Add pnpm minimum release age guard for newly published packages#4380

Merged
ravern merged 4 commits into
masterfrom
copilot/add-package-usage-config
May 24, 2026
Conversation

Contributor

Copilot AI commented Mar 31, 2026

Add a project-level pnpm config to avoid consuming freshly published packages immediately. This sets a 7-day release-age threshold before newly published versions are considered eligible.

  • Package manager policy

    • Add a root .npmrc with pnpm’s minimum-release-age setting.
    • Set the threshold to 10080 minutes, which corresponds to 7 days.
  • Repo-level scope

    • Apply the policy at the repository root so it covers workspace installs and dependency updates consistently.
    • Keep the change isolated to package manager configuration; no application or dependency changes are included.
  • Config

    # Wait 7 days (10080 minutes) before using newly released packages
    minimum-release-age=10080


vercel Bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
nusmods-export Ignored Ignored Preview May 24, 2026 7:53am
nusmods-website Ignored Ignored Preview May 24, 2026 7:53am


codecov Bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.40%. Comparing base (988c6fd) to head (4ede696).
⚠️ Report is 235 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4380      +/-   ##
==========================================
+ Coverage   54.52%   56.40%   +1.88%     
==========================================
  Files         274      317      +43     
  Lines        6076     6962     +886     
  Branches     1455     1679     +224     
==========================================
+ Hits         3313     3927     +614     
- Misses       2763     3035     +272     


@ravern ravern marked this pull request as ready for review May 23, 2026 10:02
Member

ravern commented May 23, 2026

@greptileai review

Contributor

greptile-apps Bot commented May 23, 2026

Greptile Summary

This PR adds a root-level .npmrc with pnpm's minimum-release-age=10080 setting, introducing a 7-day delay before newly published packages are eligible for installation — a supply-chain security hardening measure.

  • The value and unit (10080 minutes = 7 days) are correct, and the setting is recognized by pnpm on 10.x via .npmrc.
  • The canonical location for minimumReleaseAge since pnpm 11 is pnpm-workspace.yaml; the repo already has that file and could host this setting there to avoid a future migration.

Confidence Score: 4/5

Safe to merge — the only concern is that .npmrc is not the preferred config file for this setting and may stop working in pnpm 11+.

The change is a one-liner config addition with correct value and unit. It achieves its supply-chain goal on pnpm 10.x, but the .npmrc placement diverges from the canonical pnpm-workspace.yaml home that pnpm 11 requires, creating a latent migration cost.

.npmrc — the setting works here on pnpm 10.x but will need to move to pnpm-workspace.yaml when upgrading to pnpm 11.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pnpm install / pnpm add] --> B{Read .npmrc\nminimum-release-age=10080}
    B --> C[Resolve dependency versions]
    C --> D{For each candidate version\ncheck publish timestamp}
    D --> E{Age >= 10080 min\n7 days?}
    E -- Yes --> F[Version eligible\nfor installation]
    E -- No --> G[Version skipped\ntoo new]
    G --> H{Older version\navailable?}
    H -- Yes --> I[Fall back to older\neligible version]
    H -- No --> J[Installation blocked\nuntil age threshold met]
    F --> K[Lockfile updated &\npackages installed]
    I --> K

---

### Issue 1 of 1
.npmrc:2
**Consider moving this to `pnpm-workspace.yaml`**

The pnpm docs list `minimumReleaseAge` exclusively under the `pnpm-workspace.yaml` settings reference. The `.npmrc` kebab-case form (`minimum-release-age`) works on pnpm 10.x but is not recognized starting from pnpm 11. Since the repo already has a `pnpm-workspace.yaml`, adding `minimumReleaseAge: 10080` there is the canonical approach and will survive a future pnpm major-version upgrade without any follow-up change.

Reviews (1): Last reviewed commit: "chore: add minimum package release age c..."
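The eligibility check that the PR description and the Greptile flowchart describe, written out as an added example that is not part of this PR or of pnpm's own code: it applies the 10080-minute threshold to the `time` map of an npm registry packument and picks the newest version that has aged past it. The package name, publish timestamps and install time below are constructed for illustration.

```javascript
// Added example: simulates pnpm's minimum-release-age eligibility check
// against the "time" map of an npm packument. Registry data is constructed.
const MINIMUM_RELEASE_AGE_MINUTES = 10080; // 7 days, as set in the PR's .npmrc

// Constructed packument fragment for a hypothetical package "example-lib".
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2026-04-01T00:00:00.000Z",
    modified: "2026-05-22T09:00:00.000Z",
    "2.0.0": "2026-04-01T00:00:00.000Z",
    "2.0.1": "2026-05-10T12:00:00.000Z",
    "2.1.0": "2026-05-22T09:00:00.000Z", // published about a day before "now"
  },
};

// Age of a published version in whole minutes at time `now`.
function releaseAgeMinutes(packument, version, now) {
  const published = packument.time[version];
  if (published === undefined) throw new Error(`unknown version ${version}`);
  return Math.floor((now.getTime() - Date.parse(published)) / 60000);
}

// Split versions into eligible and too-new, mirroring the flowchart:
// age >= threshold -> eligible, otherwise skipped as too new.
function classifyVersions(packument, now, thresholdMinutes = MINIMUM_RELEASE_AGE_MINUTES) {
  const eligible = [];
  const tooNew = [];
  for (const version of Object.keys(packument.time)) {
    if (version === "created" || version === "modified") continue; // not versions
    const ageMinutes = releaseAgeMinutes(packument, version, now);
    (ageMinutes >= thresholdMinutes ? eligible : tooNew).push({ version, ageMinutes });
  }
  return { eligible, tooNew };
}

// Newest eligible version (the flowchart's fallback path), or null when every
// version is still inside the quarantine window and installation is blocked.
// A real resolver would additionally apply the semver range from package.json.
function newestEligible(packument, now, thresholdMinutes) {
  const { eligible } = classifyVersions(packument, now, thresholdMinutes);
  if (eligible.length === 0) return null;
  eligible.sort((a, b) => a.ageMinutes - b.ageMinutes); // smallest age = newest
  return eligible[0].version;
}

const now = new Date("2026-05-23T10:00:00.000Z"); // constructed install time
console.log(classifyVersions(packument, now));
console.log("would install:", newestEligible(packument, now)); // prints "2.0.1"
```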

Comment thread .npmrc
Member

@ravern ravern left a comment

Approved. The repo is pinned to pnpm@10.30.3 via packageManager, and the .npmrc minimum-release-age setting is valid for the pinned pnpm version.

Contributor

greptile-apps Bot commented May 23, 2026

PR author is not in the allowed authors list.

@ravern ravern enabled auto-merge (squash) May 23, 2026 10:53
@ravern ravern disabled auto-merge May 24, 2026 07:51
@ravern ravern enabled auto-merge (squash) May 24, 2026 07:53
@ravern ravern merged commit 896fa0d into master May 24, 2026
6 checks passed
@ravern ravern deleted the copilot/add-package-usage-config branch May 24, 2026 07:59