
chore(deps): set pnpm minimumReleaseAge to 3 days (fixes DOC-315)#1091

Merged: scopsy merged 2 commits into main from cursor/add-pnpm-min-release-age-c9a5 on May 12, 2026

Conversation

@scopsy
Contributor

@scopsy scopsy commented May 12, 2026

What

Adds a pnpm-workspace.yaml with minimumReleaseAge: 4320 (3 days, in minutes), and bumps CI to pnpm v10 so the setting is actually honored there.

minimumReleaseAge: 4320

Why

minimumReleaseAge (pnpm docs) tells pnpm to refuse to install any package version (direct or transitive) that has been published to the registry less than the specified number of minutes ago.

Most malicious package releases (typo-squats, compromised maintainer accounts, supply-chain attacks like the recent chalk/debug/shai-hulud incidents) are detected and yanked from the npm registry within hours. A 3-day delay means installs in this repo will not pull in such releases during the high-risk window immediately after publication.

This is a "free" hardening — it requires no code changes and only causes friction when intentionally upgrading to a brand-new release.

Why a separate pnpm-workspace.yaml instead of package.json

pnpm only reads minimumReleaseAge from pnpm-workspace.yaml or .npmrc. It is not honored when placed under the pnpm field of package.json (only a fixed allow-list of settings like overrides, packageExtensions, patchedDependencies, etc. are read from there). Verified locally — see test notes below.

CI bump

The PR checks workflow was previously pinned to pnpm v9, which:

  1. Doesn't support minimumReleaseAge at all (added in v10.16.0), so the setting would have been silently ignored on CI installs.
  2. Errors on a pnpm-workspace.yaml that omits the packages field (ERR_PNPM_NO_PKG_MANIFEST … packages field missing or empty).

Bumped pnpm/action-setup from v2 → v4 and version: 9 → version: 10, which matches the local development version (pnpm 10.30.3). pnpm v10+ treats pnpm-workspace.yaml as config-only when packages is omitted.

Notes

  • minimumReleaseAge was added in pnpm v10.16.0; the repo (and now CI) uses pnpm v10.x, so it is supported.
  • pnpm v10 default for unconfigured minimumReleaseAgeStrict is "on when the user explicitly configures minimumReleaseAge" — so if a transitive dep has no version older than 3 days that satisfies its range, install will fail with a clear error rather than silently falling back. That is the desired behavior.

Testing

  1. Local: ran pnpm install with the new config — succeeds (lockfile already satisfies the constraint, since all currently locked versions are well over 3 days old).
  2. Local: to confirm pnpm actually reads the setting from pnpm-workspace.yaml, temporarily replaced it with minimumReleaseAge: 525600000 + minimumReleaseAgeStrict: true and ran pnpm add -D is-odd@latest. pnpm correctly rejected with ERR_PNPM_NO_MATCHING_VERSION (no version is younger than ~1000 years). Restored the file afterwards.
  3. CI: Build and Lint workflow passes after the pnpm-version bump (previous failure was the pnpm v9 incompatibility described above).

Slack Thread

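Worked example, added here and not part of the Novu docs repository or of pnpm itself: a small JavaScript model of the resolution rule this PR relies on. Given a registry packument's `time` map (the per-version publish timestamps the npm registry serves), a caret range and the two settings, it picks the newest in-range version that is at least `minimumReleaseAge` minutes old; with `minimumReleaseAgeStrict` it fails instead of falling back to the newest match when nothing in range is old enough. The package name, the timestamps and the caret-only range matcher are constructed for the example; pnpm's real resolver uses full semver and its own error codes.

```javascript
// Constructed registry metadata for a hypothetical package "example-pkg".
// Publish times are expressed relative to a fixed NOW so the example runs
// offline and is deterministic.
const NOW = new Date('2026-05-12T00:00:00Z');
const minutesAgo = (m) => new Date(NOW.getTime() - m * 60_000).toISOString();
const PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '2.1.0' },
  time: {
    '1.4.0': minutesAgo(60 * 24 * 30), // 30 days old
    '2.0.0': minutesAgo(60 * 24 * 10), // 10 days old
    '2.0.1': minutesAgo(60 * 24 * 5),  // 5 days old (7200 min)
    '2.1.0': minutesAgo(90),           // 1.5 hours old: inside the high-risk window
  },
};

// Tiny numeric version helpers (x.y.z only).
const parse = (v) => v.split('.').map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i += 1) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Minimal caret-range matcher: ^x.y.z means same major and >= x.y.z.
// Enough for this example; it is not a full semver implementation.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges are modelled here');
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Minutes elapsed since an ISO publish timestamp.
function ageMinutes(isoTime, now = NOW) {
  return (now.getTime() - new Date(isoTime).getTime()) / 60_000;
}

// Resolve the version the age policy allows for `range`.
// minimumReleaseAge is in minutes, matching the pnpm setting (4320 = 3 days).
function resolve(packument, range, opts = {}) {
  const { minimumReleaseAge = 0, minimumReleaseAgeStrict = false, now = NOW } = opts;
  const candidates = Object.keys(packument.time)
    .filter((v) => satisfiesCaret(v, range))
    .sort(cmp)
    .reverse(); // newest first
  if (candidates.length === 0) {
    throw new Error(`no version of ${packument.name} matches ${range}`);
  }
  const oldEnough = candidates.filter(
    (v) => ageMinutes(packument.time[v], now) >= minimumReleaseAge,
  );
  if (oldEnough.length > 0) return oldEnough[0];
  if (minimumReleaseAgeStrict) {
    // Modelled failure; pnpm reports its own ERR_PNPM_* code here.
    throw new Error(
      `no version of ${packument.name} matching ${range} is at least ${minimumReleaseAge} minutes old`,
    );
  }
  return candidates[0]; // non-strict: fall back to the newest in-range version
}

// Demo: the 3-day policy skips the 90-minute-old 2.1.0 and settles on 2.0.1.
console.log(resolve(PACKUMENT, '^2.0.0', { minimumReleaseAge: 4320 }));
```

The strict case is the one the PR's second test exercised: with a huge `minimumReleaseAge` and `minimumReleaseAgeStrict: true`, a range that only the fresh release satisfies (here `^2.1.0`) produces an error rather than an install, which is what you want from a supply-chain gate.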

Add a pnpm-workspace.yaml with minimumReleaseAge: 4320 (3 days in
minutes) so newly published versions of packages (including transitive
dependencies) cannot be installed until they have been live on the
registry for at least 3 days. Reduces supply-chain risk from
compromised package releases that are typically detected and yanked
within hours.

pnpm only reads minimumReleaseAge from pnpm-workspace.yaml or .npmrc;
the pnpm field in package.json is not honored for this setting.

Co-authored-by: Dima Grossman <dima@grossman.io>
@linear-code

linear-code Bot commented May 12, 2026

DOC-315

@netlify

netlify Bot commented May 12, 2026

Deploy Preview for docs-novu ready!

Name Link
🔨 Latest commit 78d11d6
🔍 Latest deploy log https://app.netlify.com/projects/docs-novu/deploys/6a02ae0621d4230008b69054
😎 Deploy Preview https://deploy-preview-1091--docs-novu.netlify.app

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@scopsy has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 6 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c591d8ca-5a96-4bd6-9576-47a1c552dbc1

📥 Commits

Reviewing files that changed from the base of the PR and between f855754 and 78d11d6.

📒 Files selected for processing (2)
  • .github/workflows/pr-checks.yml
  • pnpm-workspace.yaml


The newly-added pnpm-workspace.yaml uses minimumReleaseAge, which was
introduced in pnpm v10.16.0. The CI workflow was pinned to pnpm v9,
which (a) does not support the minimumReleaseAge setting and (b) errors
on a pnpm-workspace.yaml without a 'packages' field.

Bumps pnpm/action-setup from v2 to v4 and pnpm from 9 to 10 so CI
matches the version used for local development (pnpm 10.30.3).

Co-authored-by: Dima Grossman <dima@grossman.io>
@scopsy scopsy marked this pull request as ready for review May 12, 2026 04:36
@scopsy scopsy merged commit 0e87c9b into main May 12, 2026
7 checks passed
@scopsy scopsy deleted the cursor/add-pnpm-min-release-age-c9a5 branch May 12, 2026 04:42