From 9213d441835bb01d53ba26b44dbda4c8780c5aa1 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 16 Jun 2026 23:29:15 +0000 Subject: [PATCH] fix: enforce 72h supply-chain age gate and align dependabot schedule MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add frontend/.npmrc with minimum-release-age=259200000 (72h in ms) so pnpm actually enforces the intended policy — the pnpm-workspace.yaml value was silently ignored by pnpm v11, leaving only the 24h default. Pin all three dependabot ecosystems to Monday 09:00 so packages proposed each week will naturally be 72h+ old before any PR is reviewed and merged, reducing collisions with the release-age gate. Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_011SHcSyxENTaQ1U4CsyKGRb --- .github/dependabot.yml | 6 ++++++ frontend/.npmrc | 1 + 2 files changed, 7 insertions(+) create mode 100644 frontend/.npmrc diff --git a/.github/dependabot.yml b/.github/dependabot.yml index afac372..c61c584 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: /backend schedule: interval: weekly + day: monday + time: "09:00" open-pull-requests-limit: 5 labels: - dependencies @@ -29,6 +31,8 @@ updates: directory: /frontend schedule: interval: weekly + day: monday + time: "09:00" open-pull-requests-limit: 5 labels: - dependencies @@ -54,6 +58,8 @@ updates: directory: / schedule: interval: weekly + day: monday + time: "09:00" labels: - dependencies - github-actions diff --git a/frontend/.npmrc b/frontend/.npmrc new file mode 100644 index 0000000..a65c06a --- /dev/null +++ b/frontend/.npmrc @@ -0,0 +1 @@ +minimum-release-age=259200000
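Review bot: In the three `schedule:` blocks of .github/dependabot.yml, the added `time: "09:00"` has no `timezone` key beside it, so Dependabot reads it as UTC; add a `timezone:` entry if a local Monday morning is intended. The schedule only controls when PRs are opened, not how old the proposed release is: a version published shortly before Monday 09:00 can still be proposed that day. The 72h property therefore rests on the frontend/.npmrc gate plus review timing. For `/backend` and `/`, which a file under frontend/ does not cover, it rests on review timing alone. A short comment above each `schedule:` block saying so would keep the policy from being read as enforced by the schedule.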
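Review bot: The single added line in frontend/.npmrc, `minimum-release-age=259200000`, carries no unit, and the only statement that it is milliseconds is in the commit message; confirm the unit against the pnpm documentation for the version in use before merging. 259200000 ms is 72h, but if the setting is counted in minutes the same number is roughly 493 years and would reject every release. Add a comment line above it recording the unit and the 72h intent. A CI step that prints the effective value would also catch a silently ignored or misread setting, which is the failure the commit message describes for pnpm-workspace.yaml.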