ci(renovate): enforce 3-day minimum release age for npm packages (#462)

* ci(renovate): enforce 3-day minimum release age for npm packages

Extend the Renovate config with the official 'security:minimumReleaseAgeNpm'
preset so that Renovate waits 3 days after publication before creating PRs
for any npm/pnpm dependency. This adds a buffer against unpublished or
freshly-broken releases (e.g. malicious packages, npm unpublish window,
transient registry/lockfile resolution issues).

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

diff --git a/renovate.json b/renovate.json
index e3cfe0eb822eae21bb2144ad2a1a36280c654f89..ded9cdb44f50f3b0d3c6b72ea379a62529e967d2 100644 (file)
--- a/renovate.json
+++ b/renovate.json
@@ -6,7 +6,8 @@
     ":configMigration",
     "group:allNonMajor",
     "schedule:daily",
-    ":maintainLockFilesWeekly"
+    ":maintainLockFilesWeekly",
+    "security:minimumReleaseAgeNpm"
   ],
   "packageRules": [
     {