chore: configure dependency minimum release age / cooldown #60575

Merged: Piccirello merged 1 commit into master from chore/dependency-minimum-release-age on May 29, 2026

@Piccirello
Member

Adds a minimum release age ("cooldown") to this repo's package-manager
configuration so newly published dependency versions wait ~7 days before they
can be adopted. This reduces exposure to compromised or unstable packages that
are caught and unpublished shortly after release.

Applied per package manager found in the repo:

  • Dependabot (.github/dependabot.yml): cooldown.default-days: 7 per ecosystem
  • pnpm (pnpm-workspace.yaml): minimumReleaseAge: 10080 (minutes)
  • npm (.npmrc): min-release-age=7 (days)
  • yarn (.yarnrc.yml): npmMinimalAgeGate: "7d"
  • bun (bunfig.toml): minimumReleaseAge = 604800 (seconds)
  • uv (pyproject.toml): exclude-newer = "7 days"

Generated and verified with semgrep (package_managers.* rules); the check passes
after this change.

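A drift check for the settings listed in the description above, as an added example (not code from this PR or from the project): each file expresses the same 7-day cooldown in a different unit, so the script normalizes every value to seconds and flags anything absent or shorter. The sample file contents are constructed and reduced to the line carrying the setting; the function names and the suffix table are this example's own assumptions.

```python
import re
WEEK = 7 * 24 * 3600  # the PR's target cooldown, in seconds

# file -> (key, seconds per bare number), units as stated in the PR description.
# None means the value must carry its own unit suffix ("7d", "7 days").
RULES = {
    ".github/dependabot.yml": ("default-days", 86400),
    "pnpm-workspace.yaml": ("minimumReleaseAge", 60),
    ".npmrc": ("min-release-age", 86400),
    ".yarnrc.yml": ("npmMinimalAgeGate", None),
    "bunfig.toml": ("minimumReleaseAge", 1),
    "pyproject.toml": ("exclude-newer", None),
}
# Suffixes this checker accepts (its own table, not each tool's full grammar).
SUFFIX = {"h": 3600, "hours": 3600, "d": 86400, "days": 86400,
          "w": 604800, "weeks": 604800}

# Constructed samples, reduced to the line that carries the setting.
SAMPLES = {
    ".github/dependabot.yml": "    cooldown:\n      default-days: 7\n",
    "pnpm-workspace.yaml": "minimumReleaseAge: 10080\n",
    ".npmrc": "min-release-age=7\n",
    ".yarnrc.yml": 'npmMinimalAgeGate: "7d"\n',
    "bunfig.toml": "minimumReleaseAge = 604800\n",
    "pyproject.toml": 'exclude-newer = "7 days"\n',
}

def cooldown_seconds(path, text):
    """Shortest cooldown found in the file, in seconds, or None if unparseable."""
    key, bare_unit = RULES[path]
    pat = rf'^\s*{re.escape(key)}\s*[:=]\s*"?(\d+)\s*([a-z]*)"?\s*$'
    found = []
    for number, suffix in re.findall(pat, text, re.M):
        unit = SUFFIX.get(suffix) if suffix else bare_unit
        if unit is None:  # unknown suffix, or a bare number where a suffix is required
            return None
        found.append(int(number) * unit)
    return min(found) if found else None  # min: Dependabot sets this per ecosystem

def audit(files, want=WEEK):
    """Return {path: reason} for each file whose cooldown is absent or shorter than want."""
    problems = {}
    for path, text in files.items():
        got = cooldown_seconds(path, text)
        if got is None:
            problems[path] = "no parseable cooldown"
        elif got < want:
            problems[path] = f"{got}s < {want}s"
    return problems
```

Calling `audit(SAMPLES)` returns an empty dict; a pnpm value of `7` written on the assumption that the unit is days is reported as 420 seconds.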
@assign-reviewers-posthog assign-reviewers-posthog Bot requested a review from a team May 28, 2026 22:41
@greptile-apps
Contributor

greptile-apps Bot commented May 28, 2026

Reviews (1): Last reviewed commit: "chore: configure dependency minimum rele..." | Re-trigger Greptile

@Piccirello Piccirello enabled auto-merge (squash) May 28, 2026 23:10
@Piccirello Piccirello merged commit 87e3cf0 into master May 29, 2026
138 checks passed
@Piccirello Piccirello deleted the chore/dependency-minimum-release-age branch May 29, 2026 08:03
@deployment-status-posthog

deployment-status-posthog Bot commented May 29, 2026

Deploy status

| Environment | Status | Deployed At | Workflow |
|---|---|---|---|
| dev | ✅ Deployed | 2026-05-29 08:26 UTC | Run |
| prod-us | ✅ Deployed | 2026-05-29 08:46 UTC | Run |
| prod-eu | ✅ Deployed | 2026-05-29 08:43 UTC | Run |
