From 57bb9f27bd7035110bb94e6fb29a1399fa6bac31 Mon Sep 17 00:00:00 2001
From: vikyw89
Date: Mon, 22 Jun 2026 14:54:10 +0000
Subject: [PATCH] chore: enforce 3-day minimum release age for dependencies

Supply-chain hardening. pnpm 10.16+ native minimumReleaseAge refuses to resolve any dependency version published less than 3 days ago (4320 min), so newly-published malicious versions get caught/yanked before we install. Workspace-wide, so it covers root, apps/* and packages/server. Only gates new resolutions; versions already pinned in the lockfile are unaffected.

Closes #4678

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pnpm-workspace.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 4c1316ebcd..9bac3ddb6b 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -4,4 +4,8 @@ packages:
   - "apps/schedules"
   - "packages/server"
+# Supply-chain hardening: refuse package versions younger than 3 days (4320 min),
+# so newly-published malicious versions get caught/yanked before we install them.
+minimumReleaseAge: 4320
+
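Review bot: The new `minimumReleaseAge: 4320` line is only honored by pnpm 10.16 or newer; a developer machine or CI runner on an older pnpm treats it as an unknown key (silently or with at most a warning) and keeps resolving day-old versions, and nothing in this hunk shows a version floor — the root package.json is not part of the change, so whether `packageManager` is pinned cannot be confirmed from here. Pair the setting with a `"packageManager": "pnpm@10.16.0"` (or later) pin, or `engines.pnpm` plus `engine-strict`, and a CI assertion on `pnpm --version`, so the gate cannot be bypassed by an outdated client. The comment above the key should state the floor and the escape hatch, e.g. `# Requires pnpm >= 10.16 (older clients ignore this key); use minimumReleaseAgeExclude for first-party or hotfix packages that must install immediately.` Note also that, as the commit message itself says, the check only defers newly published versions at resolution time: a malicious version that is already older than 3 days, or one already pinned in pnpm-lock.yaml, installs normally, so this complements rather than replaces lockfile review and `pnpm audit`.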