
chore: enforce 14-day package cooldown via tooling #32

Open

wamonroe wants to merge 1 commit into main from enforce-package-cooldown

Conversation

@wamonroe (Owner)

Summary

Replaces the proxy-registry CI approach with tooling-layer enforcement of the 14-day package age rule. Also hardens the deploy workflow.

Details

  • .npmrc — replaced registry=${NPM_REGISTRY} with min-release-age=14 (days) so npm refuses packages newer than 14 days locally.
  • Node bumped to 24 — ships npm 11 which supports min-release-age; was Node 22 (npm 10, silently ignored the setting).
  • npm install → npm ci — true frozen install in CI; fails if package-lock.json is out of sync.
  • NPM_REGISTRY env block removed from deploy.yml.
  • .github/dependabot.yml created — npm + github-actions ecosystems, with cooldown: default-days: 14 on npm so Dependabot never proposes versions younger than 14 days.

Replaces the proxy-registry approach with tooling-layer enforcement:

- Rewrites .npmrc to min-release-age=14 so npm refuses packages newer
  than 14 days during local installs (requires npm 11+).
- Removes NPM_REGISTRY workflow env block from deploy.yml.
- Bumps Node to 24 (ships npm 11) so min-release-age is respected in CI.
- Switches npm install to npm ci for a true frozen install in CI.
- Adds .github/dependabot.yml with cooldown: default-days: 14 on the
  npm ecosystem so Dependabot never proposes packages younger than 14d.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
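An added example, not part of this PR or the repository: min-release-age and the Dependabot cooldown gate new resolutions, but package-lock.json still pins versions chosen before the policy existed. This script audits a lockfile against the same 14-day rule using registry publish timestamps. The lockfile fragment and the `time` metadata are constructed inline (in practice the latter comes from each package's registry packument); a version with no publish time is reported rather than silently passed.

```javascript
// Audit a lockfileVersion 3 package-lock.json against a release-age cooldown.
// Constructed sample data; not taken from the PR.
const MIN_RELEASE_AGE_DAYS = 14;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed lockfile fragment: "packages" keyed by node_modules path.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/fresh-lib": { version: "2.0.1" },
  },
};

// Constructed registry "time" metadata (version -> ISO 8601 publish date),
// shaped like the packument's "time" field.
const SAMPLE_TIMES = {
  "left-pad": { "1.3.0": "2018-04-12T15:43:10.000Z" },
  "fresh-lib": { "2.0.1": "2026-03-05T09:00:00.000Z" },
};

// Lockfile keys are paths; nested deps look like "node_modules/a/node_modules/b".
// The last segment is the package name (scoped names keep their "@scope/").
function packageNameFromPath(path) {
  const parts = path.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns every locked dependency that is younger than minDays at `now`,
// plus any whose publish time is unknown (fail closed on missing data).
function auditLockfile(lock, times, now, minDays = MIN_RELEASE_AGE_DAYS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const published = times[name] && times[name][entry.version];
    if (!published) {
      findings.push({ name, version: entry.version, ageDays: null, reason: "no publish time" });
      continue;
    }
    const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
    if (ageDays < minDays) {
      findings.push({ name, version: entry.version, ageDays, reason: "younger than cooldown" });
    }
  }
  return findings;
}
```

Run it in CI after `npm ci` with the real lockfile and fetched `time` data, and fail the job when `auditLockfile` returns anything.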