From 014ed4abdbb5ec5cc84072eabab30d08053250ac Mon Sep 17 00:00:00 2001
From: Benoit TRAVERS
Date: Fri, 26 Jun 2026 02:25:00 +0200
Subject: [PATCH] chore: enforce 7-day minimum release age for deps and dependabot

pnpm's minimumReleaseAgeStrict was set without an actual minimumReleaseAge value, so the strict lockfile check was a no-op and no delay was enforced. Set a 7-day (10080 minute) minimum so freshly published versions are neither resolved nor accepted in the committed lockfile.

Dependabot does not read pnpm-workspace.yaml, so it proposed bumps the same day a version was published. Add a matching 7-day cooldown to both the npm and github-actions update entries to mirror the pnpm policy.

Note: with Strict enabled, installs/CI will fail until lockfile entries published within the last 7 days (e.g. semver@7.8.5) age past the cutoff.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml | 6 ++++++
 pnpm-workspace.yaml | 1 +
 2 files changed, 7 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e2d9e044..cbd320e8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,6 +23,10 @@ updates:
 # Only allow @types/node updates that match the Node.js major version (24.x)
 - dependency-name: "@types/node"
 update-types: ["version-update:semver-major"]
+ # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.
+ # Dependabot does not read pnpm-workspace.yaml, so this must be configured here.
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 10
 
 # GitHub Actions
@@ -31,4 +35,6 @@ updates:
 schedule:
 interval: "weekly"
 day: "monday"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 518e6f14..a3f33758 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
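Review bot: The nesting of the new `cooldown:` block in the npm entry cannot be confirmed from this copy of the hunk because indentation was flattened; it must sit at the update-entry level, as a sibling of `ignore` and `open-pull-requests-limit`, not inside the trailing `ignore` item for `@types/node`, or Dependabot will reject or silently drop it. The added comment also leaves the unit mapping implicit — `default-days: 7` corresponds to `minimumReleaseAge: 10080` in minutes — and the two values now drift independently across two files; extending the comment to `# 7 days == minimumReleaseAge: 10080 (minutes) in pnpm-workspace.yaml; keep in sync.` makes that coupling explicit. It is also worth confirming whether the cooldown holds back Dependabot security updates as well as version updates, and recording the answer in the comment, since a 7-day delay on a fix for a disclosed vulnerability is a deliberate trade-off the policy should state rather than leave to the reader. The github-actions entry in the next hunk receives the same settings without any comment and should carry the same one-liner.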
@@ -83,6 +83,7 @@ allowBuilds:
 protobufjs: true
 ssh2: true
 
+minimumReleaseAge: 10080
 minimumReleaseAgeStrict: true
 # First-party btravstack packages — the maturity delay guards against
 # third-party supply-chain risk, which does not apply to our own org's libraries.
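Review bot: `minimumReleaseAge: 10080` is a bare magic number whose unit is only recoverable from the commit message; a trailing comment such as `minimumReleaseAge: 10080  # minutes (7 days); keep in sync with cooldown.default-days in .github/dependabot.yml` would make the policy self-describing where it is read. The comment that follows says first-party packages are exempted from the delay; that exemption is not in this hunk, but whatever key implements it should match only the organisation's own scope, since every package it matches bypasses the 7-day window entirely. It would also help readers to note next to `minimumReleaseAgeStrict: true` that the delay fails the install rather than warning, and that it only defends against versions younger than 7 days, so it complements lockfile pinning and review of lockfile diffs rather than replacing them.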