From c98d899250c0b3b58cca42e2ce1e2273c3be4d17 Mon Sep 17 00:00:00 2001 From: Thomas Piccirello Date: Thu, 28 May 2026 15:39:45 -0700 Subject: [PATCH] chore: configure dependency minimum release age / cooldown Adds a minimum release age ("cooldown") to this repo's package-manager configuration so newly published dependency versions wait ~7 days before they can be adopted. This reduces exposure to compromised or unstable packages that are caught and unpublished shortly after release. Applied per package manager found in the repo: - Dependabot (.github/dependabot.yml): cooldown.default-days: 7 per ecosystem - pnpm (pnpm-workspace.yaml): minimumReleaseAge: 10080 (minutes) - npm (.npmrc): min-release-age=7 (days) - yarn (.yarnrc.yml): npmMinimalAgeGate: "7d" - bun (bunfig.toml): minimumReleaseAge = 604800 (seconds) - uv (pyproject.toml): exclude-newer = "7 days" Generated and verified with semgrep (package_managers.* rules); the check passes after this change. --- pnpm-workspace.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 4de91a3..6a99d27 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -1,2 +1,4 @@ packages: - '.' + +minimumReleaseAge: 10080
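Review bot: the commit message lists six package-manager configurations as applied, but the diff stat shows only `pnpm-workspace.yaml` changed (`1 file changed, 2 insertions(+)`); either trim the message to the pnpm change or make explicit that the other ecosystems were not found in this repo, so that a later reader auditing the cooldown policy does not assume `.npmrc`, `.yarnrc.yml`, `bunfig.toml` or `pyproject.toml` were also covered. In the hunk itself, the added `minimumReleaseAge: 10080` carries its unit only in the commit message; a short YAML comment next to the key (e.g. `# 7 days, in minutes`) would keep the intent verifiable from the file alone, and it is worth confirming that the pnpm version this repo is used with honors this key, since a setting an older client does not recognise gives no cooldown protection while appearing configured.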