Add min-release-age to prevent supply chain attacks

[judeallred]

See https://chia-network.atlassian.net/browse/SEC-1019 and #security_chat for context

Summary

Adds min-release-age=1 to .npmrc, which tells npm to only resolve package versions published more than 1 day ago. Most malicious package versions are detected and yanked within hours, so a 24-hour delay filters out smash-and-grab supply chain attacks.

This is primarily a Rust project, but npm is used for Prettier formatting. The setting protects those npm dependencies.

Requires npm >= 11.10.0 (ships with Node.js >= 24.14.1). Older npm versions silently ignore the setting.

Made with Cursor

---

Note

Low Risk
Low risk: a single .npmrc setting change; primary impact is potential install friction on older npm versions or when needing same-day releases.

Overview
Adds min-release-age=1 to .npmrc, instructing npm to only resolve package versions published more than 24 hours ago to reduce exposure to smash-and-grab supply chain releases.

^{Reviewed by Cursor Bugbot for commit a7da6e8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit a7da6e8. Configure here.}

[coveralls-official]

Coverage Report for CI Build 26243059799

Coverage remained the same at 87.985%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	9355
Covered Lines:	8231
Line Coverage:	87.99%
Coverage Strength:	21894018.8 hits per line

---

💛 - Coveralls