Enable NPM's min-release-age

[gabmontes]

Description

Force using Node 24.14.1 to force using NPM 11.10.0 which supports min-release-age. Then set it to 7 days.

https://nodejs.org/en/download/archive/v24.14.1
https://github.com/npm/cli/releases/tag/v11.10.0

Checklist

• Manual testing passed.
• Automated tests added, or N/A.
• Documentation updated, or N/A.
• Environment variables set in CI, or N/A.

[Copilot]

Pull request overview

Pins the repository’s Node version and enables npm’s min-release-age setting to delay installing very recent package releases (intended: require Node 24.14.1 / npm 11.10.0 and set a 7‑day minimum release age).

Changes:

• Update .nvmrc to pin Node to 24.14.1.
• Add min-release-age=7 to .npmrc while keeping save-exact=true.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.nvmrc	Pins local nvm Node version to 24.14.1 to align with the intended npm version.
.npmrc	Enables npm min-release-age (7 days) to reduce risk from very recent dependency publishes.

[gndelia]

Say we publish a new version of @hemilabs/token-list. How does that work with this? Is there some sort of whitelist ? Does the "release" count for new packages, or any new version?

Specifically asking because as we own these libs, many times we need to publish a new version in them in order to develop a feature

[gabmontes]

@gndelia that restriction applies to every dependency. We can move forward and deal with any emergency as a one-of or wait for NPM support.

npm/cli#8979
npm/cli#9175

[gndelia]

@gndelia that restriction applies to every dependency. We can move forward and deal with any emergency as a one-of or wait for NPM support.

npm/cli#8979 npm/cli#9175

I think we should hold the PR until these are merged