm supply chain attacks, the Mend Renovate maintainers have decided that it’s best to enable a minimum release age check by default for users who opt in to the “best practices” configuration.

To help customers better address these rising attacks, the maintainer team is building on top of the existing “best practices” configuration that’s available in Mend Renovate. The team has been working to provide even more secure-by-default configuration, which starts with targeting the npm ecosystem.

In the most recent release, Mend Renovate 42, users of the “best practices” configuration will see dependency updates in the npm ecosystem now needing to pass a “minimum release age” check: a 3-day window must have elapsed since a version was published before Mend Renovate will suggest it as an update. With this approach, organizations ensure that only proven, stable, and trustworthy dependency updates make it into production, ultimately reducing the risk of supply chain attacks while maintaining developer velocity.

How would this help?

While the impact has been broad, these attacks typically exploit two common situations:

  • the exact version of a dependency is not pinned
  • the exact version of a dependency is pinned, and we attempt to update it very quickly after its release

There can be valid reasons not to pin your dependencies. In the npm ecosystem, for example, you may publish a package that has a few dependencies of its own and many other packages that depend on it.

If every time you bump a dependency version you need to release your package, then all dependent packages also need to bump their versions and release new versions, leading to a knock-on effect across the ecosystem.

Some of this can be simplified with automation, naturally with tools such as Mend Renovate or GitHub’s Dependabot, but it still requires some level of review.

At the same time, not pinning our dependencies can lead to problems of its own: users may start downloading a new version of a package immediately after it is published.

With the recommendation of pinned dependencies, the next problem is how often we want to update. The existing defaults in a number of tools are “update as soon as there’s a new version available”, which can lead to a Pull Request for a malicious upgrade within minutes of its release.

Although that malicious dependency may not reach your developers’ machines, it may still be able to get secrets or other privileged information out of your automated build pipelines, or take advantage of prompt injection in your AI-powered code reviewers.

Increasing the time between a package’s release and its arrival in your project’s Pull Requests gives security researchers and automated security tools longer to catch malicious intent in packages, reducing the opportunities for a supply chain attack.

How Mend Renovate is helping secure the ecosystem at large

As noted above, in the latest release of Mend Renovate, we’re enabling the enforcement of “minimum release age” checks for anyone using the “best practices” configuration when updating any packages that use the npm datasource, regardless of JavaScript/TypeScript package manager.

This enforcement will:

  • Ensure that a given dependency update contains metadata about when it was released (“release timestamp”)
  • Ensure that no branches are created until a minimum of 3 days have passed since the release was published

Package updates that do not meet these conditions appear in Mend Renovate’s Dependency Dashboard as an “awaiting” entry and require a human to explicitly request them, ensuring that only “safe” package updates are raised automatically.

(A caveat: an increased wait time doesn’t guarantee that every issue is caught. Attacks may be very targeted, or may avoid detectable obfuscation by using AI tooling on compromised machines to make the changes, so although this significantly reduces impact, it isn’t a “silver bullet”.)
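To make the two conditions above concrete, here is an added JavaScript illustration (not Renovate’s own code, which is considerably more involved) of the same check applied to the `time` metadata that the npm registry returns for a package. A version with no publish timestamp, or one younger than the window, is held back as “awaiting”; the window length and a trusted-scope bypass are parameters. The packument, the timestamps and the `@acme` scope are constructed sample data, and the function names are this example’s own.

```javascript
// Added example, not Renovate's code: emulate a "minimum release age" check
// over an npm packument. The registry's `time` object maps each published
// version to its ISO 8601 publish timestamp (plus "created"/"modified").

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample packument. The project is currently on 1.4.0.
// 1.5.0 was published 10 days before NOW, 1.5.1 only two hours before NOW,
// and 1.5.2 carries no publish timestamp at all.
const NOW = Date.parse("2025-10-01T12:00:00Z");
const SAMPLE_PACKUMENT = {
  name: "@acme/example-lib",
  "dist-tags": { latest: "1.5.2" },
  versions: { "1.4.0": {}, "1.5.0": {}, "1.5.1": {}, "1.5.2": {} },
  time: {
    created: "2024-01-01T00:00:00Z",
    modified: "2025-10-01T10:00:00Z",
    "1.4.0": "2025-06-01T00:00:00Z",
    "1.5.0": "2025-09-21T12:00:00Z",
    "1.5.1": "2025-10-01T10:00:00Z",
    // "1.5.2" is deliberately absent: no release timestamp available
  },
};

// Parse a stable "major.minor.patch" version; pre-releases are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A package is "trusted" when it lives in one of the configured npm scopes.
function isTrusted(name, trustedScopes) {
  return trustedScopes.some((scope) => name.startsWith(scope + "/"));
}

// Classify every stable version newer than `currentVersion` as "eligible"
// (may be raised as an update) or "awaiting" (needs a human to request it).
function evaluateUpdates(packument, currentVersion, opts = {}) {
  const { now = Date.now(), minimumReleaseAgeMs = 3 * DAY_MS, trustedScopes = [] } = opts;
  const current = parseVersion(currentVersion);
  const trusted = isTrusted(packument.name, trustedScopes);
  const results = [];

  for (const version of Object.keys(packument.versions)) {
    const parsed = parseVersion(version);
    if (!parsed || compareVersions(parsed, current) <= 0) continue;

    const published = packument.time && packument.time[version];
    let status;
    let reason;
    if (trusted) {
      status = "eligible";
      reason = "trusted scope, age check bypassed";
    } else if (!published) {
      // Condition 1: the update must carry release-timestamp metadata.
      status = "awaiting";
      reason = "no release timestamp";
    } else {
      // Condition 2: the release must be at least the minimum age old.
      const ageMs = now - Date.parse(published);
      if (ageMs >= minimumReleaseAgeMs) {
        status = "eligible";
        reason = `${Math.floor(ageMs / DAY_MS)} days old`;
      } else {
        status = "awaiting";
        reason = `only ${(ageMs / 3600000).toFixed(1)} hours old`;
      }
    }
    results.push({ version, status, reason });
  }

  results.sort((a, b) => compareVersions(parseVersion(a.version), parseVersion(b.version)));
  const eligible = results.filter((r) => r.status === "eligible");
  return {
    newestEligible: eligible.length ? eligible[eligible.length - 1].version : null,
    awaiting: results.filter((r) => r.status === "awaiting").map((r) => r.version),
    results,
  };
}

// With the default 3-day window only 1.5.0 is old enough; 1.5.1 and 1.5.2
// would be listed on the dashboard as awaiting.
console.log(evaluateUpdates(SAMPLE_PACKUMENT, "1.4.0", { now: NOW }));
```

Shortening the window to zero lets the two-hour-old 1.5.1 through but still holds 1.5.2 back, because the timestamp condition is independent of the age condition; adding `@acme` to `trustedScopes` bypasses both for this package.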

By adding this to our “best practices” configuration, users who have opted in to industry-wide best practices will be secured by default, and everyone else can add it too, for instance:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["security:minimumReleaseAgeNpm"]
}

Additionally, this behaviour can be tuned: you can make the window as long or as short as you wish, or bypass the “minimum release age” check for trusted, internally developed packages.
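As an added example of that tuning (my own configuration, not one from the page or the Renovate docs), the following `renovate.json` keeps the preset, widens the window for everything from the npm datasource to 7 days, and then exempts an internal scope. It assumes that a later `packageRules` entry overrides an earlier one for matching packages, that `matchPackageNames` accepts a glob such as `@example-corp/**`, and that setting `minimumReleaseAge` to `null` in a rule removes the wait for those packages; `@example-corp` is a placeholder scope.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["security:minimumReleaseAgeNpm"],
  "packageRules": [
    {
      "description": "Widen the window for everything from the npm datasource",
      "matchDatasources": ["npm"],
      "minimumReleaseAge": "7 days"
    },
    {
      "description": "Packages we publish ourselves: skip the wait",
      "matchDatasources": ["npm"],
      "matchPackageNames": ["@example-corp/**"],
      "minimumReleaseAge": null
    }
  ]
}
```

Keep the exemption as narrow as possible: a scope that anyone in the organization can publish to is only as trustworthy as the weakest publishing credential behind it.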

For more details, check out the dedicated Minimum Release Age docs.

Defense in depth

As well as having Mend Renovate hold back updates until a given window has passed, we recommend setting up multiple layers of defense.

Where possible, enable this functionality in your package manager too, so that developer machines are protected and/or your automated build pipelines fail until the release window has passed.

At the time of writing, pnpm 10.6 and yarn 4.2.0 add support for this, and we’re seeing other package managers looking at adding the capability, too.

What’s next?

Following on from the work on this release, we’ll be working to improve the interplay between Mend Renovate and package managers such as pnpm and yarn to integrate functionality more tightly.

We’re continuing to investigate other package ecosystems where this functionality can be enabled for our “best practices” configuration, and further secure the ecosystem!

If you have any questions or feedback, always feel free to post to Mend Renovate’s Discussion Forum.
