Skip to content

Add 3-day minimum release age to pnpm and mise#133

Open
gtbuchanan wants to merge 1 commit into
mainfrom
chore/minimum-release-age
Open

Add 3-day minimum release age to pnpm and mise#133
gtbuchanan wants to merge 1 commit into
mainfrom
chore/minimum-release-age

Conversation

@gtbuchanan
Copy link
Copy Markdown
Owner

@gtbuchanan gtbuchanan commented Jun 2, 2026
edited
Loading

Summary

Adds a 3-day minimum release age at the package-manager and tool-manager layers so newly published versions sit in quarantine before they can be installed, matching the shared Renovate preset''s existing minimumReleaseAge: "3 days". Layered defense: Renovate gates direct-dep update PRs, while pnpm gates the entire transitive tree at install/resolution time.

  • pnpm (pnpm-workspace.yaml): minimumReleaseAge: 4320 (3 days, in minutes), extending pnpm 11''s 1-day default. The pre-existing minimumReleaseAgeExclude: ['"'"'@gtbuchanan/*'"'"'] mirrors the preset''s own-package carve-out.
  • mise (mise.toml): minimum_release_age = "3d". Only filters fuzzy/latest resolution (e.g. a manual mise up --bump); installs of the exact pins are unaffected, and Renovate already gates automated tool bumps at 3 days. Included mainly for parity/intent.

Transient CI

The lockfile is intentionally left unchanged. Tightening pnpm to 3 days means any transitive dep published within the last 3 days fails the install-time check until it ages out — currently tinyglobby@0.2.17 (published 2026-05-30 19:54 UTC), which clears the window at 2026-06-02 19:54 UTC. The ci job will be red until then, after which it passes with no lockfile changes needed. dependency-review is unaffected (no dependency diff).

🤖 Generated with Claude Code

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 2, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ❌ 5 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
See the Details below.

License Issues

pnpm-lock.yaml

PackageVersionLicenseIssue Type
@augment-vir/assert31.71.3LicenseRef-bad-mit-or-cc0-1.0Incompatible License
@augment-vir/common31.71.3LicenseRef-bad-mit-or-cc0-1.0Incompatible License
@augment-vir/core31.71.3LicenseRef-bad-mit-or-cc0-1.0Incompatible License
@date-vir/duration8.3.2LicenseRef-bad-mit-or-cc0-1.0Incompatible License
caniuse-lite1.0.30001793CC-BY-4.0Incompatible License
Allowed Licenses: 0BSD, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, Unlicense

