[rush] Support pnpm's minimumReleaseAge setting

[briancmpbll]

Summary

I'd like to request adding support for pnpm's new minimumReleaseAge setting.

Details

There have been at least two high profile supply chain attacks on npm recently and this setting is designed to mitigate these attacks by requiring a minimum age on the installed versions. Most attacks are discovered and removed within 24 hours and having access to this setting will help prevent supply chain attacks in my project and others.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question	Answer
@microsoft/rush globally installed version?	5.149.1
rushVersion from rush.json?	5.149.1
useWorkspaces from rush.json?	true
Operating system?	Linux
Would you consider contributing a PR?	Yes
Node.js version (node -v)?	22.14.0

[marcin-kazmierczak]

Maybe as alternative could be handled by updateConfig hook https://pnpm.io/pnpmfile#hooksupdateconfigconfig-config--promiseconfig but from I can see it's not supported by rush at this moment.

[wtuminski]

Hi @iclanton!

Are there any plans to support it?

[iclanton]

This should be added as an option to common/config/rush/pnpm-config.json. It shouldn't be too difficult to implement. We don't have immediate plans to implement this, but we would welcome a community contribution.

[PrzemyslawMikos]

Hi @iclanton I'm also looking for that feature. Could you please give some hints on where to start/look at initially to start implementation?

[mrzepinski]

I'm preparing the PR for it, so let's wait a bit @PrzemyslawMikos @wtuminski @marcin-kazmierczak