
chore: Configure npmMinimalAgeGate quarantine window #251

Merged: michaelsmueller merged 2 commits into main from chore/offp-262-npm-minimal-age on Apr 1, 2026
Conversation

michaelsmueller (Contributor) commented Apr 1, 2026

Type: Chore
Ticket: OFFP-262

Problem

No protection against freshly-published malicious packages. Same-day supply chain attacks (e.g., axios@1.14.1 pulling in malicious plain-crypto-js) can enter the dependency tree immediately.

Solution

Add npmMinimalAgeGate: 7d to .yarnrc.yml. Yarn will refuse to resolve any package version published less than 7 days ago. No lockfile or runtime changes — only affects future dependency resolution.
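To make the resolution rule in the description concrete, the following is an added example, not code from this PR or from Yarn itself. It models an age gate over a registry packument's `time` map (version to ISO publish timestamp): any version published less than the configured minimum age before "now" is quarantined, and the newest remaining version is selected. The duration grammar (`m`/`h`/`d`), the function names and the sample packument are this example's own assumptions, not Yarn's implementation or real registry data.

```javascript
// Added example (not from the PR or Yarn): a minimal-age gate over
// packument publish timestamps. Assumptions: the duration grammar
// (m/h/d), the function names and the sample data are hypothetical.

const MINUTES_PER_UNIT = { m: 1, h: 60, d: 24 * 60 };

// Parse durations like "7d", "48h", "90m" into whole minutes.
function parseDuration(spec) {
  const match = /^(\d+)([mhd])$/.exec(String(spec).trim());
  if (!match) throw new Error(`unsupported duration: ${spec}`);
  return Number(match[1]) * MINUTES_PER_UNIT[match[2]];
}

// Numeric x.y.z comparison; pre-release tags are out of scope here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return the newest version that is at least `minAgeMinutes` old at `now`,
// together with the versions the gate quarantined (useful for logging).
function selectGatedVersion(timeMap, minAgeMinutes, now = Date.now()) {
  const cutoff = now - minAgeMinutes * 60 * 1000;
  const eligible = [];
  const quarantined = [];
  for (const [version, published] of Object.entries(timeMap)) {
    // Packuments carry 'created' and 'modified' keys alongside versions.
    if (version === 'created' || version === 'modified') continue;
    const publishedMs = Date.parse(published);
    if (Number.isNaN(publishedMs)) throw new Error(`bad timestamp for ${version}`);
    (publishedMs <= cutoff ? eligible : quarantined).push(version);
  }
  eligible.sort(compareVersions);
  quarantined.sort(compareVersions);
  return {
    selected: eligible.length ? eligible[eligible.length - 1] : null,
    quarantined,
  };
}

// Constructed sample (hypothetical package): the newest version was
// published two hours before "now", so a 7d gate must skip it.
const SAMPLE_NOW = Date.parse('2026-04-01T12:00:00Z');
const SAMPLE_TIME_MAP = {
  created: '2025-01-10T08:00:00Z',
  modified: '2026-04-01T10:00:00Z',
  '2.2.5': '2026-02-01T09:30:00Z',
  '2.3.0': '2026-03-10T09:30:00Z',
  '2.3.1': '2026-04-01T10:00:00Z',
};

// Compare resolution with the gate on (7d) and off (0 minutes).
function demo() {
  return {
    gated: selectGatedVersion(SAMPLE_TIME_MAP, parseDuration('7d'), SAMPLE_NOW),
    ungated: selectGatedVersion(SAMPLE_TIME_MAP, 0, SAMPLE_NOW),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the gate on, the two-hour-old 2.3.1 is held back and 2.3.0 is selected; with the gate off, 2.3.1 resolves immediately. The same delay applies to a legitimate security fix published in that window, which is the trade-off a team adopting such a gate needs a bypass procedure for.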

coderabbitai (bot) commented Apr 1, 2026

📝 Walkthrough

Added npmMinimalAgeGate: 7d to .yarnrc.yml, introducing a 7-day age constraint used during npm package selection for dependency resolution; no other Yarn settings were modified.

Changes

Cohort / File(s): Yarn Configuration (.yarnrc.yml)
Summary: Added npmMinimalAgeGate: 7d setting to require npm packages be at least seven days old during resolution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

Ready for Review

Suggested reviewers

  • callum-hyland
  • garlab
  • jdrskr

Poem

🐰 Seven days of waiting, wise and spry,
I nibble carrots as versions fly by,
A gentle gate to keep surprises light,
Packages aged, and tests sleep tight,
Hooray for yarns that hop just right! 🥕✨

🚥 Pre-merge checks: 3 passed

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: ✅ Passed. The title clearly and concisely describes the main change: configuring the npmMinimalAgeGate setting in Yarn configuration to add a 7-day quarantine window for npm packages.
  • Description check: ✅ Passed. The PR description follows the template structure with Type and Ticket, clearly explains the problem (supply chain attack risk), solution (7-day age gate), and mentions no lockfile/runtime changes.


@michaelsmueller michaelsmueller marked this pull request as draft April 1, 2026 12:03

coderabbitai (bot) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)

.yarnrc.yml, line 9: Consider the operational trade-offs of the 7-day quarantine window.

While npmMinimalAge: 7d effectively mitigates same-day supply chain attacks, it also delays access to legitimate updates including potential security patches for 7 days. Consider establishing a process for emergency dependency updates (e.g., temporarily disabling the constraint or using yarn up with explicit overrides) when critical patches are released.

Inline comment on .yarnrc.yml:
- Line 9: Rename the incorrect config key npmMinimalAge to npmMinimalAgeGate and
change its value from the string/duration format to an integer representing
minutes; specifically replace npmMinimalAge: "7d" (or npmMinimalAge: 7d) with
npmMinimalAgeGate: 10080 so Yarn recognizes the key and the 7-day (7×24×60)
quarantine window.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4a625bbd-d77c-46de-afa3-afe222b11ee4

📥 Commits

Reviewing files that changed from the base of the PR and between 6723530 and 6aa292c.

📒 Files selected for processing (1)
  • .yarnrc.yml

@michaelsmueller michaelsmueller marked this pull request as ready for review April 1, 2026 12:57
@michaelsmueller michaelsmueller changed the title chore: Configure npmMinimalAge quarantine window chore: Configure npmMinimalAgeGate quarantine window Apr 1, 2026
@michaelsmueller michaelsmueller merged commit 05f94a6 into main Apr 1, 2026
4 checks passed
@michaelsmueller michaelsmueller deleted the chore/offp-262-npm-minimal-age branch April 1, 2026 13:15