# pnpm/npm settings file (.npmrc-style, one key=value per line, `#` comments on their own lines).
# Array-valued keys use the `key[]=value` form; each such line appends one entry.

# Enforce Node.js version requirements from package.json engines field
# With this on, an install on a Node.js version outside the declared range fails
# instead of printing a warning, so CI and local environments cannot drift silently.
engine-strict=true

# Security: Prevent automatic execution of install scripts
# Protects against supply-chain attacks like Shai-Hulud
# Packages requiring scripts must be manually rebuilt with: pnpm rebuild <package-name>
# NOTE(review): `pnpm rebuild` runs the package's lifecycle scripts that this setting
# suppressed, so inspect the package's install/postinstall scripts before rebuilding it.
# This setting is expected to also skip the project's own pre/postinstall hooks — confirm
# nothing in the root package.json relies on them running during install.
ignore-scripts=true

# Security: Delay installation of newly published packages
# Allows time for community detection of malicious releases
# 10080 minutes = 7 days (provides strong protection against supply chain attacks)
# https://daniakash.com/posts/simplest-supply-chain-defense/
minimum-release-age=10080
#
# Exclusion list semantics: every `minimum-release-age-exclude[]` entry below exempts the
# named package from the delay for ALL of its future releases, not just the version named
# in the accompanying comment. Each exclusion therefore reopens the window this setting
# closes, and should be removed once the fixed version in the comment is more than 7 days
# old (date in comment + 7 days). Reviewers: treat any entry older than that as stale.
#
# TODO(review): no reason is recorded for the lodash-es exemption — document the CVE/need
# or remove the entry.
minimum-release-age-exclude[]=lodash-es
# Security fixes flagged by Docker Scout that land inside the 7-day window.
# Each is time-sensitive, so we accept the fresher version to unblock scanning.
# CVE-2026-33806 fixed in fastify 5.8.5 (2026-04-14)
minimum-release-age-exclude[]=fastify
# CVE-2026-41242 fixed in protobufjs 7.5.5 (2026-04-15)
minimum-release-age-exclude[]=protobufjs
# CVE-2026-33805 fixed in @fastify/http-proxy 11.4.4 (2026-04-15)
minimum-release-age-exclude[]=@fastify/http-proxy
# CVE-2026-33805 fixed in @fastify/reply-from 12.6.2 (2026-04-15)
minimum-release-age-exclude[]=@fastify/reply-from
# GHSA-xr8f-h2gw-9xh6 fixed in @better-auth/oauth-provider 1.6.5 (2026-04-16).
# The whole better-auth stack must move together or type inference breaks.
# (Only oauth-provider carries the advisory; the other five entries exist solely to keep
# the stack on one version and should be dropped together with it.)
minimum-release-age-exclude[]=@better-auth/oauth-provider
minimum-release-age-exclude[]=@better-auth/core
minimum-release-age-exclude[]=@better-auth/api-key
minimum-release-age-exclude[]=@better-auth/sso
minimum-release-age-exclude[]=better-auth
minimum-release-age-exclude[]=@better-auth/drizzle-adapter
# CVE-2026-45109 (auth bypass) + 6 other HIGH CVEs fixed in next 16.2.6 (2026-05-07).
# The @next/swc-* platform binaries and @next/env are republished on the same day.
# (The platform binaries are pinned to the exact next version, so excluding `next` alone
# would leave the install unresolvable until the binaries age past the window.)
minimum-release-age-exclude[]=next
minimum-release-age-exclude[]=@next/env
minimum-release-age-exclude[]=@next/swc-darwin-arm64
minimum-release-age-exclude[]=@next/swc-darwin-x64
minimum-release-age-exclude[]=@next/swc-linux-arm64-gnu
minimum-release-age-exclude[]=@next/swc-linux-arm64-musl
minimum-release-age-exclude[]=@next/swc-linux-x64-gnu
minimum-release-age-exclude[]=@next/swc-linux-x64-musl
minimum-release-age-exclude[]=@next/swc-win32-arm64-msvc
minimum-release-age-exclude[]=@next/swc-win32-x64-msvc
# CVE-2026-44902 fixed across the @opentelemetry/* SDK family at 0.217.0 (2026-05-06)
# plus @opentelemetry/auto-instrumentations-node 0.75.0. Direct backend deps:
minimum-release-age-exclude[]=@opentelemetry/api-logs
minimum-release-age-exclude[]=@opentelemetry/auto-instrumentations-node
minimum-release-age-exclude[]=@opentelemetry/exporter-logs-otlp-http
minimum-release-age-exclude[]=@opentelemetry/exporter-trace-otlp-http
minimum-release-age-exclude[]=@opentelemetry/exporter-prometheus
minimum-release-age-exclude[]=@opentelemetry/otlp-exporter-base
minimum-release-age-exclude[]=@opentelemetry/sdk-logs
minimum-release-age-exclude[]=@opentelemetry/sdk-node
# Transitive packages republished on 2026-05-06 alongside the family above:
minimum-release-age-exclude[]=@opentelemetry/configuration
