From 08bbe4daa579c181f12c3cb7209c288c4b90585e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Benoit?=
Date: Tue, 26 May 2026 20:25:24 +0200
Subject: [PATCH 1/2] ci(renovate): enforce 3-day minimum release age for npm packages

Extend the Renovate config with the official 'security:minimumReleaseAgeNpm' preset so that Renovate waits 3 days after publication before creating PRs for any npm/pnpm dependency. This adds a buffer against unpublished or freshly-broken releases (e.g. malicious packages, npm unpublish window, transient registry/lockfile resolution issues).
---
 renovate.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/renovate.json b/renovate.json
index e3cfe0e..f6ed404 100644
--- a/renovate.json
+++ b/renovate.json
@@ -6,11 +6,14 @@
 ":configMigration",
 "group:allNonMajor",
 "schedule:daily",
- ":maintainLockFilesWeekly"
+ ":maintainLockFilesWeekly",
+ "security:minimumReleaseAgeNpm"
 ],
 "packageRules": [
 {
- "matchFileNames": ["**/package.json"],
+ "matchFileNames": [
+ "**/package.json"
+ ],
 "matchDepTypes": [
 "dependencies",
 "devDependencies",
From 53967fbeab11aa284215adb49cf89e5ccf5d5052 Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Tue, 26 May 2026 18:25:57 +0000
Subject: [PATCH 2/2] [autofix.ci] apply automated fixes

---
 renovate.json | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/renovate.json b/renovate.json
index f6ed404..ded9cdb 100644
--- a/renovate.json
+++ b/renovate.json
@@ -11,9 +11,7 @@
 ],
 "packageRules": [
 {
- "matchFileNames": [
- "**/package.json"
- ],
+ "matchFileNames": ["**/package.json"],
 "matchDepTypes": [
 "dependencies",
 "devDependencies",
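Review bot: The 3-day window added to `extends` in the first patch gates only the version updates Renovate itself proposes for the npm datasource. `:maintainLockFilesWeekly`, one line above it, still has the package manager re-resolve the lockfile, so as far as I know transitive dependencies can land younger than three days. If the repo installs with pnpm, consider mirroring the window in the package manager itself, e.g. `minimumReleaseAge: 4320` (minutes) in `pnpm-workspace.yaml`, provided the pnpm version in use supports that setting. It is also worth confirming how the Renovate version in use treats a release that has no publish timestamp (`minimumReleaseAgeBehaviour`), since a missing timestamp may otherwise pass the age check. The `extends` array opens above the hunk, so presets listed earlier are not visible here.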