
ci(dependabot): 2-day cooldown to clear the pnpm release-age gate#165

Merged
aliceout merged 1 commit into main from chore/dependabot-cooldown on Jul 3, 2026

Conversation

@aliceout (Owner) commented Jul 3, 2026

Problem

CI enforces a pnpm supply-chain gate, minimumReleaseAge = 24h, at install: any lockfile entry published less than a day ago fails with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION.

Dependabot (weekly) regularly picks up versions published the same day → its PRs are born red until the versions age. Seen on #161 (14 packages) and then on its recreation #164 (3 packages: @hono/node-server, tsx, undici).

Fix

A cooldown: default-days: 2 on the npm ecosystem → Dependabot only proposes versions that have already passed the 24h gate. PRs are born green.

  • Only npm is affected (the gate is pnpm-specific; github-actions / docker are unchanged).
  • Security advisories go through their own path and are not delayed.

No migration, no code touched: Dependabot config only.

🤖 Generated with Claude Code

CI enforces a pnpm minimumReleaseAge supply-chain gate (24 h) at
install: a lockfile entry younger than a day fails with
ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION. Dependabot's weekly PRs keep
grabbing same-day npm releases, so they land red until the versions age
(seen on #161 and its recreation #164).

Give the npm ecosystem a 2-day cooldown so Dependabot only proposes
versions already past the 24 h gate — PRs are born green. Only npm is
affected (the gate is pnpm-specific; github-actions / docker are left
as-is). Security advisories use their own path and aren't delayed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@aliceout aliceout merged commit 0f91e11 into main Jul 3, 2026
1 check passed
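The two settings this PR reconciles, written out as an added illustration (not the repository's actual files; the directory, the second ecosystem entry and the 1440-minute value are assumptions, with 1440 min = 24 h matching the gate the description mentions). Both files are shown in one fence as separate YAML documents:

```yaml
# .github/dependabot.yml  (illustrative layout, assumed; not the repo's own file)
version: 2
updates:
  - package-ecosystem: "npm"      # pnpm projects are handled by Dependabot's npm ecosystem
    directory: "/"                # assumed: lockfile at the repository root
    schedule:
      interval: "weekly"
    # Only versions published at least 2 days before the run are proposed, so every
    # lockfile entry Dependabot writes is already past a 24 h release-age gate.
    # Cooldown is not applied to Dependabot security updates.
    cooldown:
      default-days: 2

  - package-ecosystem: "github-actions"   # no cooldown: pnpm's gate does not cover this
    directory: "/"
    schedule:
      interval: "weekly"

---
# pnpm-workspace.yaml  (the gate the cooldown is sized against; value in minutes)
# An entry younger than this fails `pnpm install` with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION.
minimumReleaseAge: 1440
```

The cooldown must be at least as long as the gate; the extra day covers the time between Dependabot resolving a version and CI running the install on the resulting PR. The gate itself stays in place and remains the authoritative check: the cooldown only stops Dependabot from opening PRs that the gate would reject.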
