From a62dec7560c10bc8637b5ae13644db82aa165406 Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
Date: Fri, 12 Jun 2026 22:26:13 +0200
Subject: [PATCH] chore(dependabot): add release-age cooldown to npm updates

CI installs the latest pnpm, which enforces a default 24h minimumReleaseAge supply-chain gate on the lockfile. Dependabot opens npm bumps the same day a version is published, so the resulting PRs fail CI with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION (e.g. lucide-react 1.18.0 in #283).

Add a 3-day cooldown to the /ui and /admin npm update configs so Dependabot waits until a release has aged past the gate before opening a PR. This keeps the supply-chain protection intact while avoiding PRs that are doomed to fail.

Co-Authored-By: Claude Fable 5
---
 .github/dependabot.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 79fd90a..23cac2f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -25,6 +25,12 @@ updates:
 interval: "daily"
 versioning-strategy: "increase"
 open-pull-requests-limit: 30
+ # Wait until a release has aged before opening a PR. CI installs the
+ # latest pnpm, which enforces a 24h minimumReleaseAge supply-chain gate on
+ # the lockfile; opening PRs sooner just produces runs that fail that gate.
+ # The cooldown keeps the protection and avoids the doomed PRs.
+ cooldown:
+ default-days: 3
 groups:
 dev-dependencies:
 dependency-type: "development"
@@ -39,6 +45,10 @@ updates:
 interval: "daily"
 versioning-strategy: "increase"
 open-pull-requests-limit: 30
+ # See the /ui config above: cooldown clears pnpm's 24h minimumReleaseAge
+ # supply-chain gate so Dependabot doesn't open PRs that are sure to fail CI.
+ cooldown:
+ default-days: 3
 groups:
 dev-dependencies:
 dependency-type: "development"
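Review bot: The `default-days: 3` added to the /ui entry only works because it happens to exceed a pnpm default that lives outside this file and outside the repo's control ("CI installs the latest pnpm"), so nothing ties the two numbers together when either side changes. I'd pin the gate explicitly in the project's pnpm config (e.g. `minimumReleaseAge=1440` in `.npmrc` or the equivalent key in `pnpm-workspace.yaml`, whichever this repo uses) and record the coupling here: `# Must stay above pnpm's minimumReleaseAge (1440 min) or PRs hit ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION again.`. The cooldown is also a blanket delay on npm bumps, so a security fix published less than 3 days ago is either held back by the cooldown or, if Dependabot security updates bypass cooldown (worth confirming against the Dependabot docs for the settings in use), still fails the pnpm gate; pnpm's `minimumReleaseAgeExclude` is the documented way to let a specific package through in that case, and a one-line pointer to it in this comment would help whoever handles the next urgent advisory. The enclosing `updates:` entry starts before the hunk.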
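Review bot: The comment added to the /admin entry says the cooldown "clears" pnpm's 24h minimumReleaseAge gate, which reads as if it disables the check; it waits the gate out, and that distinction is the whole supply-chain argument the commit message makes. Suggested wording: `# See the /ui config above: a 3-day cooldown lets releases age past pnpm's 24h minimumReleaseAge gate, so Dependabot PRs no longer fail CI on it.` The enclosing `updates:` entry starts before the hunk.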