
chore: min age for dependencies#1218

Draft
leonardmq wants to merge 4 commits into main from leonard/kil-513-chore-min-age-for-deps

Conversation

@leonardmq
Collaborator

@leonardmq leonardmq commented Apr 4, 2026

What does this PR do?

Add exclude-newer in pyproject.toml files so that uv add installs dependencies not newer than a certain age (7 days) to decrease the risk of installing attacked deps.

Also added min-release-age to do the same for npm i - the flag is relatively recent in npm, so you need npm >= 11.x. Update your npm with npm install -g npm@latest.

You also need to run uv sync.

Checklists

  • Tests have been run locally and passed
  • New tests have been added to any work in /lib

Summary by CodeRabbit

  • Chores
    • Updated dependency management configuration to exclude package versions newer than 7 days, enhancing stability across Python and Node.js environments.
    • Updated test framework configuration settings for improved test execution behavior.
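The policy the PR description configures (a version is installable only if it is at least 7 days old) can be illustrated with a small selector over PyPI-style release metadata. This is an added example, not code from this PR; the release dates and the `SAMPLE_RELEASES` structure are constructed for the demonstration, and the rule "newest file of the version must be older than the cutoff" is an assumption about how the age policy applies.

```python
"""Pick the newest package version that is at least MIN_AGE old.

Added example mirroring the intent of uv's `exclude-newer = "7 days"` and
npm's `min-release-age`; not the resolver code of either tool.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)

# Constructed sample shaped like the "releases" field of PyPI's JSON API:
# version -> list of uploaded files, each with an ISO-8601 upload time.
SAMPLE_RELEASES = {
    "4.10.0": [{"upload_time_iso_8601": "2026-01-10T12:00:00Z"}],
    "4.12.0": [{"upload_time_iso_8601": "2026-03-20T09:30:00Z"}],
    "4.13.0": [{"upload_time_iso_8601": "2026-04-02T18:45:00Z"}],
}
# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2026, 4, 4, 0, 0, tzinfo=timezone.utc)


def _version_key(version: str) -> tuple:
    """Numeric sort key for simple dotted versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def newest_file_time(files: list) -> datetime:
    """A version is as new as its most recently uploaded file."""
    return max(_parse(f["upload_time_iso_8601"]) for f in files)


def eligible_versions(releases: dict, now: datetime = NOW,
                      min_age: timedelta = MIN_AGE) -> list:
    """Versions whose newest file was uploaded on or before now - min_age."""
    cutoff = now - min_age
    return sorted(
        (v for v, files in releases.items()
         if files and newest_file_time(files) <= cutoff),
        key=_version_key,
    )


def pick_version(releases: dict, now: datetime = NOW,
                 min_age: timedelta = MIN_AGE):
    """Newest eligible version, or None if every version is too recent."""
    ok = eligible_versions(releases, now, min_age)
    return ok[-1] if ok else None
```

With the constructed dates the cutoff is 2026-03-28, so 4.13.0 (uploaded 2026-04-02) is skipped and 4.12.0 is chosen; with a zero age the newest version wins.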

@coderabbitai
Contributor

coderabbitai Bot commented Apr 4, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0571088f-04b2-494f-9716-4f7b22fb6c8c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Configuration updates applied across package management and testing tools. Python projects receive exclude-newer = "7 days" under [tool.uv] to constrain dependency versions. npm configuration adds release-age constraint. pytest.ini syntax adjusted for asyncio loop scope configuration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| UV Dependency Constraints: app/desktop/pyproject.toml, libs/core/pyproject.toml, libs/server/pyproject.toml, pyproject.toml | Added [tool.uv] configuration with exclude-newer = "7 days" to constrain dependency resolution to versions no newer than 7 days old. |
| NPM Release Age: app/web_ui/.npmrc | Added min-release-age=7 setting to enforce a minimum 7-day release age for npm packages. |
| Pytest Asyncio Configuration: pytest.ini | Changed asyncio_default_fixture_loop_scope from the quoted string "function" to the unquoted token function for proper configuration parsing. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 With version pins and timespan bounds,
We tame the package update rounds!
Seven days of waiting here,
Keeps our dependencies crystal clear.
Fresh but stable, tried and tested—
Our configs now well-invested! ✨

🚥 Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore: min age for dependencies' is clear and directly summarizes the main change, which is adding minimum age constraints for dependencies across multiple package managers. |
| Description check | ✅ Passed | The PR description covers the main objectives and includes the required checklist with both items checked, though it omits the 'Related Issues' section from the template. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@socket-security

socket-security Bot commented Apr 4, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pypi/anyio@4.10.0 ⏵ 4.13.0 | 97 (+1) | 100 | 100 | 100 | 100 |
| Added | pypi/certifi@2026.2.25 | 100 | 100 | 100 | 100 | 70 |
| Updated | pypi/boto3@1.37.10 ⏵ 1.42.78 | 99 | 100 | 100 | 100 | 100 |

View full report

@leonardmq leonardmq marked this pull request as draft April 4, 2026 05:14
@leonardmq
Collaborator Author

Not ideal - it updated all the existing dependencies

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 4, 2026

📊 Coverage Report

Overall Coverage: 92%

Diff: origin/main...HEAD

No lines with coverage information in this diff.


Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request implements dependency age constraints by adding exclude-newer to uv configurations and min-release-age to npm settings. It also removes peer dependency flags from package-lock.json and adjusts the asyncio fixture scope in pytest.ini. Feedback indicates that the npm min-release-age value is incorrectly set to 7 seconds instead of 7 days, and the [tool.uv] settings in workspace member files are redundant as they are inherited from the root configuration.

Comment thread app/web_ui/.npmrc
Comment thread app/desktop/pyproject.toml Outdated
Comment thread libs/core/pyproject.toml Outdated
Comment thread libs/server/pyproject.toml Outdated