From 42033e6d281ca626cde3753a77ed2dbc9a8c09a3 Mon Sep 17 00:00:00 2001
From: Mahad Kalam <mahadkalam1234@gmail.com>
Date: Tue, 31 Mar 2026 09:03:42 +0100
Subject: [PATCH] Make setup use lockfile + mandate minimum release age

---
 bin/setup   | 2 +-
 bunfig.toml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 bunfig.toml

diff --git a/bin/setup b/bin/setup
index 59cd269..39e2ed6 100755
--- a/bin/setup
+++ b/bin/setup
@@ -14,7 +14,7 @@ FileUtils.chdir APP_ROOT do
 
   puts "== Installing dependencies =="
   system("bundle check") || system!("bundle install")
-  system! "bun install"
+  system! "bun install --frozen-lockfile"
 
   # puts "\n== Copying sample files =="
   # unless File.exist?("config/database.yml")
diff --git a/bunfig.toml b/bunfig.toml
new file mode 100644
index 0000000..bc634c7
--- /dev/null
+++ b/bunfig.toml
@@ -0,0 +1,4 @@
+[install]
+# Only install package versions published at least 3 days ago
+# (cough cough axios RAT...)
+minimumReleaseAge = 259200 # seconds