chore(ci): comment minimum-release-age

[ArtieReus]

Summary

Temporarily disables the minimum-release-age check in .npmrc to work around a critical pnpm bug that prevents security updates and dependency upgrades.

Changes Made

• Commented out minimum-release-age=604800 in .npmrc

Related Issues

• pnpm bug: minimumReleaseAge fails on fixed version in package.json during fresh install (no lockfile), incorrectly checking latest tag pnpm/pnpm#11982
• Commented out already for fix alert chore(deps): upgrade turbo to 2.9.14 to fix CSRF vulnerabilit #1731 (turbo CSRF vulnerability fix)
• Blocks Renovate PR fix(deps): update npm dependencies (patch) #1728 (patch dependency updates)

Why This Is Needed

The Problem

pnpm has a bug (#11982) where minimumReleaseAge incorrectly validates against the latest version on the registry instead of the pinned version in
package.json.

Example:

• We want to install turbo@2.9.14 (released 15 days ago, meets 7-day requirement)
• pnpm checks turbo@2.9.16 (latest, released 1 day ago)
• Installation fails with ERR_PNPM_NO_MATURE_MATCHING_VERSION even though our pinned version is old enough

This affects:

• Security updates: Can't upgrade turbo to fix CSRF vulnerability (Dependabot [TASK](ui): Migrate AppShell(All dependable at once) to TypeScript #212)
• Renovate PRs: PR fix(deps): update npm dependencies (patch) #1728 has mismatched lockfile because dependencies couldn't be updated
• Any dependency upgrade: If a package has a newer release within 7 days, we can't install older versions

The Bug Details

• Reported: May 27, 2026
• Status: Open, no fix available
• Affected versions: pnpm 10.33.0+ (including 10.34.1)
• Root cause: Age validation checks latest registry tag instead of requested version

When Can We Re-enable?

Once pnpm issue #11982 is resolved and released, we can uncomment this line and restore the 7-day safety check.

Screenshots (if applicable)

N/A

Testing Instructions

1. pnpm i - should complete without minimum-release-age errors
2. Verify security updates can be installed (e.g., turbo upgrade)
3. Verify Renovate PRs can update lockfiles properly

Checklist

• I have performed a self-review of my code.
• I have commented my code, particularly in hard-to-understand areas.
• I have added tests that prove my fix is effective or that my feature works.
• New and existing unit tests pass locally with my changes.
• I have made corresponding changes to the documentation (if applicable).
• My changes generate no new warnings or errors.
• I have created a changeset for my changes.

PR Manifesto

Review the PR Manifesto for best practises.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9063a8c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Copilot]

Pull request overview

This PR temporarily disables pnpm’s minimum-release-age setting in .npmrc to unblock dependency/security updates affected by the referenced pnpm issue.

Changes:

• Comments out the minimum-release-age=604800 pnpm setting.
• Keeps exact dependency saving enabled.