The min-release-age=21 trick is smart. Most supply chain attacks get caught within hours or days — the LiteLLM incident was found in 3 hours. 21 days gives plenty of buffer.