From 32c0beeee290ca96f5908dcea972d7de3e4e390f Mon Sep 17 00:00:00 2001
From: Yusaku Sato <y.sato@d-zero.co.jp>
Date: Thu, 2 Apr 2026 10:18:15 +0900
Subject: [PATCH 1/3] feat(repo): add 7-day cooldown period for npm package
 releases

Set npmMinimalAgeGate to 7d in .yarnrc.yml to block installation of packages

published within the last 7 days.

Set minimumReleaseAge to "7 days" and internalChecksFilter to "strict" in

renovate.json to prevent PR/branch creation until the age requirement is met.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/renovate.json | 2 ++
 .yarnrc.yml           | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/renovate.json b/.github/renovate.json
index d3f3d01c..eb1d7cdb 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -12,6 +12,8 @@
 		"enabled": true,
 		"automerge": true
 	},
+	"minimumReleaseAge": "7 days",
+	"internalChecksFilter": "strict",
 	"autoApprove": true,
 	"labels": ["Dependencies", "Renovate"],
 	"packageRules": [
diff --git a/.yarnrc.yml b/.yarnrc.yml
index 050d9026..eca43f8c 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -2,3 +2,4 @@ nodeLinker: node-modules
 npmRegistryServer: 'https://registry.npmjs.org'
 enableGlobalCache: true
 enableScripts: false
+npmMinimalAgeGate: 7d

From 173d81dd27e211d701665fa1e784ea61d9457ba2 Mon Sep 17 00:00:00 2001
From: Yusaku Sato <y.sato@d-zero.co.jp>
Date: Thu, 2 Apr 2026 11:02:10 +0900
Subject: [PATCH 2/3] fix(repo): bypass minimumReleaseAge for vulnerability
 alerts in Renovate

Add osvVulnerabilityAlerts and vulnerabilityAlerts.minimumReleaseAge: null to ensure
security vulnerability updates are not blocked by the 7-day cooldown period.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/renovate.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/renovate.json b/.github/renovate.json
index eb1d7cdb..81ad208e 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -14,6 +14,10 @@
 	},
 	"minimumReleaseAge": "7 days",
 	"internalChecksFilter": "strict",
+	"osvVulnerabilityAlerts": true,
+	"vulnerabilityAlerts": {
+		"minimumReleaseAge": null
+	},
 	"autoApprove": true,
 	"labels": ["Dependencies", "Renovate"],
 	"packageRules": [

From 81e20f45534a60451fdaf2a3e28f3cb0bcc73942 Mon Sep 17 00:00:00 2001
From: Yusaku Sato <y.sato@d-zero.co.jp>
Date: Thu, 2 Apr 2026 11:09:42 +0900
Subject: [PATCH 3/3] feat(scaffold): add 7-day cooldown period for npm package
 releases

Add npmMinimalAgeGate: 7d to scaffold .yarnrc.yml so that projects created
with create-frontend also block installation of packages published within
the last 7 days.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 packages/@d-zero/scaffold/.yarnrc.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/@d-zero/scaffold/.yarnrc.yml b/packages/@d-zero/scaffold/.yarnrc.yml
index 050d9026..eca43f8c 100644
--- a/packages/@d-zero/scaffold/.yarnrc.yml
+++ b/packages/@d-zero/scaffold/.yarnrc.yml
@@ -2,3 +2,4 @@ nodeLinker: node-modules
 npmRegistryServer: 'https://registry.npmjs.org'
 enableGlobalCache: true
 enableScripts: false
+npmMinimalAgeGate: 7d