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@augment-vir/assert 31.71.3 UnknownUnknown
npm/@augment-vir/common 31.71.3 UnknownUnknown
npm/@augment-vir/core 31.71.3 UnknownUnknown
npm/@clack/core 1.4.0 UnknownUnknown
npm/@clack/prompts 1.5.0 UnknownUnknown
npm/@date-vir/duration 8.3.2 UnknownUnknown
npm/@emnapi/core 1.10.0 🟢 3.4
Details
CheckScoreReason
Maintained🟢 1027 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime 1.10.0 🟢 3.4
Details
CheckScoreReason
Maintained🟢 1027 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@noble/hashes 2.2.0 UnknownUnknown
npm/@oxc-project/types 0.132.0 UnknownUnknown
npm/@paralleldrive/cuid2 3.3.0 UnknownUnknown
npm/@pkgr/core 0.3.6 UnknownUnknown
npm/@rolldown/binding-android-arm64 1.0.2 UnknownUnknown
npm/@rolldown/binding-darwin-arm64 1.0.2 UnknownUnknown
npm/@rolldown/binding-darwin-x64 1.0.2 UnknownUnknown
npm/@rolldown/binding-freebsd-x64 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-arm-gnueabihf 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-arm64-gnu 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-arm64-musl 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-ppc64-gnu 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-s390x-gnu 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-x64-gnu 1.0.2 UnknownUnknown
npm/@rolldown/binding-linux-x64-musl 1.0.2 UnknownUnknown
npm/@rolldown/binding-openharmony-arm64 1.0.2 UnknownUnknown
npm/@rolldown/binding-wasm32-wasi 1.0.2 UnknownUnknown
npm/@rolldown/binding-win32-arm64-msvc 1.0.2 UnknownUnknown
npm/@rolldown/binding-win32-x64-msvc 1.0.2 UnknownUnknown
npm/@rolldown/pluginutils 1.0.1 UnknownUnknown
npm/@unrs/resolver-binding-android-arm-eabi 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-android-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-darwin-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-darwin-x64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-freebsd-x64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm-gnueabihf 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm-musleabihf 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-loong64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-loong64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-ppc64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-riscv64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-riscv64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-s390x-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-x64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-x64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-openharmony-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-wasm32-wasi 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-arm64-msvc 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-ia32-msvc 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-x64-msvc 1.12.2 UnknownUnknown
npm/baseline-browser-mapping 2.10.32 UnknownUnknown
npm/bignumber.js 9.3.1 🟢 3.7
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Maintained🟢 1014 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 9binaries present in source code
SAST⚠️ 0no SAST tool detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Fuzzing⚠️ 0project is not fuzzed
npm/builtin-modules 5.2.0 🟢 4
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 2Found 8/30 approved changesets -- score normalized to 2
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/caniuse-lite 1.0.30001793 🟢 4.5
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Maintained🟢 1023 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
SAST⚠️ 0no SAST tool detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Fuzzing⚠️ 0project is not fuzzed
npm/comment-parser 1.4.7 UnknownUnknown
npm/diff 9.0.0 🟢 3.5
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 109 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions⚠️ -1No tokens found
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Dangerous-Workflow⚠️ -1no workflows found
Pinned-Dependencies⚠️ -1no dependencies found
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/electron-to-chromium 1.5.364 UnknownUnknown
npm/enhanced-resolve 5.22.1 🟢 6
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 4Found 6/14 approved changesets -- score normalized to 4
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/error-causes 3.0.2 UnknownUnknown
npm/fast-string-truncated-width 3.0.3 UnknownUnknown
npm/fast-string-width 3.0.2 UnknownUnknown
npm/fast-uri 3.1.2 UnknownUnknown
npm/fast-wrap-ansi 0.2.2 UnknownUnknown
npm/get-east-asian-width 1.6.0 🟢 4
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained⚠️ 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Code-Review🟢 4Found 12/25 approved changesets -- score normalized to 4
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/get-tsconfig 4.14.0 UnknownUnknown
npm/globals 17.6.0 🟢 4.4
Details
CheckScoreReason
Code-Review🟢 4Found 14/30 approved changesets -- score normalized to 4
Security-Policy🟢 10security policy file detected
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/katex 0.16.47 🟢 4.5
Details
CheckScoreReason
Code-Review🟢 7Found 17/23 approved changesets -- score normalized to 7
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow⚠️ 0dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST🟢 10SAST tool is run on all commits
npm/node-releases 2.0.46 🟢 4
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 1027 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
SAST⚠️ 0no SAST tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
npm/object-deep-merge 2.0.1 UnknownUnknown
npm/rolldown 1.0.2 UnknownUnknown
npm/synckit 0.11.13 UnknownUnknown
npm/tapable 2.3.3 🟢 5.6
Details
CheckScoreReason
Maintained🟢 1029 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ 0Found 0/17 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/tinyexec 1.2.3 UnknownUnknown
npm/tinyglobby 0.2.16 UnknownUnknown
npm/unrs-resolver 1.12.2 UnknownUnknown
npm/vite 8.0.14 🟢 7
Details
CheckScoreReason
Code-Review🟢 7Found 19/26 approved changesets -- score normalized to 7
Maintained🟢 1030 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 5detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 5binaries present in source code
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
SAST🟢 7SAST tool is not run on all commits -- score normalized to 7

Scanned Files

  • pnpm-lock.yaml

@gtbuchanan @claude
Add 3-day minimum release age to pnpm and mise
467b7a8 
Match the shared Renovate preset's 3-day quarantine at the package
manager and tool-manager layers for defense in depth.

- pnpm: set minimumReleaseAge to 4320 (3 days, in minutes), extending
  pnpm 11's 1-day default. Covers the full transitive tree at install,
  not just direct-dep PRs. The existing minimumReleaseAgeExclude for
  @gtbuchanan/* mirrors the preset's own-package carve-out.
- mise: set minimum_release_age to 3d. Only filters fuzzy/latest
  resolution (e.g. manual `mise up --bump`); exact pins install
  unaffected and Renovate already gates automated bumps at 3 days.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gtbuchanan gtbuchanan force-pushed the chore/minimum-release-age branch from dbc48fd to 467b7a8 Compare June 2, 2026 03:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gtbuchanan