minimum-release-age-exclude[]=@opentelemetry/exporter-logs-otlp-grpc
minimum-release-age-exclude[]=@opentelemetry/exporter-logs-otlp-proto
minimum-release-age-exclude[]=@opentelemetry/exporter-metrics-otlp-grpc
minimum-release-age-exclude[]=@opentelemetry/exporter-metrics-otlp-http
minimum-release-age-exclude[]=@opentelemetry/exporter-metrics-otlp-proto
minimum-release-age-exclude[]=@opentelemetry/exporter-trace-otlp-grpc
minimum-release-age-exclude[]=@opentelemetry/exporter-trace-otlp-proto
minimum-release-age-exclude[]=@opentelemetry/instrumentation
minimum-release-age-exclude[]=@opentelemetry/instrumentation-grpc
minimum-release-age-exclude[]=@opentelemetry/instrumentation-http
minimum-release-age-exclude[]=@opentelemetry/otlp-grpc-exporter-base
minimum-release-age-exclude[]=@opentelemetry/otlp-transformer
minimum-release-age-exclude[]=@opentelemetry/resource-detector-alibaba-cloud
minimum-release-age-exclude[]=@opentelemetry/resource-detector-aws
minimum-release-age-exclude[]=@opentelemetry/resource-detector-azure
minimum-release-age-exclude[]=@opentelemetry/resource-detector-container
minimum-release-age-exclude[]=@opentelemetry/resource-detector-gcp
# Instrumentation contribs bumped per the contrib release on 2026-05-06:
# NOTE(review): this block exempts the entire contrib set from the delay, including
# instrumentations the project may not install (e.g. oracledb, cassandra-driver); that is
# harmless only while they are not in the lockfile. Remove the whole block once the
# 2026-05-06 releases are past the 7-day window.
minimum-release-age-exclude[]=@opentelemetry/instrumentation-amqplib
minimum-release-age-exclude[]=@opentelemetry/instrumentation-aws-lambda
minimum-release-age-exclude[]=@opentelemetry/instrumentation-aws-sdk
minimum-release-age-exclude[]=@opentelemetry/instrumentation-bunyan
minimum-release-age-exclude[]=@opentelemetry/instrumentation-cassandra-driver
minimum-release-age-exclude[]=@opentelemetry/instrumentation-connect
minimum-release-age-exclude[]=@opentelemetry/instrumentation-cucumber
minimum-release-age-exclude[]=@opentelemetry/instrumentation-dataloader
minimum-release-age-exclude[]=@opentelemetry/instrumentation-dns
minimum-release-age-exclude[]=@opentelemetry/instrumentation-express
minimum-release-age-exclude[]=@opentelemetry/instrumentation-fs
minimum-release-age-exclude[]=@opentelemetry/instrumentation-generic-pool
minimum-release-age-exclude[]=@opentelemetry/instrumentation-graphql
minimum-release-age-exclude[]=@opentelemetry/instrumentation-hapi
minimum-release-age-exclude[]=@opentelemetry/instrumentation-ioredis
minimum-release-age-exclude[]=@opentelemetry/instrumentation-kafkajs
minimum-release-age-exclude[]=@opentelemetry/instrumentation-knex
minimum-release-age-exclude[]=@opentelemetry/instrumentation-koa
minimum-release-age-exclude[]=@opentelemetry/instrumentation-lru-memoizer
minimum-release-age-exclude[]=@opentelemetry/instrumentation-memcached
minimum-release-age-exclude[]=@opentelemetry/instrumentation-mongodb
minimum-release-age-exclude[]=@opentelemetry/instrumentation-mongoose
minimum-release-age-exclude[]=@opentelemetry/instrumentation-mysql
minimum-release-age-exclude[]=@opentelemetry/instrumentation-mysql2
minimum-release-age-exclude[]=@opentelemetry/instrumentation-nestjs-core
minimum-release-age-exclude[]=@opentelemetry/instrumentation-net
minimum-release-age-exclude[]=@opentelemetry/instrumentation-openai
minimum-release-age-exclude[]=@opentelemetry/instrumentation-oracledb
minimum-release-age-exclude[]=@opentelemetry/instrumentation-pg
minimum-release-age-exclude[]=@opentelemetry/instrumentation-pino
minimum-release-age-exclude[]=@opentelemetry/instrumentation-redis
minimum-release-age-exclude[]=@opentelemetry/instrumentation-restify
minimum-release-age-exclude[]=@opentelemetry/instrumentation-router
minimum-release-age-exclude[]=@opentelemetry/instrumentation-runtime-node
minimum-release-age-exclude[]=@opentelemetry/instrumentation-socket.io
minimum-release-age-exclude[]=@opentelemetry/instrumentation-tedious
minimum-release-age-exclude[]=@opentelemetry/instrumentation-undici
minimum-release-age-exclude[]=@opentelemetry/instrumentation-winston

# OpenTelemetry instrumentation requires these packages hoisted to root
# (the *-in-the-middle hooks patch module loading and must be resolvable from the
# project root, not only from inside the pnpm virtual store). Patterns are globs
# matched against package names.
public-hoist-pattern[]=*import-in-the-middle*
public-hoist-pattern[]=*require-in-the-middle*
# NOTE(review): shiki is not part of the OpenTelemetry setup described above; presumably
# another consumer needs it at the root — record which one, or drop the pattern.
public-hoist-pattern[]=shiki
