Context
The .npmrc min-release-age=1 rule (reject npm packages published <24h ago, a supply-chain hardening measure) was temporarily disabled on 2026-05-22 to install @conduction/docusaurus-preset@3.20.0 before its 24h cooldown had elapsed.
3.20.0 was needed for the SetupSteps component used in the new spec-driven-development academy tutorial.

Action (tomorrow, 2026-05-23)
3.20.0 was published 2026-05-21T12:40Z, so it clears the 24h window on 2026-05-22T12:40Z. Once past that:
- min-release-age=1 in .npmrc (uncomment the line; remove the TEMPORARILY DISABLED note).
- npm install to confirm the lockfile resolves cleanly under the restored rule.

Why this matters
With the rule off, all npm packages lose the 24h cooldown, not just the first-party preset. This widens the supply-chain attack surface (a freshly-compromised transitive dep could be pulled in). The intended pattern for fresh first-party releases is the per-install override npm install --min-release-age=0, not disabling the rule globally — so this should be reverted promptly.
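
An added example, not part of the original issue or the project's code: a small Node.js check that reports whether min-release-age is active in a given .npmrc text and which packages are still inside the cooldown at a given time. The function names, the sample .npmrc contents and example-transitive-dep are constructed; the value is assumed to be in days, as the =1 / 24h rule above implies.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Effective min-release-age (days) from .npmrc text, or null when the key is
// absent or only appears on commented-out lines ('#' or ';').
function effectiveMinReleaseAge(npmrcText) {
  let value = null;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const m = /^min-release-age\s*=\s*(\d+)\s*$/.exec(line);
    if (m) value = Number(m[1]); // assumption: a repeated key takes the last value
  }
  return value;
}

// Earliest instant at which a version published at publishedIso passes the cooldown.
function clearsCooldownAt(publishedIso, days) {
  return new Date(Date.parse(publishedIso) + days * DAY_MS);
}

// Is the rule active, and which packages would it still reject at nowIso?
function auditCooldown(npmrcText, packages, nowIso, requiredDays = 1) {
  const configured = effectiveMinReleaseAge(npmrcText);
  const ruleActive = configured !== null && configured >= requiredDays;
  const now = Date.parse(nowIso);
  const tooFresh = packages
    .filter((p) => clearsCooldownAt(p.published, requiredDays).getTime() > now)
    .map((p) => p.name);
  return { ruleActive, configured, tooFresh };
}

// Constructed .npmrc contents: the disabled state and the restored state.
const DISABLED = "# TEMPORARILY DISABLED (constructed sample)\n# min-release-age=1\n";
const RESTORED = "min-release-age=1\n";

// The preset's publish time is from the issue; the second entry is constructed.
const PACKAGES = [
  { name: "@conduction/docusaurus-preset@3.20.0", published: "2026-05-21T12:40:00Z" },
  { name: "example-transitive-dep@1.0.0", published: "2026-05-22T09:00:00Z" },
];

// With the rule commented out, nothing stops either package from resolving.
console.log(auditCooldown(DISABLED, PACKAGES, "2026-05-22T10:00:00Z"));
// After the preset clears, the restored rule still holds back the fresh dependency.
console.log(auditCooldown(RESTORED, PACKAGES, "2026-05-22T13:00:00Z"));
```

In CI the text would come from the repository's .npmrc and the publish times from the registry metadata; a result with ruleActive false is the condition this issue asks to revert.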