# Dependency cooldown: never resolve an npm version published within the
# last 7 days, so a compromised or yanked release has a window to surface
# before it is pinned. This is the npm mirror of the Python-side cooldown
# in uv.toml (`exclude-newer = "P7D"`).
#
# Applied at RESOLUTION time (`npm install` / lockfile regen); `npm ci`
# just installs the already-cooled lockfile. Value is in DAYS.
#
# Requires npm >= 11.10.0 — `min-release-age` landed there. An older npm
# silently ignores this key, so the lockfile-regen workflows
# (`oss-regenerate-and-smoke.yml`, `oss-regen-on-comment.yml`) install a
# new-enough npm before regenerating; that workflow, not this file, is the
# real enforcement point.
min-release-age=7
