
Add npm and pip cooldown defaults#21919

Merged: MikeMcQuaid merged 1 commit into main from npm-pip-cooldown-defaults on Apr 4, 2026

Conversation

@MikeMcQuaid (Member)

  • delay new npm and pip packages by one day so freshly published compromises are less likely to land in builds
  • apply the npm cooldown in shared helpers so Node formula dependency installs inherit it too
  • cover the new defaults in node_spec.rb and formula_spec.rb

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?

  • AI was used to generate or assist with generating this PR. Please specify below how you used AI to help you, and what steps you have taken to manually verify the changes.

OpenAI Codex used with manual review and edits.


Copilot AI review requested due to automatic review settings April 4, 2026 11:43
@MikeMcQuaid MikeMcQuaid force-pushed the npm-pip-cooldown-defaults branch from 706be94 to 46c6208 Compare April 4, 2026 11:45
Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces default “cooldown” behavior for dependency installation via npm and pip to reduce the chance of consuming very recently published packages, and adds unit test coverage for the new defaults.

Changes:

  • Add --min-release-age=1 to npm install argument helpers in Language::Node.
  • Add a pip “uploaded prior to” cutoff (24h) to Formula#std_pip_args.
  • Update node_spec.rb and formula_spec.rb to assert the new default arguments.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Reviewed files:

  • Library/Homebrew/language/node.rb: adds the npm cooldown flag to the shared npm argument helpers.
  • Library/Homebrew/formula.rb: adds the pip cutoff argument and the supporting `time` require.
  • Library/Homebrew/test/language/node_spec.rb: updates the Node helper tests for the new npm args and stubs the env setup.
  • Library/Homebrew/test/formula_spec.rb: adds coverage for the new pip cutoff argument formatting.

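The two cooldown arguments summarized above, as an added example in Ruby that is not Homebrew's own code: it computes the same one-day cutoff the PR describes (npm as a relative `--min-release-age` in days, pip as an absolute ISO 8601 `--uploaded-prior-to` timestamp) and then applies that cutoff to a constructed list of release upload times so you can see which versions a cooldown would exclude. The helper names (`cooldown_cutoff`, `npm_cooldown_args`, `pip_cooldown_args`, `eligible_versions`) and the sample releases are assumptions made for this example.

```ruby
# Added example, not Homebrew code. Builds the npm/pip cooldown arguments
# described in the PR and filters a constructed release list by the cutoff.
require "time"

# One day, matching the PR's "delay new packages by one day".
COOLDOWN_SECONDS = 24 * 60 * 60

# ISO 8601 (second precision, UTC) timestamp one day before `now`.
# `now` is injectable so callers and tests get deterministic output.
def cooldown_cutoff(now: Time.now.utc)
  (now - COOLDOWN_SECONDS).iso8601(0)
end

# npm expresses the cooldown as a minimum release age in days.
def npm_cooldown_args(days: 1)
  ["--min-release-age=#{days}"]
end

# pip expresses it as an absolute "uploaded prior to" cutoff.
def pip_cooldown_args(now: Time.now.utc)
  ["--uploaded-prior-to=#{cooldown_cutoff(now: now)}"]
end

# Given { version => upload_time_iso8601 }, return the versions that are old
# enough to install. This mirrors the registry-side filter the flags request:
# anything uploaded at or after the cutoff is excluded.
def eligible_versions(releases, now: Time.now.utc)
  cutoff = Time.iso8601(cooldown_cutoff(now: now))
  releases.select { |_version, uploaded| Time.iso8601(uploaded) < cutoff }.keys
end

# Constructed sample data (hypothetical package): one stable release and one
# pushed a few hours before the reference time.
SAMPLE_NOW = Time.utc(2026, 4, 4, 12, 0, 0)
SAMPLE_RELEASES = {
  "1.2.3" => "2026-03-20T09:00:00Z",
  "1.2.4" => "2026-04-04T08:30:00Z", # 3.5h old at SAMPLE_NOW: still in cooldown
}.freeze

if $PROGRAM_NAME == __FILE__
  puts npm_cooldown_args.join(" ")
  puts pip_cooldown_args(now: SAMPLE_NOW).join(" ")
  puts "installable: #{eligible_versions(SAMPLE_RELEASES, now: SAMPLE_NOW).inspect}"
end
```

The cutoff is computed when the argument list is built, so a long-running build that assembles arguments early will use a slightly older cutoff than one assembled later; for a one-day window that drift is negligible. Note that the pip flag only constrains what pip itself resolves: as the review thread below points out, packages installed with `--no-deps` from pre-resolved resources are unaffected unless the same cutoff is also applied where those resources are resolved.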

@MikeMcQuaid MikeMcQuaid enabled auto-merge April 4, 2026 11:50
- delay new `npm` and `pip` packages by one day so freshly
  published compromises are less likely to land in builds
- apply the `npm` cooldown in shared helpers so Node formula
  dependency installs inherit it too
- cover the new defaults in `node_spec.rb` and `formula_spec.rb`
@MikeMcQuaid MikeMcQuaid force-pushed the npm-pip-cooldown-defaults branch from 46c6208 to 6c02db3 Compare April 4, 2026 11:51
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Apr 4, 2026
Merged via the queue into main with commit 7c387d9 Apr 4, 2026
40 checks passed
@MikeMcQuaid MikeMcQuaid deleted the npm-pip-cooldown-defaults branch April 4, 2026 13:05
Comment on lines +2136 to +2138 of Library/Homebrew/formula.rb:

```ruby
# Delay packages published in the last day so builds are less likely to
# install a freshly compromised PyPI release.
args << "--uploaded-prior-to=#{(time - (24 * 60 * 60)).iso8601(0)}"
```

@cho-m (Member) Apr 4, 2026

This will only impact build-time packages when run in build-isolation. And nothing when no-build-isolation as we use --no-deps.

To cooldown a Python formula's dependencies, need to update the resource resolver:

```ruby
def self.pip_report(packages, python_name: "python", print_stderr: false)
  return [] if packages.blank?

  command = [
    Formula[python_name].opt_libexec/"bin/python", "-m", "pip", "install", "-q", "--disable-pip-version-check",
    "--dry-run", "--ignore-installed", "--report=/dev/stdout", *packages.map(&:to_s)
```

EDIT: Though this may want to wait for bump support, i.e. #21888, so that the cooldown is applied to both main package and dependencies

@MikeMcQuaid (Member, Author)

Yes, let's add there too.

Though this may want to wait for bump support, i.e. #21888, so that the cooldown is applied to both main package and dependencies

Let's not. Let's not let perfect be the enemy of good here.

@MikeMcQuaid (Member, Author)

@cho-m thanks: #21920

@storopoli

Sorry about the notification noise, but thank you for this change :)


6 participants