From db6c31a37bc078d0d06203f04a110da579a45aa2 Mon Sep 17 00:00:00 2001 From: aliceout Date: Fri, 3 Jul 2026 09:47:40 +0300 Subject: [PATCH] ci(dependabot): add a 2-day cooldown to clear the pnpm release-age gate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI enforces a pnpm minimumReleaseAge supply-chain gate (24 h) at install: a lockfile entry younger than a day fails with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION. Dependabot's weekly PRs keep grabbing same-day npm releases, so they land red until the versions age (seen on #161 and its recreation #164). Give the npm ecosystem a 2-day cooldown so Dependabot only proposes versions already past the 24 h gate — PRs are born green. Only npm is affected (the gate is pnpm-specific; github-actions / docker are left as-is). Security advisories use their own path and aren't delayed. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 53e53cbf..17ab9eb1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -25,6 +25,15 @@ updates: directory: "/" schedule: interval: "weekly" + # Don't propose a version until it has aged past CI's pnpm + # `minimumReleaseAge` supply-chain gate (24 h). Without this, a + # same-day npm release lands in the weekly PR and CI red-flags it + # with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION until the version + # ages — a recurring false-red. 2 days clears the 24 h gate with + # margin for the create→CI-install delay. Security advisories come + # through their own path and aren't held back by this. + cooldown: + default-days: 2 open-pull-requests-limit: 5 groups: minor-and-patch: