chore(deps): enforce 24h minimum release age (#13998)

Author: james-elicx

.github/dependabot.yml

@@ -10,6 +10,10 @@ updates:
       day: "sunday"
       time: "06:00"
     versioning-strategy: increase
+    # Match the 24h minimumReleaseAge enforced by pnpm in pnpm-workspace.yaml
+    # so Dependabot doesn't open PRs that CI will then reject.
+    cooldown:
+      default-days: 1
     # the following is used to add the [C3] prefix to the PR title,
     # we override the commit message but setting a prefix like this
     # makes it so that also the PR title gets such prefix

packages/mock-npm-registry/src/index.ts

@@ -76,6 +76,24 @@ export async function startMockNpmRegistry(...targetPackages: string[]) {
 		"npm_config_registry",
 		`http://localhost:${registryPort}`
 	);
+	// `pnpm run` exports `npm_config_minimum_release_age` from the workspace
+	// pnpm-workspace.yaml to subprocess env vars, but does NOT export the
+	// matching `minimumReleaseAgeExclude` array. Tests using this mock registry
+	// install freshly-published first-party packages, so the 24h cooldown would
+	// reject them. Set the exclude list as a comma-separated env var so the
+	// constraint still applies to other (third-party) deps pulled via uplinks.
+	const revert_npm_config_minimum_release_age_exclude = overrideProcessEnv(
+		"npm_config_minimum_release_age_exclude",
+		[
+			...pkgs.keys(),
+			// workerd and @cloudflare/workers-types are pulled in transitively
+			// (e.g. via miniflare) and may have been bumped same-day. Keep this
+			// list in sync with `minimumReleaseAgeExclude` in pnpm-workspace.yaml.
+			"workerd",
+			"@cloudflare/workerd-*",
+			"@cloudflare/workers-types",
+		].join(",")
+	);
 
 	if (debugLog.enabled) {
 		debugLog("Updated");
@@ -105,6 +123,7 @@ export async function startMockNpmRegistry(...targetPackages: string[]) {
 		revert_NPM_CONFIG_USERCONFIG();
 		revert_npm_config_registry();
 		revert_npm_config_userconfig();
+		revert_npm_config_minimum_release_age_exclude();
 		if (debugLog.enabled) {
 			debugLog("After");
 			debugLog(execSync("pnpm config list", { encoding: "utf8" }));

pnpm-workspace.yaml

@@ -30,6 +30,20 @@ gitChecks: false
 # URLs. Only direct dependencies may use exotic sources.
 blockExoticSubdeps: true
 
+# Require packages to be at least 24 hours old before they can be installed.
+# This mitigates supply-chain attacks where a malicious version is published and
+# yanked quickly, by ensuring there is a window for detection before adoption.
+# Value is in minutes (1440 = 24 hours).
+minimumReleaseAge: 1440
+
+# First-party Cloudflare packages are exempt from the cooldown so they can be
+# adopted same-day.
+minimumReleaseAgeExclude:
+  - "workerd"
+  # Platform-specific workerd binaries published in lock-step with workerd.
+  - "@cloudflare/workerd-*"
+  - "@cloudflare/workers-types"
+
 # ──────────────────────────────────────────────────────────────────────────────
 # Build scripts
 # pnpm 10 blocks lifecycle scripts by default. Only the packages listed here