Add NPM minimum release age of 7 days#6577

Draft
DougReeder wants to merge 3 commits into
Hubs-Foundation:masterfrom
DougReeder:npm-min-release-age
Conversation

@DougReeder

@DougReeder DougReeder commented Apr 27, 2026

Member

What?

Add NPM minimum release age of 7 days

Why?

to guard against supply-side attacks

Examples

n/a

How to test

  1. Ensure NPM >= v11.10.0 is installed
  2. With master branch, run npm outdated > /tmp/outdated-wo
  3. Switch to this branch, run npm outdated > /tmp/outdated-with
  4. Run diff /tmp/outdated-wo /tmp/outdated-with. Observe that now, some of the "wanted" and/or "latest" versions are lower than before.
  5. For packages where the "wanted" and/or "latest" version changes, check on NPM and observe that the versions that are being excluded were released in the past week.

On April 27, I got:

 diff -b /tmp/outdated-wo /tmp/outdated-with
32d31
< copy-to-clipboard                           3.3.3    3.3.3        4.0.0  node_modules/copy-to-clipboard                         hubs
72c71
< ora                                         6.3.1    6.3.1        9.4.0  node_modules/ora                                       hubs
---
> ora                                         6.3.1    6.3.1        9.3.0  node_modules/ora                                       hubs
80c79
< react-hook-form                            7.43.9   7.73.1       7.73.1  node_modules/react-hook-form                           hubs
---
> react-hook-form                            7.43.9   7.72.1       7.72.1  node_modules/react-hook-form                           hubs
84,85c83,84
< react-router                                5.3.4    5.3.4       7.14.2  node_modules/react-router                              hubs
< react-router-dom                            5.3.4    5.3.4       7.14.2  node_modules/react-router-dom                          hubs
---
> react-router                                5.3.4    5.3.4       7.14.1  node_modules/react-router                              hubs
> react-router-dom                            5.3.4    5.3.4       7.14.1  node_modules/react-router-dom                          hubs
97c96
< stylelint                                 14.16.1  14.16.1       17.9.0  node_modules/stylelint                                 hubs
---
> stylelint                                 14.16.1  14.16.1       17.8.0  node_modules/stylelint                                 hubs

I checked on NPM, and version 7.73.1 of react-hook-form was released one week ago

Documentation of functionality

n/a

Limitations

NPM >= v11.10.0 must be installed for this to be effective

Alternative implementations considered

none

Open questions

none

Additional details or related context

none
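To make the test steps above concrete, here is an added example (not part of this PR or the Hubs code base) that models the rule a minimum release age applies: given a package's publish timestamps, it splits versions into those old enough to install and those held back, and reports which version would count as "latest" with and without the rule. It assumes the `time` map shape that `npm view <pkg> time --json` returns, assumes the npm config key is named `min-release-age` (in days), and uses constructed timestamps and a constructed "today" rather than real registry data.

```python
"""Model of the minimum-release-age filter this PR enables in npm.

Added example, not Hubs project code. Assumptions:
  * the `time` map has the shape `npm view <pkg> time --json` returns
    (version -> ISO-8601 publish timestamp, plus "created"/"modified");
  * npm's config key is `min-release-age`, measured in days (assumed name);
  * all timestamps below are constructed, not real registry data.
"""
from datetime import datetime, timedelta, timezone

MIN_RELEASE_AGE_DAYS = 7  # the value this PR configures

# Constructed `time` map for a hypothetical package: three releases,
# the newest of which is only one day old on the chosen "today".
SAMPLE_TIME_MAP = {
    "created": "2025-01-01T00:00:00.000Z",
    "modified": "2026-04-26T09:00:00.000Z",
    "7.72.1": "2026-03-10T12:00:00.000Z",
    "7.73.0": "2026-04-18T08:00:00.000Z",
    "7.73.1": "2026-04-26T09:00:00.000Z",
}
TODAY = datetime(2026, 4, 27, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def parse_ts(ts: str) -> datetime:
    """Parse the registry's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str):
    """Sort key for MAJOR.MINOR.PATCH versions; a pre-release sorts below its release."""
    core, _, pre = version.partition("-")
    return tuple(int(p) for p in core.split(".")), pre == "", pre


def split_by_age(time_map, min_age_days, now):
    """Return (eligible, excluded) version lists under the release-age rule.

    A version is eligible when it was published at least `min_age_days`
    before `now`; anything younger is held back, which is what makes the
    'wanted'/'latest' columns of `npm outdated` drop in the PR's diff.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible, excluded = [], []
    for version, ts in time_map.items():
        if version in ("created", "modified"):
            continue  # bookkeeping keys, not versions
        (eligible if parse_ts(ts) <= cutoff else excluded).append(version)
    return sorted(eligible, key=version_key), sorted(excluded, key=version_key)


def latest_allowed(time_map, min_age_days, now):
    """The version npm would treat as 'latest' under the age rule, or None."""
    eligible, _ = split_by_age(time_map, min_age_days, now)
    return eligible[-1] if eligible else None


def npmrc_line(days: int) -> str:
    """The .npmrc line that enables the rule (key name is an assumption)."""
    return f"min-release-age={days}"


if __name__ == "__main__":
    eligible, excluded = split_by_age(SAMPLE_TIME_MAP, MIN_RELEASE_AGE_DAYS, TODAY)
    print("npmrc:", npmrc_line(MIN_RELEASE_AGE_DAYS))
    print("held back (too young):", excluded)
    print("latest without the rule:", latest_allowed(SAMPLE_TIME_MAP, 0, TODAY))
    print("latest with the rule:   ", latest_allowed(SAMPLE_TIME_MAP, MIN_RELEASE_AGE_DAYS, TODAY))
```

Run against a real package by replacing SAMPLE_TIME_MAP with the output of `npm view <pkg> time --json` and TODAY with the current UTC time; the version held back should match the one that disappears from the "wanted"/"latest" column in step 4, which is the check step 5 asks for.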

@DougReeder DougReeder requested a review from Exairnous April 27, 2026 13:13

@Exairnous Exairnous left a comment

Member

Thank you for the PR.

Generally I think this looks good. I was able to get similar results to what you got with the testing steps.

Have you tested building/running hubs with Node 24? If that works, then we should update it in this PR and note the new version in the readme.

Do you know if this affects the Admin Panel as well?

Comment thread README.md Outdated
@DougReeder

Member Author

Do you know if this affects the Admin Panel as well?

the Admin Panel requires a separate .npmrc file, which I've included in the latest commit

Have you tested building/running hubs with Node 24? If that works, then we should update it in this PR and note the new version in the readme.

Everything runs and builds fine for me with Node 24, so I've set that as the minimum.

@Exairnous Exairnous left a comment

Member

Aside from the one inline comment, the test-and-deploy-storybook workflow fails with this PR when I pushed the branch to my fork (it fails in the npm ci step), even if I merge the zizmor PR into it to update the setup-node action. Does this happen for you as well?

Comment thread README.md
@DougReeder

Member Author

On this branch, using Node.js v24, npm ci, npm test and npm run deploy-storybook -- --ci run fine under macOS Tahoe 26.4.1: https://dougreeder.github.io/hubs/?path=/story/auth-oauthscreen--discord

In CI, it fails at the npm ci step: https://github.com/DougReeder/hubs/actions/runs/25381077074/job/74429273119#step:4:39

The zizmor branch does run test-and-deploy-storybook without errors: https://github.com/DougReeder/hubs/actions/runs/25088589896

Let's handle the zizmor PR first, then see if this issue still manifests.

DougReeder and others added 3 commits May 5, 2026 12:30
Why: to guard against supply-side attacks
Co-authored-by: Exairnous <mythologylover75@gmail.com>
…& npm so it's enforced

Why: to guard against supply-chain attacks
@DougReeder DougReeder force-pushed the npm-min-release-age branch from 904f648 to b4d9b9c May 5, 2026 16:31
@DougReeder

Member Author

NPM has a bug where setting min release age in more than one place conflicts, so let's set this aside until NPM is fixed:
npm/cli#9005
