From c33bc5cf1c249c5be8bf1be03e0ca9307f81516b Mon Sep 17 00:00:00 2001
From: mrica-equinor <mrica@equinor.com>
Date: Tue, 21 Apr 2026 11:51:58 +0200
Subject: [PATCH 1/5] Replace manual npm update

---
 .github/scripts/update-npm-packages.js        | 34 ++++++++++++++
 .../monthly_npm_dependency_update.yml         | 45 +++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 .github/scripts/update-npm-packages.js
 create mode 100644 .github/workflows/monthly_npm_dependency_update.yml

diff --git a/.github/scripts/update-npm-packages.js b/.github/scripts/update-npm-packages.js
new file mode 100644
index 000000000..1dc2295e4
--- /dev/null
+++ b/.github/scripts/update-npm-packages.js
@@ -0,0 +1,34 @@
+const { execSync } = require('child_process');
+
+let outdated = {};
+try {
+    execSync('npm outdated --json', { encoding: 'utf8' });
+} catch (e) {
+    // npm outdated exits with code 1 when packages are outdated; stdout still has the JSON
+    outdated = JSON.parse(e.stdout || '{}');
+}
+
+const sevenDaysAgo = Date.now() - 7 * 24 * 60 * 60 * 1000;
+const toUpdate = [];
+
+for (const [pkg, info] of Object.entries(outdated)) {
+    const latest = info.latest;
+    try {
+        const timeData = JSON.parse(execSync(`npm view ${pkg}@${latest} time --json`, { encoding: 'utf8' }));
+        const publishTime = new Date(timeData[latest]).getTime();
+        if (publishTime < sevenDaysAgo) {
+            toUpdate.push(`${pkg}@${latest}`);
+            console.log(`Queuing update: ${pkg}@${latest}`);
+        } else {
+            console.log(`Skipping ${pkg}@${latest} (released less than 7 days ago)`);
+        }
+    } catch (e) {
+        console.log(`Skipping ${pkg}: ${e.message}`);
+    }
+}
+
+if (toUpdate.length > 0) {
+    execSync(`npm install ${toUpdate.join(' ')}`, { stdio: 'inherit' });
+} else {
+    console.log('No packages older than 7 days to update');
+}
diff --git a/.github/workflows/monthly_npm_dependency_update.yml b/.github/workflows/monthly_npm_dependency_update.yml
new file mode 100644
index 000000000..6d57d11dd
--- /dev/null
+++ b/.github/workflows/monthly_npm_dependency_update.yml
@@ -0,0 +1,45 @@
+name: Monthly npm dependency update and create PR
+
+on:
+  schedule:
+    - cron: "0 8 1 * *" # 08:00 UTC on the 1st of every month
+  workflow_dispatch:
+
+jobs:
+  npm-update:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6
+        with:
+          node-version: 24
+          cache: npm
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Update npm packages (7+ day old releases only)
+        run: node ${{ github.workspace }}/.github/scripts/update-npm-packages.js
+        working-directory: ${{ github.workspace }}/frontend
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7
+        with:
+          commit-message: "GHA: Monthly npm dependency update"
+          title: Monthly npm dependency update
+          body: |
+            - Monthly update of npm dependencies
+
+            Auto-generated by [create-pull-request][1]
+
+            [1]: https://github.com/peter-evans/create-pull-request
+          branch: monthly-npm-dependency-update
+          labels: automated-pr
+          delete-branch: true

From 71f28a97b98db69b0e4b535a936006eed1495b92 Mon Sep 17 00:00:00 2001
From: mrica-equinor <mrica@equinor.com>
Date: Tue, 21 Apr 2026 11:51:58 +0200
Subject: [PATCH 2/5] Replace manual npm update

---
 .github/workflows/monthly_npm_dependency_update.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/monthly_npm_dependency_update.yml b/.github/workflows/monthly_npm_dependency_update.yml
index 6d57d11dd..12de18f2b 100644
--- a/.github/workflows/monthly_npm_dependency_update.yml
+++ b/.github/workflows/monthly_npm_dependency_update.yml
@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6

From a6073fa26db2efa50ab6bcc7d10133a16ae70e68 Mon Sep 17 00:00:00 2001
From: mrica-equinor <mrica@equinor.com>
Date: Tue, 21 Apr 2026 11:51:58 +0200
Subject: [PATCH 3/5] Replace manual npm update

