Hacker News
by dt3ft 80 days ago
And when you actually need a super hot fix for a 0-day, you will need to revert this and keep it that way for some time to then go back to minimum age.

While this works, we still need a permanent solution which requires a sort of vetting process, rather than blindly letting everything through.

2 comments

pnpm since v10.19.0 allows excluding specific dependencies from minReleaseAge by version.
Who will do the vetting process?
I think my vetting would settle for a repo diff against the previous version, confirming the only difference was the security fix (though that doesn't cover all the bases).
Jia Tan