
chore: require aged Bun package releases#297

Merged
benvinegar merged 1 commit into
mainfrom
chore/bun-min-release-age
May 12, 2026

Conversation

@benvinegar
Member

Summary

  • Add a root bunfig.toml that requires Bun installs to use packages published at least 7 days ago.

Testing

  • bun install --frozen-lockfile

This PR description was generated by Pi using OpenAI GPT-5

@greptile-apps
Contributor

greptile-apps Bot commented May 12, 2026

Greptile Summary

Adds a root bunfig.toml that gates all bun install operations to package versions published at least 7 days (604,800 seconds) ago, protecting against supply chain attacks where malicious packages are published and quickly propagated.

  • The minimumReleaseAge = 604800 value is correctly expressed in seconds and aligns with the Bun v1.3+ API; the project already pins packageManager: bun@1.3.10, so the feature is fully supported.
  • No minimumReleaseAgeExcludes list is configured, meaning the 7-day gate applies universally — including to packages that may need urgent security patches.

Confidence Score: 4/5

Safe to merge; the config is syntactically correct and the Bun version in use supports the feature.

The change achieves its goal correctly, but the absence of any minimumReleaseAgeExcludes means even a critical security patch to a direct dependency cannot be installed for a week without a manual CLI override — a real operational friction point worth addressing.

bunfig.toml — consider whether any frequently-patched packages should be excluded from the age gate.

Important Files Changed

| Filename | Overview |
| --- | --- |
| bunfig.toml | Adds root-level bunfig.toml with minimumReleaseAge = 604800 (7 days in seconds), gating all package installs to versions published at least 7 days ago; no exclusions configured, which could block urgent security patches. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[bun install] --> B{minimumReleaseAge\nconfigured?}
    B -- Yes\n604800s / 7 days --> C{Package version\nage >= 7 days?}
    B -- No --> G[Install latest version]
    C -- Yes --> D{In\nminimumReleaseAgeExcludes?}
    C -- No --> E[Skip version\nuse older matching version]
    D -- Yes\nnot configured --> F[Install version]
    D -- No --> F
    E --> H{Any\nallowed version\nfound?}
    H -- Yes --> F
    H -- No --> I[Error: no\neligible version]
```
Reviews (1): Last reviewed commit: "chore: require aged Bun package releases"
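As an added illustration of what the gate in the flowchart above does (example code written for this page, not Bun's implementation and not part of the PR): given an npm packument's `time` map, it drops versions younger than `minimumReleaseAge`, lets a package on the exclude list through untouched, and then either picks the newest remaining version or reports that none is eligible. The package names, versions, timestamps and the fixed "now" are constructed; plain MAJOR.MINOR.PATCH ordering is assumed and prereleases are not modeled.

```typescript
// Added example (not code from the PR or from Bun): a model of how a
// minimum-release-age gate selects an installable version from an npm
// registry packument. Package names, versions and timestamps below are
// constructed; the policy mirrors the values in the PR's bunfig.toml.

type Packument = {
  name: string;
  // npm packuments carry a `time` map of version -> ISO publish timestamp,
  // plus the non-version keys "created" and "modified".
  time: Record<string, string>;
};

type ReleaseAgePolicy = {
  minimumReleaseAgeSeconds: number; // bunfig's minimumReleaseAge is in seconds
  excludes: string[];               // names exempt from the gate (minimumReleaseAgeExcludes)
};

// 7 days, the value the PR configures (604800).
const SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60;

const POLICY: ReleaseAgePolicy = { minimumReleaseAgeSeconds: SEVEN_DAYS_SECONDS, excludes: [] };

// "Now" is fixed so the example is deterministic offline.
const NOW = new Date("2026-05-12T00:00:00Z");

// Constructed packuments: example-lib's newest release is two days old,
// fresh-lib's only release is one day old.
const EXAMPLE_LIB: Packument = {
  name: "example-lib",
  time: {
    created: "2026-04-01T00:00:00Z",
    modified: "2026-05-10T00:00:00Z",
    "1.0.0": "2026-04-01T00:00:00Z",
    "1.0.1": "2026-04-20T00:00:00Z",
    "1.1.0": "2026-05-10T00:00:00Z",
  },
};

const FRESH_LIB: Packument = {
  name: "fresh-lib",
  time: {
    created: "2026-05-11T00:00:00Z",
    modified: "2026-05-11T00:00:00Z",
    "0.1.0": "2026-05-11T00:00:00Z",
  },
};

// Compare plain MAJOR.MINOR.PATCH versions, newest first.
function compareVersionsDesc(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pb[i] ?? 0) - (pa[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every version the gate allows, newest first. A package on the exclude
// list bypasses the age check entirely.
function eligibleVersions(pkg: Packument, policy: ReleaseAgePolicy, now: Date): string[] {
  const cutoffMs = now.getTime() - policy.minimumReleaseAgeSeconds * 1000;
  const exempt = policy.excludes.includes(pkg.name);
  return Object.keys(pkg.time)
    .filter((key) => key !== "created" && key !== "modified")
    .filter((version) => exempt || Date.parse(pkg.time[version]) <= cutoffMs)
    .sort(compareVersionsDesc);
}

// The version an install of "latest" would pick under the policy, or null
// when every published version is too new (the "no eligible version" case).
function resolveLatest(pkg: Packument, policy: ReleaseAgePolicy, now: Date): string | null {
  const eligible = eligibleVersions(pkg, policy, now);
  return eligible.length > 0 ? eligible[0] : null;
}

console.log(resolveLatest(EXAMPLE_LIB, POLICY, NOW)); // 1.0.1: 1.1.0 is only two days old
console.log(resolveLatest(EXAMPLE_LIB, { ...POLICY, excludes: ["example-lib"] }, NOW)); // 1.1.0
console.log(resolveLatest(FRESH_LIB, POLICY, NOW)); // null: nothing old enough to install
```

The third call is the operational friction the review flags: a brand-new package, or a dependency whose only fixed version shipped this week, resolves to nothing until the window passes or the name is placed on the exclude list.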

Comment thread bunfig.toml
Comment on lines +1 to +3
[install]
# Only install packages published at least 7 days ago.
minimumReleaseAge = 604800
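Review bot: the testing step listed in the PR description, `bun install --frozen-lockfile`, cannot show that the `[install]` block on lines 1-3 works, because a frozen-lockfile install resolves nothing new and so never reaches the age check. Verify the setting with a resolution that should be blocked (for example, `bun add` of a version published within the last 7 days in a scratch checkout) and confirm Bun either refuses it or falls back to an older version. The comment on line 2 would also be clearer if it named the unit: `minimumReleaseAge` is in seconds, and 604800 reads as an opaque constant otherwise.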
Contributor


P2 Without a minimumReleaseAgeExcludes list, the 7-day gate applies to every package — including security-critical ones like bun, zod, or @types/bun. If a CVE fix or urgent patch lands on a dependency, no one on the team can install it for a week without manually passing --minimum-release-age 0 on every invocation. Excluding a small set of high-trust, frequently-patched packages is the standard mitigation (see the Bun docs).

Suggested change

```diff
 [install]
 # Only install packages published at least 7 days ago.
 minimumReleaseAge = 604800
+
+# Exclude high-trust packages that may need urgent security patches.
+minimumReleaseAgeExcludes = ["bun", "typescript"]
```

@benvinegar benvinegar merged commit 37599cb into main May 12, 2026
7 of 8 checks passed
@benvinegar benvinegar deleted the chore/bun-min-release-age branch May 12, 2026 14:34
1 participant