
chore: enforce 14-day package cooldown via tooling #78

Merged: wamonroe merged 1 commit into main from enforce-package-cooldown on Jun 15, 2026

@wamonroe

Owner

Summary

Replaces the proxy-registry approach in CI with tooling-layer enforcement of the 14-day package age rule. This immediately fixes the red main caused by Dependabot merging packages the proxy didn't have yet.

Details

  • bunfig.toml — adds minimumReleaseAge = 1209600 (14 days in seconds) so bun refuses to resolve packages newer than 14 days during local installs/updates.
  • .npmrc removed — CI now installs from public npm (which has every version). Locally, the MDM-managed ~/.npmrc still routes through the corporate proxy automatically.
  • Workflow env: NPM_REGISTRY blocks removed — no longer needed in CI.
  • Dependabot cooldown: default-days: 14 added to the bun ecosystem entry — Dependabot will never propose a version younger than 14 days, keeping the lockfile clean for frozen installs everywhere.

The combined effect: the lockfile can only receive packages ≥14 days old (two gates: bun's minimumReleaseAge for local, Dependabot's cooldown for automated bumps). bun install --frozen-lockfile in CI then succeeds against any registry.

Replaces the proxy-registry approach with tooling-layer enforcement:

- Adds bunfig.toml with minimumReleaseAge = 1209600 (14 days) so bun
  refuses to resolve packages newer than 14 days during local installs.
- Removes project-local .npmrc; CI now installs from public npm (always
  has all versions), while locally the MDM-managed ~/.npmrc still routes
  through the corporate proxy automatically.
- Removes NPM_REGISTRY workflow env blocks (no longer needed in CI).
- Adds Dependabot cooldown: default-days: 14 on the bun ecosystem entry
  so Dependabot never proposes a version younger than 14 days, keeping
  the lockfile perpetually clean for frozen installs anywhere.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@wamonroe wamonroe self-assigned this Jun 15, 2026
@wamonroe wamonroe merged commit 601767a into main Jun 15, 2026
1 check passed
@wamonroe wamonroe deleted the enforce-package-cooldown branch June 15, 2026 15:44
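
An independent check of the ≥14-day rule described in this PR, as an added example (not code from this repository): it takes resolved `name@version` specs plus publish timestamps in the shape of an npm packument's `time` object and reports anything younger than the cooldown. The function names, package names and dates are constructed for illustration.

```javascript
// Added example: audit resolved package versions against the 14-day cooldown.
const MIN_RELEASE_AGE_SECONDS = 1209600; // value from the PR's bunfig.toml

// Split "name@version", keeping the leading "@" of scoped names intact.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) throw new Error(`not a name@version spec: ${spec}`);
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// publishTimes: { [name]: { [version]: ISO-8601 string } }, the shape of the
// "time" object in an npm registry packument.
function findCooldownViolations(specs, publishTimes, now = new Date()) {
  const violations = [];
  for (const spec of specs) {
    const { name, version } = parseSpec(spec);
    const published = Date.parse(publishTimes[name]?.[version] ?? "");
    if (Number.isNaN(published)) {
      // Fail closed: an unknown publish time cannot prove the package is old enough.
      violations.push({ spec, reason: "unknown publish time" });
      continue;
    }
    const ageSeconds = Math.floor((now.getTime() - published) / 1000);
    if (ageSeconds < MIN_RELEASE_AGE_SECONDS) {
      violations.push({ spec, reason: "too new", ageSeconds });
    }
  }
  return violations;
}

// Constructed sample data (not real packages or real publish dates).
const SAMPLE_NOW = new Date("2026-06-15T00:00:00Z");
const SAMPLE_SPECS = [
  "example-lib@1.4.0",
  "@example/util@2.0.1",
  "example-new@0.9.0",
  "example-gone@3.0.0",
];
const SAMPLE_TIMES = {
  "example-lib": { "1.4.0": "2026-06-01T00:00:00Z" },   // exactly 14 days: allowed
  "@example/util": { "2.0.1": "2026-03-02T10:00:00Z" }, // well past the cooldown
  "example-new": { "0.9.0": "2026-06-10T08:30:00Z" },   // under 5 days old: rejected
  // "example-gone" has no registry metadata: rejected (fail closed)
};

console.log(findCooldownViolations(SAMPLE_SPECS, SAMPLE_TIMES, SAMPLE_NOW));
```

A non-empty result would fail the build; the missing-metadata case is reported rather than skipped so that a registry gap cannot silently pass the check.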