
feat: set default minimumReleaseAge to 1 day (1440 minutes)#11158

Merged
zkochan merged 9 commits into
pnpm:mainfrom
sotanengel:feat/default-minimum-release-age-3days
Apr 4, 2026

Conversation

@sotanengel

@sotanengel sotanengel commented Mar 31, 2026

Contributor

Motivation: Recent Supply Chain Attacks

This change is motivated by a wave of confirmed supply chain attacks in 2025–2026:

| Incident | Date | Impact |
| --- | --- | --- |
| Shai-Hulud npm Worm | Sep 2025 | 200+ npm packages compromised via stolen GitHub tokens; secrets exfiltrated from CI/CD |
| Trivy GitHub Actions Compromise | Mar 2026 | Build pipeline of the popular security scanner hijacked; malicious script injection risk |
| Polyfill.io Domain Hijack | Ongoing | Domain acquisition used to distribute malicious JS to 100,000+ websites |
| axios npm Compromise | Mar 2026 | Maintainer account takeover; RAT-infected version published |

Key finding: According to Andrew Nesbitt's research, 8 out of 10 recent supply chain attacks were detected and removed within 1 week of publication. A cooldown period would have blocked most of them automatically.

What This PR Does

Sets the default minimumReleaseAge to 1440 minutes (1 day = 24 × 60).

  • Before: packages are installable immediately after publishing
  • After: packages must be at least 1 day old before they can be installed by default
  • Opt-out: users can set minimumReleaseAge: 0 in pnpm-workspace.yaml to restore the previous behavior

Compliance Alignment

References

@sotanengel sotanengel requested a review from zkochan as a code owner March 31, 2026 20:16
Copilot AI review requested due to automatic review settings March 31, 2026 20:16

Copilot AI left a comment

Contributor


Pull request overview

Sets a non-zero default for pnpm’s “cooldown” security feature so newly published package versions are not immediately eligible for installation unless users opt out.

Changes:

  • Set the default minimum-release-age config value to 4320 minutes (3 days).


@sotanengel

Contributor Author

Addressed the Copilot review feedback in commit 5fe0f86:

  1. Missing Changeset: Added .changeset/default-minimum-release-age.md with minor bumps for @pnpm/config.reader and pnpm.

  2. Test Coverage: Added two tests in config/reader/test/index.ts:

    • Verifies minimumReleaseAge defaults to 4320 (3 days)
    • Verifies users can override it to 0 via .npmrc using the correct kebab-case key minimum-release-age=0
  3. Docs key format: The PR description used camelCase; the correct opt-out in .npmrc is minimum-release-age=0 (kebab-case), which is also confirmed by the new test.

Comment on lines +2 to +3
"@pnpm/config.reader": minor
"pnpm": minor

Member


That's a major change.

@zkochan zkochan left a comment

Member


We could ship it in v11. However, the biggest problem is that the publish time of a package is only available in the non-abbreviated package document. This document is much bigger than the abbreviated one. Hence, this change would make installation slower.
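To make the cooldown concrete, here is an added example (not pnpm's own code) that applies a minimumReleaseAge, with the 1440-minute default and the `0` opt-out described in the PR body, to an npm registry package document. It assumes a simplified packument shape; as the comment above notes, the `time` map with publish timestamps exists only in the full (non-abbreviated) document, so the example treats its absence as an error and a version with no recorded publish time as not yet eligible.

```typescript
// Added example, not pnpm's implementation: simplified npm "packument" shape.
interface Packument {
  name: string;
  'dist-tags': Record<string, string>;
  versions: Record<string, { version: string }>;
  // ISO publish timestamps keyed by version (plus "created"/"modified");
  // present only in the full, non-abbreviated registry document.
  time?: Record<string, string>;
}

// 1 day, the default this PR sets; 0 restores "installable immediately".
const DEFAULT_MINIMUM_RELEASE_AGE_MINUTES = 1440;

// Versions published at least `minAgeMinutes` before `now`.
function installableVersions(
  doc: Packument,
  minAgeMinutes: number = DEFAULT_MINIMUM_RELEASE_AGE_MINUTES,
  now: Date = new Date(),
): string[] {
  const all = Object.keys(doc.versions);
  if (minAgeMinutes <= 0) return all; // cooldown disabled (opt-out)
  const time = doc.time;
  if (!time) {
    // Abbreviated metadata carries no `time` map, so the age cannot be checked.
    throw new Error(`${doc.name}: cooldown needs the full package document`);
  }
  const cutoff = now.getTime() - minAgeMinutes * 60_000;
  // A version with no recorded publish time is treated as not yet eligible.
  return all.filter((v) => v in time && Date.parse(time[v]) <= cutoff);
}

// `latest` may point at a version still cooling down; fall back to the newest
// eligible version by publish time.
function resolveLatest(doc: Packument, minAgeMinutes = DEFAULT_MINIMUM_RELEASE_AGE_MINUTES, now = new Date()): string | undefined {
  const eligible = installableVersions(doc, minAgeMinutes, now);
  const tagged = doc['dist-tags'].latest ?? '';
  if (eligible.includes(tagged)) return tagged;
  if (!doc.time || eligible.length === 0) return undefined;
  const time = doc.time;
  eligible.sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
  return eligible[eligible.length - 1];
}

// Constructed sample document: 1.2.0 was published two hours before NOW.
const NOW = new Date('2026-03-31T20:00:00.000Z');
const SAMPLE: Packument = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.2.0' },
  versions: { '1.0.0': { version: '1.0.0' }, '1.1.0': { version: '1.1.0' }, '1.2.0': { version: '1.2.0' } },
  time: { created: '2026-01-01T00:00:00.000Z', modified: '2026-03-31T18:00:00.000Z',
    '1.0.0': '2026-01-01T00:00:00.000Z', '1.1.0': '2026-03-20T12:00:00.000Z', '1.2.0': '2026-03-31T18:00:00.000Z' },
};
```

With the default, `resolveLatest(SAMPLE, 1440, NOW)` returns `1.1.0` rather than the tagged `1.2.0`; with `0` it returns `1.2.0`.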

@sotanengel

Contributor Author

Thanks for the feedback! Updated the changeset to major.
I'd like to target this for v11 as you suggested — is there a v11 branch I should base this PR on?

@sotanengel sotanengel force-pushed the feat/default-minimum-release-age-3days branch from 277c546 to 1ed1852 March 31, 2026 21:30
sotanengel and others added 3 commits April 4, 2026 01:52
…ly chain attack protection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkochan zkochan force-pushed the feat/default-minimum-release-age-3days branch from 1ed1852 to 4c00bde April 3, 2026 23:52
@zkochan zkochan changed the title feat: set default minimumReleaseAge to 3 days (4320 minutes) feat: set default minimumReleaseAge to 1 day (1440 minutes) Apr 3, 2026
@zkochan

zkochan commented Apr 3, 2026

Member

Poll results show that most of the users want some delay: https://x.com/pnpmjs/status/2039099810943304073

@sotanengel

Contributor Author

Thanks. Let me know if you’d like me to make any follow-up changes from my side🙇

@zkochan zkochan merged commit c7203b9 into pnpm:main Apr 4, 2026
8 checks passed
@welcome

welcome Bot commented Apr 4, 2026


Congrats on merging your first pull request! 🎉🎉🎉

@mbtools

mbtools commented Apr 7, 2026


I understand that recent events have triggered this but imho changing this default is a VERY BAD idea.

It effectively blocks all patches of all known security issues for everyone for 24 hours vs. blocking still relatively rare supply chain attacks that impact some projects some of the time. This puts every project using pnpm 11 at an exponentially greater risk at all times!

It's nice that the setting exists but it must remain off by default.

Reverse this, please 🙏

@zkochan

zkochan commented Apr 7, 2026

Member

This is a setting that you can change to your personal liking. The default value of the setting was decided by a vote, where the majority wanted some delay by default.

@mbtools

mbtools commented Apr 7, 2026


Please refer me to the voting results? Who voted?

@zkochan

zkochan commented Apr 7, 2026

Member

The poll was referenced in my message above: https://x.com/pnpmjs/status/2039099810943304073


@zkochan zkochan added this to the v11.0 milestone Apr 7, 2026
@mbtools

mbtools commented Apr 7, 2026


I love pnpm but this choice is bonkers.

600 "people" on xwitter is what should represent the community? and no background information given to the "voters"? sorry, but lol.

Malicious actors will have a blast. They can simply scan repos for pnpm-workspace.yaml and the missing minimumReleaseAge: 0 setting. Then pick any vuln in the deps and have a guaranteed 24 hours to attack with a high rate of success. That's the opposite of "security by default".

I'm fairly certain that we will regret this change. Good luck

@zkochan

zkochan commented Apr 7, 2026

Member

Your style of communication is unprofessional. Hence, I don't feel motivated to discuss this matter with you.

@pnpm pnpm locked as too heated and limited conversation to collaborators Apr 7, 2026