From 9def8980f19007bb05e37310d3867fb6780d7ff3 Mon Sep 17 00:00:00 2001
From: Mike Hardy
Date: Sat, 16 May 2026 13:23:43 -0500
Subject: [PATCH 1/2] build(deps): pin firebase-js-sdk to exact version not semver this is important because lockfile recreation may allow this to slip, at which point `yarn compare:types` starts to fail we rely on exact versions in practice as we make changes to adopt new versions and may even rely on bug-compatibility internally until a new version is qualified / formally adopted
---
 package.json | 2 +-
 tests/package.json | 2 +-
 yarn.lock | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 288a7ddb02..46315275c7 100644
--- a/package.json
+++ b/package.json
@@ -96,7 +96,7 @@
 "eslint-plugin-mocha": "^11.2.0",
 "eslint-plugin-prettier": "^5.5.5",
 "eslint-plugin-react": "^7.37.5",
- "firebase": "^12.12.1",
+ "firebase": "12.12.1",
 "firebase-tools": "^15.16.0",
 "genversion": "^3.2.0",
 "google-java-format": "^2.2.0",
diff --git a/tests/package.json b/tests/package.json
index 9f4fe7e653..42b22fc7a7 100644
--- a/tests/package.json
+++ b/tests/package.json
@@ -46,7 +46,7 @@
 "axios": "^1.15.2",
 "cpy-cli": "^7.0.0",
 "detox": "patch:detox@npm%3A20.51.0#~/.yarn/patches/detox-npm-20.51.0-3e13b6e309.patch",
- "firebase": "^12.12.1",
+ "firebase": "12.12.1",
 "firebase-tools": "^15.16.0",
 "jest-circus": "^30.3.0",
 "jest-environment-node": "^30.3.0",
diff --git a/yarn.lock b/yarn.lock
index e152e7a0eb..29473f2c32 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13004,7 +13004,7 @@ __metadata: languageName: node linkType: hard -"firebase@npm:12.12.1, firebase@npm:^12.12.1": +"firebase@npm:12.12.1": version: 12.12.1 resolution: "firebase@npm:12.12.1" dependencies:
@@ -22256,7 +22256,7 @@ __metadata: axios: "npm:^1.15.2" cpy-cli: "npm:^7.0.0" detox: "patch:detox@npm%3A20.51.0#~/.yarn/patches/detox-npm-20.51.0-3e13b6e309.patch" - firebase: "npm:^12.12.1" + firebase: "npm:12.12.1" firebase-tools: "npm:^15.16.0" jest-circus: "npm:^30.3.0" jest-environment-node: "npm:^30.3.0"
@@ -22308,7 +22308,7 @@ __metadata: eslint-plugin-mocha: "npm:^11.2.0" eslint-plugin-prettier: "npm:^5.5.5" eslint-plugin-react: "npm:^7.37.5" - firebase: "npm:^12.12.1" + firebase: "npm:12.12.1" firebase-tools: "npm:^15.16.0" genversion: "npm:^3.2.0" google-java-format: "npm:^2.2.0"
From 07c6140c28c36ab618dab3eff0a8f5fee6177514 Mon Sep 17 00:00:00 2001
From: Mike Hardy
Date: Sat, 16 May 2026 14:01:15 -0500
Subject: [PATCH 2/2] build(deps): only install packages after 7d seasoning but explicitly allow packages we have a maintenance relationship with as we adopt versions of those as quickly as possible historically
---
 .github/dependabot.yml | 5 +++++
 .github/scripts/compare-types/.yarnrc.yml | 6 ++++++
 .github/workflows/scripts/functions/.yarnrc.yml | 6 ++++++
 .yarnrc.yml | 10 +++++++++-
 4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 89562e54f7..82012ad2a2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,11 @@ updates:
 # Check the npm registry for updates every day (weekdays)
 schedule:
 interval: 'daily'
+ cooldown:
+ default-days: 7
+ semver-major-days: 7
+ semver-minor-days: 7
+ semver-patch-days: 7
 target-branch: dependency-updates
 labels:
 - 'dependencies'
diff --git a/.github/scripts/compare-types/.yarnrc.yml b/.github/scripts/compare-types/.yarnrc.yml
index b03d7dc36d..8e20c82c89 100644
--- a/.github/scripts/compare-types/.yarnrc.yml
+++ b/.github/scripts/compare-types/.yarnrc.yml
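Review bot: The `cooldown` block added in the `.github/dependabot.yml` hunk has no comment tying it to the Yarn age gate introduced in the same commit, and the two controls are not equivalent. As far as I know Dependabot applies cooldown to version updates only, not to security updates, so a security PR can still propose a release younger than seven days, which `npmMinimalAgeGate: 7d` would then presumably refuse to resolve unless that version is listed in `npmPreapprovedPackages`. I would add a comment above the block such as `# Keep in step with npmMinimalAgeGate in .yarnrc.yml; security updates bypass cooldown and may need a preapproval entry`. The three `semver-*-days` keys repeat the `default-days` value and could be dropped without changing behaviour. The hunk shows only part of one `updates` entry, so whether other entries in the file need the same setting cannot be judged from here.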
@@ -1 +1,7 @@
 yarnPath: ../../../.yarn/releases/yarn-4.14.1.cjs
+
+npmMinimalAgeGate: 7d
+
+# In case you must have a package version that would be disallowed
+# by the above npmMinimalAgeGate
+#npmPreapprovedPackages:
diff --git a/.github/workflows/scripts/functions/.yarnrc.yml b/.github/workflows/scripts/functions/.yarnrc.yml
index 26b853882f..ce4a67b516 100644
--- a/.github/workflows/scripts/functions/.yarnrc.yml
+++ b/.github/workflows/scripts/functions/.yarnrc.yml
@@ -1 +1,7 @@
 yarnPath: ../../../../.yarn/releases/yarn-4.14.1.cjs
+
+npmMinimalAgeGate: 7d
+
+# In case you must have a package version that would be disallowed
+# by the above npmMinimalAgeGate
+#npmPreapprovedPackages:
diff --git a/.yarnrc.yml b/.yarnrc.yml
index 5a0e9c4292..1845afd99d 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -9,6 +9,14 @@ nodeLinker: node-modules
 plugins:
 - checksum: 67ce9e30cf152af35d3dc292f915cb39220942f5f406211801da2b721d873857f8ea6d9c57893e1295133f5d128fa6388bf16a4610ef788f30e987e58f84db26
 path: .yarn/plugins/@yarnpkg/plugin-postinstall-dev.cjs
- spec: "https://raw.githubusercontent.com/sachinraja/yarn-plugin-postinstall-dev/main/bundles/%40yarnpkg/plugin-postinstall-dev.js"
+ spec: 'https://raw.githubusercontent.com/sachinraja/yarn-plugin-postinstall-dev/main/bundles/%40yarnpkg/plugin-postinstall-dev.js'
 yarnPath: .yarn/releases/yarn-4.14.1.cjs
+
+npmMinimalAgeGate: 7d
+
+# In case you must have a package version that would be disallowed
+# by the above npmMinimalAgeGate
+npmPreapprovedPackages:
+ - 'firebase@12.12.1' # If adopting recent firebase-js-sdk, specify directly here
+ - '@react-native-firebase/*'
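Review bot: The commented-out `#npmPreapprovedPackages:` stub in `.github/scripts/compare-types/.yarnrc.yml` shows no example of the entry format, and the gate value is now repeated in three rc files (this one, `.github/workflows/scripts/functions/.yarnrc.yml` and the root `.yarnrc.yml`). A maintainer who changes the gate in one place can easily leave the others behind, so each copy should say where the canonical value lives, for example `# Keep in sync with npmMinimalAgeGate in the root .yarnrc.yml`. The stub would be safer to use if it showed the expected shape, e.g. `#  - 'name@x.y.z'  # exact version; remove once older than the gate`, so that an exemption added in a hurry defaults to a pinned version rather than a scope glob. The same applies to the identical hunk in the functions rc file.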
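Review bot: The `- '@react-native-firebase/*'` entry in the root `.yarnrc.yml` hunk exempts every version of every package in that scope from the age gate, which is far wider than the exact-version `firebase@12.12.1` entry above it. The commit message gives the reason (a maintenance relationship), but the file does not, and the file is what a later reader sees; a comment such as `# own scope: published by this repo's release process, adopted immediately` would record why the glob is acceptable. The `firebase@12.12.1` entry duplicates the pin in `package.json` and `tests/package.json`, so its inline comment should say that all three must change together. Preapproval appears to be matched per package, so a freshly published `firebase` release may still be blocked through its own `@firebase/*` dependencies; that is worth confirming before relying on this entry for fast adoption. The `spec` quote-style change in the same hunk is unrelated to the age gate and would be easier to review in its own commit.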