
[AI] Add npm minimal age gate for supply-chain defense#8011

Merged
MatissJanis merged 3 commits into
masterfrom
claude/festive-ptolemy-yoZ36
Jun 1, 2026

Conversation


@MatissJanis MatissJanis commented May 31, 2026

Member

Description

Extra protection when we are doing dependency upgrades.

Plus, it should make the upgrade ergonomics slightly better, as we won't need to manually check the release date for version bumps.

Related issue(s)

n/a

Testing

N/A

Checklist

  • Release notes added (see link above)
  • No obvious regressions in affected areas
  • Self-review has been performed - I understand what each change in the code does and why it is needed

https://claude.ai/code/session_01SVxxPz4Ku8GmkYzTLrLQWo


netlify Bot commented May 31, 2026


Deploy Preview for actualbudget ready!

Name Link
🔨 Latest commit d61d0e5
🔍 Latest deploy log https://app.netlify.com/projects/actualbudget/deploys/6a1c99eaa92927000851be2a
😎 Deploy Preview https://deploy-preview-8011.demo.actualbudget.org

@MatissJanis MatissJanis changed the title from "Add npm minimal age gate for supply-chain defense" to "[AI] Add npm minimal age gate for supply-chain defense" May 31, 2026
@MatissJanis MatissJanis marked this pull request as ready for review May 31, 2026 20:37
@MatissJanis MatissJanis requested a review from matt-fidd May 31, 2026 20:37

coderabbitai Bot commented May 31, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1aae0543-bd77-4f6f-87b1-d584551fc449

📥 Commits

Reviewing files that changed from the base of the PR and between 000d957 and d61d0e5.

📒 Files selected for processing (2)
  • .yarnrc.yml
  • upcoming-release-notes/8011.md

📝 Walkthrough

A Yarn configuration update enforces a 3-day minimum age gate for npm package versions to reduce supply-chain attack risk, paired with a release notes entry documenting this maintenance change.

Changes

Supply-chain Hardening

Layer: Supply-chain protection via npm minimal age gate
File(s): .yarnrc.yml, upcoming-release-notes/8011.md
Summary: Yarn configuration adds npmMinimalAgeGate: '3d' with comments explaining the supply-chain protection intent; the release notes document this as maintenance work to harden against attacks.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

size small

Suggested reviewers

  • matt-fidd
  • jfdoming

Poem

🐰 A carrot freshly picked, not plucked too soon,
Three days aged to perfection, like a fine bamboo tune,
Supply chains fortified, with caution's gentle gate,
The Yarn config stands guard—better safe than late! 🌾✨

🚥 Pre-merge checks | ✅ 4 passed
  • Title check: ✅ Passed. The title clearly and concisely describes the main change: adding an npm minimal age gate for supply-chain defense, which is directly reflected in the changeset modifications to .yarnrc.yml and release notes.
  • Description check: ✅ Passed. The description is related to the changeset, explaining the purpose of the npm minimal age gate for supply-chain protection and improved upgrade ergonomics, matching the changes in configuration and release notes.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@StephenBrown2

Contributor

3 days is a start; a week or a month is probably better, IMHO.

@MatissJanis

Member Author

> 3 days is a start; a week or a month is probably better, IMHO.

Too long of a time period is also bad, as then we cannot do timely upgrades for CVEs. There has to be an equilibrium that protects us from zero days but also doesn't cripple us entirely.

Also to note: realistically this only impacts edge users. People on stable versions would generally get 7+ days old dependencies.
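The discussion above is about the check that npmMinimalAgeGate: '3d' in .yarnrc.yml performs and how the gate length trades off zero-day protection against how quickly a CVE fix becomes installable. The following is an added example, not Actual's code and not Yarn's implementation: a stand-alone release-age gate over npm registry metadata. It relies on the registry packument's `time` map (version to ISO 8601 publish timestamp), which is the field any such gate has to read. The package name, versions, timestamps and the clock value are constructed sample data; the accepted duration syntax (`3d`, `12h`, `30m`) and the prerelease skipping are this example's own simplifications rather than Yarn's documented behaviour.

```javascript
// Added example: an npm "minimal age gate" computed from packument metadata.
// Not Actual's or Yarn's code; sample data below is constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse a duration such as '3d', '12h' or '30m' into milliseconds.
// The accepted unit set is this example's own; it is not Yarn's parser.
function parseGate(gate) {
  const m = /^(\d+)([dhm])$/.exec(String(gate).trim());
  if (!m) throw new Error(`unsupported gate duration: ${gate}`);
  const unit = { d: DAY_MS, h: 60 * 60 * 1000, m: 60 * 1000 }[m[2]];
  return Number(m[1]) * unit;
}

// Numeric major.minor.patch comparison; enough for the release versions used here.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Newest release version that is at least `gate` old as of `now`.
// Anything younger is invisible to the resolver, which is the whole point:
// a version pushed by a hijacked maintainer account gets a cooling-off window
// during which the ecosystem can notice and unpublish it.
function newestAllowedVersion(packument, gate, now) {
  const minAge = parseGate(gate);
  const allowed = [];
  for (const [version, published] of Object.entries(packument.time)) {
    if (version === 'created' || version === 'modified') continue; // not versions
    if (version.includes('-')) continue; // skip prereleases (example simplification)
    if (now - Date.parse(published) >= minAge) allowed.push(version);
  }
  allowed.sort(compareSemver);
  return allowed.length ? allowed[allowed.length - 1] : null;
}

// Decision for one requested version: allowed, blocked (with the remaining
// wait in whole hours), or unknown when the registry has no such version.
function gateDecision(packument, version, gate, now) {
  const published = packument.time[version];
  if (!published) return { version, status: 'unknown' };
  const age = now - Date.parse(published);
  const minAge = parseGate(gate);
  if (age >= minAge) return { version, status: 'allowed', ageDays: age / DAY_MS };
  return {
    version,
    status: 'blocked',
    ageDays: age / DAY_MS,
    waitHours: Math.ceil((minAge - age) / (60 * 60 * 1000)),
  };
}

// Constructed sample packument (hypothetical package 'example-dep').
// 2.0.0 was published six hours before SAMPLE_NOW, the shape a compromised
// release takes; 1.4.3 is a one-day-old patch standing in for a CVE fix.
const SAMPLE_NOW = Date.parse('2026-05-31T20:00:00Z');
const SAMPLE_PACKUMENT = {
  name: 'example-dep',
  'dist-tags': { latest: '2.0.0' },
  time: {
    created: '2024-01-10T09:00:00Z',
    modified: '2026-05-31T14:00:00Z',
    '1.4.1': '2026-05-01T10:00:00Z',
    '1.4.2': '2026-05-17T10:00:00Z',
    '1.4.3': '2026-05-30T20:00:00Z',
    '2.0.0-rc.1': '2026-05-29T10:00:00Z',
    '2.0.0': '2026-05-31T14:00:00Z',
  },
};

// One line per gate length, showing what the resolver would pick today.
function summarize(packument, now) {
  return ['1d', '3d', '7d', '30d']
    .map((g) => `${g}: newest allowed = ${newestAllowedVersion(packument, g, now)}`)
    .join('\n');
}

console.log(summarize(SAMPLE_PACKUMENT, SAMPLE_NOW));
console.log(gateDecision(SAMPLE_PACKUMENT, '2.0.0', '3d', SAMPLE_NOW));
console.log(gateDecision(SAMPLE_PACKUMENT, '1.4.3', '3d', SAMPLE_NOW));
```

With the sample data, '3d' and '7d' both resolve to 1.4.2 and keep the six-hour-old 2.0.0 out, while '30d' falls back to 1.4.1. The same numbers show the trade-off raised in the thread: the one-day-old 1.4.3 is allowed under '1d' but waits another 48 hours under '3d', so a longer gate buys more time for a malicious publish to be caught at the cost of delaying a genuine fix by the same margin. Note that a gate of this kind only constrains what gets resolved during an install or upgrade; versions already pinned in the lockfile are unaffected, which is why it only bites on the edge builds the author mentions.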

@MatissJanis MatissJanis added this pull request to the merge queue Jun 1, 2026
Merged via the queue into master with commit 773c46f Jun 1, 2026
27 checks passed
@MatissJanis MatissJanis deleted the claude/festive-ptolemy-yoZ36 branch June 1, 2026 09:30
@MatissJanis MatissJanis mentioned this pull request Jun 1, 2026
3 tasks
mbreslow pushed a commit to mbreslow/actual that referenced this pull request Jun 8, 2026
…8011)

* [AI] Add npmMinimalAgeGate to block dependency versions newer than 3 days

* [autofix.ci] apply automated fixes

* [AI] Add release notes for npm minimal age gate

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
5 participants