At least with pnpm, you can specify minimumReleaseAgeExclude, temporarily until the time passes. I imagine the other package managers have similar options.

[1]: https://pnpm.io/settings#minimumreleaseageexclude

I haven't checked, but it would be surprising that the min-release-age applies to npm audit and equivalent commands

Exactly what I thought too when I read this...

Urgent fix, patch released, invisible to dev team cause they put in a 7 day wait. Now our app is vulnerable for up to 7 days longer than needed (assuming daily deploys. If less often, pad accordingly). Not a great excuse as to why the company shipped an "updated" version of the app with a standing CVE in it. "Sorry we were blinded to the critical fix because set an arbitrary local setting to ignore updates until they are 7 days old". I wouldn't fire people over that, but we'd definitely be doing some internal training.

Not really an issue though right because virtually none of these have lasted more than 1-2 days before being discovered?

Out of the frying pan and into the frier.....