Skip to content

ci: pin safe-chain to v1.4.7 and reduce minimum package age to 72h#5132

Merged
traefiker merged 3 commits intotraefik:masterfrom
mdeliatf:fix/pin-safe-chain
Apr 13, 2026
Merged

ci: pin safe-chain to v1.4.7 and reduce minimum package age to 72h#5132
traefiker merged 3 commits intotraefik:masterfrom
mdeliatf:fix/pin-safe-chain

Conversation

@mdeliatf
Copy link
Copy Markdown
Contributor

@mdeliatf mdeliatf commented Apr 13, 2026

Description

  • Pin safe-chain to v1.4.7 instead of always pulling latest, the install script is downloaded from a specific release and verified with a SHA-512 checksum before execution, preventing supply chain attacks via a compromised installer.
  • Reduce SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS from 360 to 72 (3 days).

Fix https://github.com/traefik/hub-issues/issues/2782

Good PR checkboxes

  • Change has been tested
  • Added/Updated tests
  • Added/Updated stories
  • PR follows conventions
  • Labels are set
  • Project is linked

Good Review checkboxes

ℹ️ Copy the snippet and paste in the review field to fill it 
- [ ] I've tested the changes
- [ ] I've agreed on the unit tests (soon to come)
- [ ] I've checked the stories
- [ ] I've read the code and understood it
- [ ] I don't have any more questions
- [ ] I've described any optional improvements
- [ ] I checked PR follows [conventions](https://github.com/traefik/faency#how-to-contribute)

@mdeliatf mdeliatf requested a review from darkweaver87 April 13, 2026 10:37
@mdeliatf mdeliatf self-assigned this Apr 13, 2026
@mdeliatf mdeliatf changed the title fix: pin safe-chain to v1.4.7 and reduce minimum package age to 72h ci: pin safe-chain to v1.4.7 and reduce minimum package age to 72h Apr 13, 2026
@mdeliatf mdeliatf closed this Apr 13, 2026
@mdeliatf mdeliatf reopened this Apr 13, 2026
darkweaver87
darkweaver87 approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@darkweaver87 darkweaver87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

gndz07
gndz07 approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@gndz07 gndz07 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@traefiker traefiker merged commit d3a406e into traefik:master Apr 13, 2026
4 checks passed
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

🎉 This PR is included in version 12.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gndz07 gndz07 gndz07 approved these changes

+1 more reviewer

@darkweaver87 darkweaver87 darkweaver87 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mdeliatf mdeliatf

Labels

kind/bug/fix a bug fix released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mdeliatf @darkweaver87 @gndz07 @traefiker