From 6b8d33f53baa8cb59f6cfa2b30aa85280d1619f4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C3=A9r=C3=B4me=20Benoit?= Date: Tue, 26 May 2026 20:29:55 +0200 Subject: [PATCH] ci(renovate): enforce 3-day minimum release age for npm packages (#462) * ci(renovate): enforce 3-day minimum release age for npm packages Extend the Renovate config with the official 'security:minimumReleaseAgeNpm' preset so that Renovate waits 3 days after publication before creating PRs for any npm/pnpm dependency. This adds a buffer against unpublished or freshly-broken releases (e.g. malicious packages, npm unpublish window, transient registry/lockfile resolution issues). * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> --- renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index e3cfe0e..ded9cdb 100644 --- a/renovate.json +++ b/renovate.json @@ -6,7 +6,8 @@ ":configMigration", "group:allNonMajor", "schedule:daily", - ":maintainLockFilesWeekly" + ":maintainLockFilesWeekly", + "security:minimumReleaseAgeNpm" ], "packageRules": [ { -- 2.53.0