---
 .github/scripts/update-npm-packages.js        | 34 -------------------
 .../monthly_npm_dependency_update.yml         |  8 +++--
 frontend/.npmrc                               |  1 +
 3 files changed, 6 insertions(+), 37 deletions(-)
 delete mode 100644 .github/scripts/update-npm-packages.js
 create mode 100644 frontend/.npmrc

diff --git a/.github/scripts/update-npm-packages.js b/.github/scripts/update-npm-packages.js
deleted file mode 100644
index 1dc2295e4..000000000
--- a/.github/scripts/update-npm-packages.js
+++ /dev/null
@@ -1,34 +0,0 @@
-const { execSync } = require('child_process');
-
-let outdated = {};
-try {
-    execSync('npm outdated --json', { encoding: 'utf8' });
-} catch (e) {
-    // npm outdated exits with code 1 when packages are outdated; stdout still has the JSON
-    outdated = JSON.parse(e.stdout || '{}');
-}
-
-const sevenDaysAgo = Date.now() - 7 * 24 * 60 * 60 * 1000;
-const toUpdate = [];
-
-for (const [pkg, info] of Object.entries(outdated)) {
-    const latest = info.latest;
-    try {
-        const timeData = JSON.parse(execSync(`npm view ${pkg}@${latest} time --json`, { encoding: 'utf8' }));
-        const publishTime = new Date(timeData[latest]).getTime();
-        if (publishTime < sevenDaysAgo) {
-            toUpdate.push(`${pkg}@${latest}`);
-            console.log(`Queuing update: ${pkg}@${latest}`);
-        } else {
-            console.log(`Skipping ${pkg}@${latest} (released less than 7 days ago)`);
-        }
-    } catch (e) {
-        console.log(`Skipping ${pkg}: ${e.message}`);
-    }
-}
-
-if (toUpdate.length > 0) {
-    execSync(`npm install ${toUpdate.join(' ')}`, { stdio: 'inherit' });
-} else {
-    console.log('No packages older than 7 days to update');
-}
diff --git a/.github/workflows/monthly_npm_dependency_update.yml b/.github/workflows/monthly_npm_dependency_update.yml
index 12de18f2b..1391549c4 100644
--- a/.github/workflows/monthly_npm_dependency_update.yml
+++ b/.github/workflows/monthly_npm_dependency_update.yml
@@ -27,9 +27,11 @@ jobs:
           cache: npm
           cache-dependency-path: frontend/package-lock.json
 
-      - name: Update npm packages (7+ day old releases only)
-        run: node ${{ github.workspace }}/.github/scripts/update-npm-packages.js
-        working-directory: ${{ github.workspace }}/frontend
+      - name: Update npm to support minimumReleaseAge
+        run: npm install -g npm@11.10.0
+
+      - name: Update npm packages
+        run: npm update
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7
diff --git a/frontend/.npmrc b/frontend/.npmrc
new file mode 100644
index 000000000..6592fe5a3
--- /dev/null
+++ b/frontend/.npmrc
@@ -0,0 +1 @@
+minimum-release-age=7 days

From 42192366a933514b3880179ea8aff32bd387d5e8 Mon Sep 17 00:00:00 2001
From: mrica-equinor <mrica@equinor.com>
Date: Tue, 21 Apr 2026 11:51:58 +0200
Subject: [PATCH 4/5] Replace manual npm update

---
 frontend/.npmrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/.npmrc b/frontend/.npmrc
index 6592fe5a3..15ae97c71 100644
--- a/frontend/.npmrc
+++ b/frontend/.npmrc
@@ -1 +1 @@
-minimum-release-age=7 days
+min-release-age=7 days

From bf604cea5de2b78a1a835214a333d8c4f86f326c Mon Sep 17 00:00:00 2001
From: mrica-equinor <mrica@equinor.com>
Date: Tue, 21 Apr 2026 11:51:58 +0200
Subject: [PATCH 5/5] Replace manual npm update

---
 .github/workflows/monthly_npm_dependency_update.yml | 1 +
 frontend/.npmrc                                     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/monthly_npm_dependency_update.yml b/.github/workflows/monthly_npm_dependency_update.yml
index 1391549c4..29d9c528d 100644
--- a/.github/workflows/monthly_npm_dependency_update.yml
+++ b/.github/workflows/monthly_npm_dependency_update.yml
@@ -40,6 +40,7 @@ jobs:
           title: Monthly npm dependency update
           body: |
             - Monthly update of npm dependencies
+            - Only packages released more than 7 days ago are included (enforced via `min-release-age=7` in `.npmrc`)
 
             Auto-generated by [create-pull-request][1]
 
diff --git a/frontend/.npmrc b/frontend/.npmrc
index 15ae97c71..7253a5cee 100644
--- a/frontend/.npmrc
+++ b/frontend/.npmrc
@@ -1 +1 @@
-min-release-age=7 days
+min-release-age=7