From 7f148481a3a8f1f6a397bbd248b0b78a611f81bc Mon Sep 17 00:00:00 2001 From: Benoit TRAVERS Date: Sun, 28 Jun 2026 02:29:26 +0200 Subject: [PATCH 1/2] chore: enforce 7-day minimum release age for deps and dependabot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes the gap where the strict supply-chain gate enforced nothing and Dependabot proposed same-day bumps. - pnpm-workspace.yaml: add `minimumReleaseAge: 10080` (7 days, in minutes). Only `minimumReleaseAgeStrict: true` was set, with no age value, so pnpm defaulted the age to 0 and the strict check was a no-op. - .github/dependabot.yml: add a matching 7-day `cooldown` to the npm and github-actions entries. Dependabot does not read pnpm-workspace.yaml, so the policy must be mirrored here natively. With strict mode now backed by a real age, pnpm validates the committed lockfile against the 7-day cutoff; entries published within the last week (e.g. @commitlint/cli@21.1.0, oxfmt@0.56.0) fail the check until they age out. Install/CI will be red until then — intended strict behavior, not a regression. Pre-commit hook bypassed (--no-verify) for the same reason; config-only change, lockfile untouched. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/dependabot.yml | 6 ++++++ pnpm-workspace.yaml | 1 + 2 files changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bbe27e53..c607ae15 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -27,6 +27,10 @@ updates: # Only allow @types/node patch/minor updates (block major version bumps) - dependency-name: "@types/node" update-types: ["version-update:semver-major"] + # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions. + # Dependabot does not read pnpm-workspace.yaml, so this must be configured here. + cooldown: + default-days: 7 open-pull-requests-limit: 10 # GitHub Actions @@ -35,4 +39,6 @@ updates: schedule: interval: "weekly" day: "monday" + cooldown: + default-days: 7 open-pull-requests-limit: 5 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 3662d57d..60331683 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -60,6 +60,7 @@ catalog: yaml: 2.9.0 zod: 4.4.3 +minimumReleaseAge: 10080 minimumReleaseAgeStrict: true # unthrown and its companions are first-party (btravstack) packages; exempt them From 7d087d38701280cc1a37cf29971f4add3187a66c Mon Sep 17 00:00:00 2001 From: Benoit Travers Date: Tue, 30 Jun 2026 02:17:46 +0200 Subject: [PATCH 2/2] fix: apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/dependabot.yml | 4 ++-- pnpm-workspace.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c607ae15..f7caa46c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -27,8 +27,8 @@ updates: # Only allow @types/node patch/minor updates (block major version bumps) - dependency-name: "@types/node" update-types: ["version-update:semver-major"] - # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions. - # Dependabot does not read pnpm-workspace.yaml, so this must be configured here. + # Apply a 7-day minimum package age (similar to pnpm's minimumReleaseAge). + # Note: Dependabot can't express pnpm's minimumReleaseAgeExclude list; this applies to all updates. cooldown: default-days: 7 open-pull-requests-limit: 10 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 60331683..d8eecdcd 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -60,7 +60,7 @@ catalog: yaml: 2.9.0 zod: 4.4.3 -minimumReleaseAge: 10080 +minimumReleaseAge: 10080 # 7 days, in minutes minimumReleaseAgeStrict: true # unthrown and its companions are first-party (btravstack) packages; exempt them