From b2acaf155eea2ccd85567fa87f9790dbc481f0ec Mon Sep 17 00:00:00 2001
From: jdalton
Date: Thu, 2 Apr 2026 08:07:38 -0400
Subject: [PATCH] chore: add minimum release age to .npmrc

Add minimum-release-age=10080 (pnpm, minutes) and min-release-age=7 (npm v11+, days) to enforce a 7-day waiting period before installing newly published packages, reducing supply chain attack risk.
---
 .npmrc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.npmrc b/.npmrc
index 847970f8b..8ecf23943 100644
--- a/.npmrc
+++ b/.npmrc
@@ -6,6 +6,11 @@ link-workspace-packages=false
 loglevel=error
 prefer-workspace-packages=false
 
+# Minimum release age - wait 7 days before installing newly published packages
+# pnpm uses minimum-release-age (minutes), npm v11+ uses min-release-age (days)
+minimum-release-age=10080
+min-release-age=7
+
 # Trust policy - prevent downgrade attacks
 trust-policy=no-downgrade
 trust-policy-exclude[]=undici@6.21.3
\ No newline at end of file
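Review bot: The `loglevel=error` line in the context just above the additions suppresses the warning a client prints for an unrecognized project config key, so if the installed npm or pnpm does not understand `min-release-age` or `minimum-release-age` the waiting period silently does nothing rather than failing loudly; verify both key names against the client versions this repository pins (any packageManager or engines declaration is outside this hunk). Because each client ignores the other's key, the setting is only enforced for whichever tool developers and CI actually run, which is worth stating in the comment, e.g. `# Each key is honored only by its own client; CI must run the same client for this to apply`. A 7-day delay also postpones legitimate security fixes, so the comment should name the escape hatch for urgent patches, presumably pnpm's companion exclusion setting (minimum-release-age-exclude), and whatever the npm equivalent is once confirmed.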