build: enable minimumReleaseAge to mitigate dependency chain attacks

This change configures pnpm's `minimumReleaseAge` setting to 1 day (1440 minutes). This is a security measure to mitigate dependency chain attacks, where malicious actors publish a new version of a dependency with malicious code and then trick users into updating to it before it can be discovered and reported.

By delaying the adoption of new releases, we reduce the window of opportunity for such attacks. The list of excluded packages contains trusted and frequently updated dependencies from the Angular team, which are considered safe to use without this delay.

Author: alan-agius4

.github/workflows/build.yml

@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0
+        with:
+          with_install: false
       - uses: actions/setup-node@d7a11313b581b306c961b506cfc8971208bb03f6
         with:
           node-version: 24
-      - uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0
-        with:
-          version: 9
       - run: pnpm i --frozen-lockfile
       - run: pnpm check-format
       - run: pnpm release-build

package.json

@@ -27,6 +27,12 @@
   "license": "MIT",
   "description": "Web Codegen Scorer is a tool for evaluating the quality of web code generated by Large Language Models (LLMs).",
   "type": "module",
+  "packageManager": "[email protected]",
+  "engines": {
+    "npm": "Please use pnpm instead of NPM to install dependencies",
+    "yarn": "Please use pnpm instead of Yarn to install dependencies",
+    "pnpm": "10.16.1"
+  },
   "bugs": {
     "url": "https://github.com/angular/web-codegen-scorer/issues"
   },

pnpm-workspace.yaml

@@ -1,3 +1,7 @@
 packages:
   - .
   - report-app
+
+# The minimum age of a release to be considered for dependency installation.
+# The value is in minutes (1440 minutes = 1 day).
+minimumReleaseAge: 1440