From 46a4d7df84758563c929f6e90cdfe2b27fb6267c Mon Sep 17 00:00:00 2001
From: Benoit TRAVERS
Date: Sun, 28 Jun 2026 02:20:43 +0200
Subject: [PATCH] chore: enforce 7-day minimum release age for deps and dependabot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the gap where freshly published versions could be adopted the same day they hit the registry — a supply-chain risk window.

- pnpm-workspace.yaml: add `minimumReleaseAge: 10080` (7 days) and `minimumReleaseAgeStrict: true`. This repo had neither, so a fresh version had no maturity delay at all.
- .github/dependabot.yml: add a matching 7-day `cooldown` to both the npm and github-actions update entries. Dependabot does not read pnpm-workspace.yaml, so the policy must be mirrored natively.

Mirrors btravstack/temporal-contract#259.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml | 6 ++++++
 pnpm-workspace.yaml | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2223f08..e5a1359 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,10 @@ updates:
 # Only allow @types/node patch/minor updates (block major version bumps)
 - dependency-name: "@types/node"
 update-types: ["version-update:semver-major"]
+ # Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.
+ # Dependabot does not read pnpm-workspace.yaml, so this must be configured here.
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 10
 
 # GitHub Actions
@@ -28,4 +32,6 @@ updates:
 schedule:
 interval: "weekly"
 day: "monday"
+ cooldown:
+ default-days: 7
 open-pull-requests-limit: 5
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 0dd8404..807755c 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
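Review bot: `cooldown: default-days: 7` on the npm entry delays every proposed version, so if Dependabot applies cooldown to security updates as well (worth confirming against the current docs), a patched release for an actively exploited vulnerability would also wait the full week; the github-actions hunk has the same trade-off. If patch releases should flow faster than major bumps, the cooldown block also accepts per-level counts such as `semver-patch-days`. Indentation is lost in this rendering and the new `cooldown:` key directly follows the last `ignore` item, so check that it sits at the update-entry level beside `open-pull-requests-limit` rather than nested under `- dependency-name`. The github-actions hunk carries no rationale comment; the npm hunk's line `# Mirror pnpm's minimumReleaseAge: wait before proposing freshly published versions.` would document it there too. Both update entries' `- package-ecosystem` lines begin before their hunks.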
@@ -43,6 +43,13 @@ allowBuilds:
 esbuild: true
 lefthook: true
 
+# Supply-chain maturity delay: don't adopt a freshly published version until it
+# has been on the registry for 7 days (10080 minutes). Strict mode also validates
+# the committed lockfile against this cutoff, so a same-day-published transitive
+# dep fails the check instead of slipping in silently.
+minimumReleaseAge: 10080
+minimumReleaseAgeStrict: true
+
 auditConfig:
 ignoreGhsas:
 # vite `server.fs.deny` bypass on Windows alternate paths. Reaches us only
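Review bot: The comment promises that strict mode validates the committed lockfile, but nothing in this diff shows which pnpm version the repo pins, and `minimumReleaseAge` / `minimumReleaseAgeStrict` were only introduced in pnpm 10.x; if `packageManager` is not pinned to a version that honours them the policy may be advisory rather than enforced, so confirm that before relying on the description. A 7-day cutoff also holds back security patches, and pnpm's documented escape hatch for that case is `minimumReleaseAgeExclude`; recording the override path next to the policy, e.g. `# Urgent security fixes: list the package under minimumReleaseAgeExclude, reviewed case by case.`, keeps the trade-off visible to whoever next edits this file. The `allowBuilds` mapping this hunk opens in begins before the hunk.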