From 6b6d12865ee4733c8ab88fe8cd70ed8a04574f5b Mon Sep 17 00:00:00 2001
From: Roy Osherove <575051+royosherove@users.noreply.github.com>
Date: Tue, 12 May 2026 19:36:54 +0000
Subject: [PATCH] security: add supply-chain quarantine (.npmrc min-release-age=7)
---
.npmrc | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 .npmrc
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..fcb4c98
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,4 @@
+# Supply-chain quarantine: refuse to install any npm package published < 7 days ago.
+# Organization-wide policy; critical after 2026-05-12 Mini Shai-Hulud wave
+# (@mistralai/mistralai 2.2.2-2.2.4, 169 packages total).
+min-release-age=7
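Review bot: The `min-release-age=7` line only takes effect when the installing client recognizes that key. npm releases that predate the option, and other package managers that read this `.npmrc` but use a differently named setting, will most likely skip it without failing, so the quarantine can be silently absent on a developer machine or CI image. Nothing in this commit pins or checks the client version, so consider a CI step that fails when `npm --version` is below the first release supporting the option, and record that floor in the comment, e.g. `# Requires npm >= <MIN_NPM_VERSION>; older clients ignore this key.` The header comment should also state the unit (`# value is in days`). It would help to say whether the gate is expected to apply to installs from an existing lockfile, since a lockfile entry resolved before the policy may already point at a recent release; that behaviour should be confirmed against the npm documentation. As a complementary control for install-script-driven worms, evaluate `ignore-scripts=true` separately, because the age gate delays exposure but does not stop a lifecycle script in a package older than seven days.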