dev: add minimum dependency age of 72h against supply chain attacks

lucas-koehler · lucas-koehler · commit 7e4a8b68a6af · 2026-05-18T10:53:34.000+02:00
Reduce the risk of installing malicious packages when upgrading dependency versions
by only allowing package versions published at least 72h ago.
As most malicious packages are discovered and blocked within this time,
this reduces the risk of accidentally installing them.
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -1,2 +1,6 @@
 packages:
   - 'packages/*'
+# The minimum age of dependency versions to be installed in minutes. 4320 minutes is 72h.
+# This is to avoid supply chain attacks where a new version of a dependency is published with malicious code.
+minimumReleaseAge: 4320
+minimumReleaseAgeIgnoreMissingTime: false
