diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 7d4988e..cc8310a 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -32,10 +32,10 @@ jobs: - uses: actions/setup-node@v4 with: - node-version: 20 + node-version: 24 registry-url: https://registry.npmjs.org - - run: npm install + - run: npm ci - run: npm test
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1c43156..68cd3b7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs: - uses: actions/setup-node@v4 with: - node-version: 22 + node-version: 24 cache: npm - run: npm ci
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..ed7a2ab
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,7 @@
+# Reject package versions published less than 15 days ago (rolling supply-chain
+# cooldown). Requires npm >= 11.10.0
+#
+# To pull in an urgent fix newer than the window, override for a single run:
+# npm install --min-release-age=0
+# then commit the updated package-lock.json. See README for the policy.
+min-release-age=15
diff --git a/README.md b/README.md
index ded8892..6a38611 100644
--- a/README.md
+++ b/README.md
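Review bot: The bump at `node-version: 24` makes this job's npm whatever setup-node's Node 24 image bundles, and with the new `devEngines` block requiring npm >=11.10.0 with `onFail: error`, `npm ci` here is expected to hard-fail if that bundled npm is older; the same applies to the `node-version: 24` line in test.yml. It is worth confirming the runner's `npm --version` once, and if it is too old, either pin a Node 24 release known to bundle a new enough npm or add an explicit npm upgrade step before `- run: npm ci`. The switch from `npm install` to `npm ci` is the right choice for a publish job, since it refuses to drift from package-lock.json and so cannot resolve a fresh release that the cooldown would have blocked. If the publish step outside this hunk still authenticates with a long-lived registry token, recent npm 11 releases support trusted publishing via OIDC (`permissions: id-token: write`), which would remove the stored secret from the workflow.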
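Review bot: Moving the only tested Node version from 22 to 24 at `node-version: 24` means CI no longer exercises the oldest runtime the package claims to support, since package.json keeps `"node": ">=20"` and the new devEngines runtime floor is `>=20.10.0`. A matrix keeps the upgrade while restoring that coverage: `strategy.matrix.node-version: [20, 22, 24]` on the job and `node-version: ${{ matrix.node-version }}` in this step; the job header that would hold the strategy is outside the hunk. The existing `cache: npm` line keys on package-lock.json, so the matrix entries share the cache.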
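Review bot: The documented override `npm install --min-release-age=0` bypasses the cooldown for every dependency that gets re-resolved in that run, not only the one needing the urgent fix, so the comment should show the scoped form: `# npm install <pkg>@<version> --min-release-age=0` (placeholders to be filled by the reader), which keeps the bypass to the package being patched and makes the reason visible in the lockfile diff. The literal "15 days" in the first comment line duplicates the value on `min-release-age=15`, while the README says that line is the single source of truth; rewording it as `# Reject package versions published less than min-release-age days ago (rolling supply-chain` avoids the two drifting apart. Whether an npm older than 11.10.0 warns or stays silent on this unknown key is not shown here, so the "Requires npm >= 11.10.0" note is doing real work and should stay.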
@@ -384,6 +384,24 @@ npm run test:all # both node ./cli/zerion.js --help ```
+Development requires **npm >=11.10** (see Supply-chain cooldown below); CI and `npm publish` run on Node 24.
+
+### Supply-chain cooldown
+
+To reduce exposure to npm supply-chain attacks, this repo enforces a **release-age cooldown**: `npm install` will only resolve dependency versions that have been published for at least a fixed number of days. Compromised "fresh" releases are usually detected and unpublished within that window.
+
+The cooldown length is set by `min-release-age` in [`.npmrc`](./.npmrc) — that line is the single source of truth for the window. It requires **npm >=11.10** (older npm silently ignores it); `devEngines` in `package.json` pins npm to that range with `onFail: error`, so an unsupported npm hard-fails instead of quietly skipping the cooldown.
+
+The cooldown only affects version _resolution_ (i.e. updating `package-lock.json`); a plain install from the existing lockfile — including `npm ci` in CI — is unaffected.
+
+**Overriding for an urgent fix.** If you need a security patch newer than the window, bypass it for a single install and commit the result:
+
+```bash
+npm install @ --min-release-age=0
+```
+
+Then commit the updated `package-lock.json` with a note explaining why.
+
 ### Contribution guidelines - Keep examples copy-pasteable.
diff --git a/package.json b/package.json
index 7130f2d..832ff6d 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,18 @@ "engines": { "node": ">=20" },
+ "devEngines": {
+ "runtime": {
+ "name": "node",
+ "version": ">=20.10.0",
+ "onFail": "error"
+ },
+ "packageManager": {
+ "name": "npm",
+ "version": ">=11.10.0",
+ "onFail": "error"
+ }
+ },
 "keywords": [ "zerion", "ai",
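Review bot: The `devEngines` block only produces the promised hard failure on npm releases that recognise the field; an npm old enough to ignore `min-release-age` may also predate `devEngines`, in which case both are skipped silently and the README's "hard-fails instead of quietly skipping" claim does not hold for it — worth confirming against the oldest npm that reads `devEngines` and stating that floor in the README. The runtime floor `"version": ">=20.10.0"` is stricter than the unchanged `"engines": { "node": ">=20" }` just above it, so a contributor on Node 20.0–20.9 passes `engines` but is rejected by `onFail: "error"`; either align `engines.node` to `">=20.10.0"` or note why developers need the later patch level. Because `onFail: "error"` applies to every root install, including `npm ci` in both workflows, any CI image whose bundled npm is below 11.10.0 will stop at install time rather than at the cooldown check.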