
chore(dependabot): add release-age cooldown to npm updates #285

Merged
SamTV12345 merged 1 commit into main from chore/dependabot-cooldown on Jun 12, 2026

Conversation

@SamTV12345

Member

Why

CI installs the latest pnpm (build.yml: npm install -g pnpm@latest), which is newer than the repo's pinned pnpm@11.5.2 and enforces a default 24h minimumReleaseAge supply-chain gate on the lockfile. Dependabot opens npm bumps the same day a version is published, so those PRs fail CI with:

ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION
  lucide-react@1.18.0 was published at ..., within the minimumReleaseAge cutoff

(seen on #283, lucide-react 1.17.0 → 1.18.0).

What

Add a 3-day cooldown to the /ui and /admin npm update configs so Dependabot waits until a release has aged past the gate before opening a PR. This:

  • Keeps the supply-chain protection (the 24h gate stays on).
  • Stops the doomed-from-the-start PRs that can never pass CI on publish day.

Only the npm ecosystems feed pnpm-lock.yaml, so the gate doesn't affect the github-actions/docker/gomod configs — they're left unchanged.

🤖 Generated with Claude Code

CI installs the latest pnpm, which enforces a default 24h minimumReleaseAge supply-chain gate on the lockfile. Dependabot opens npm bumps the same day a version is published, so the resulting PRs fail CI with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION (e.g. lucide-react 1.18.0 in #283).

Add a 3-day cooldown to the /ui and /admin npm update configs so Dependabot waits until a release has aged past the gate before opening a PR. This keeps the supply-chain protection intact while avoiding PRs that are doomed to fail.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
qodo-free-for-open-source-projects Bot commented Jun 12, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


@qodo-free-for-open-source-projects


PR Summary by Qodo

Dependabot: add 3-day cooldown to npm updates to avoid pnpm release-age CI failures
⚙️ Configuration changes 🕐 Less than 10 minutes


Walkthroughs

Description
• Add a 3-day Dependabot cooldown for /ui npm updates to clear pnpm release-age gate.
• Add the same cooldown for /admin npm updates to prevent publish-day CI failures.
Diagram
graph TD
  D["Dependabot (npm)"] --> C["cooldown: 3 days"] --> P["Update PR"] --> CI["CI build"] --> PN["pnpm@latest"] --> G{"minimumReleaseAge OK?"}
  G -->|"Yes"| PASS["Lockfile accepted"]
  G -->|"No"| FAIL["ERR_PNPM_MINIMUM_RELEASE_AGE"]
High-Level Assessment

The following are alternative approaches to this PR:

1. Pin pnpm in CI to the repo’s pinned version
  • ➕ Eliminates version skew between CI and local installs
  • ➕ Avoids unexpected behavior changes from pnpm@latest
  • ➖ Does not preserve the newer pnpm supply-chain defaults if desired
  • ➖ Requires keeping CI pnpm version in sync as part of upgrades
2. Configure pnpm minimumReleaseAge explicitly (project/CI)
  • ➕ Makes the release-age policy intentional and transparent
  • ➕ Allows fine-grained control (e.g., 0h/24h/72h) independent of pnpm version
  • ➖ May reduce protection if set lower than pnpm’s default
  • ➖ Requires identifying the right config surface and ensuring CI respects it
3. Reduce Dependabot frequency (e.g., weekly) for npm ecosystems
  • ➕ Naturally avoids publish-day updates without adding special logic
  • ➕ Fewer PRs overall
  • ➖ Slower security/bugfix uptake than daily updates
  • ➖ Less targeted than a cooldown (delays even older releases)

Recommendation: The chosen cooldown is a pragmatic, low-risk fix because it preserves pnpm’s minimumReleaseAge gate while preventing PRs that cannot pass CI on publish day. If CI stability issues persist due to pnpm@latest drift, consider also pinning pnpm in CI to match the repo’s pinned version.


File Changes

Other (1)
dependabot.yml Add 3-day cooldown to npm update configs for /ui and /admin +10/-0

Add 3-day cooldown to npm update configs for /ui and /admin

• Introduces a Dependabot cooldown (default 3 days) for the /ui and /admin npm ecosystems. Adds inline rationale tying the delay to pnpm’s minimumReleaseAge gate to avoid publish-day CI failures.

.github/dependabot.yml


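The page does not show the dependabot.yml diff itself, so the following is an added example (not the PR's own change and not the project's code) of what the two halves of this setup look like together: the Dependabot cooldown the PR describes for /ui and /admin, and the pnpm-side setting from alternative 2 above that makes the 24h release-age gate an explicit project policy instead of a default inherited from whatever pnpm@latest CI installs. The fence holds two files separated by a YAML `---` document marker. The schedule intervals, the semver-specific day counts on /admin and the `@example-org/*` scope are assumptions; the `minimumReleaseAge` / `minimumReleaseAgeExclude` keys and the minute unit follow the setting pnpm introduced in 10.16 and should be checked against the pnpm version the repo actually pins.

```yaml
# --- .github/dependabot.yml  (added example, not the PR's diff) ---
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/ui"
    schedule:
      interval: "daily"           # assumed; the page does not show the schedule
    # Do not propose a version until it has been on the registry for 3 days.
    # 3 days > the 24h minimumReleaseAge pnpm enforces in CI, so the bump can
    # never hit ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION on publish day.
    cooldown:
      default-days: 3

  - package-ecosystem: "npm"
    directory: "/admin"
    schedule:
      interval: "daily"           # assumed
    cooldown:
      default-days: 3
      # Optional refinement (not in the PR): wait longer for major bumps,
      # which carry the most behaviour change and the most review load.
      semver-major-days: 7

  # github-actions / docker / gomod never touch pnpm-lock.yaml, so the pnpm
  # gate does not apply to them and they need no cooldown (as the PR notes).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"          # assumed
---
# --- pnpm-workspace.yaml  (added example, not part of this PR) ---
# Pin the release-age policy in the repo so it does not change when CI's
# `npm install -g pnpm@latest` moves to a pnpm with different defaults.
# Value is in minutes: 1440 = 24h, the default the PR description reports.
minimumReleaseAge: 1440
# Hypothetical carve-out for packages the org publishes itself and wants
# to consume immediately; everything else still waits out the window.
minimumReleaseAgeExclude:
  - "@example-org/*"
```

The two settings are independent knobs: the Dependabot cooldown only decides when an update PR is opened, while pnpm's gate is what actually fails the install in CI. Keep the cooldown at least as long as the gate (here 3 days against 24h, since Dependabot counts whole days), and if the gate is ever raised in pnpm-workspace.yaml, raise `default-days` with it or the publish-day failures described in the PR come back.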

@SamTV12345 SamTV12345 merged commit 0acf913 into main Jun 12, 2026
3 checks passed