Respect package managers' native minimum release age #144
Open
bircni wants to merge 2 commits into
Conversation
The npm ecosystem now exposes minimum-release-age supply-chain settings (npm min-release-age, pnpm minimumReleaseAge, bun minimumReleaseAge). Honor them automatically for the npm mode so updates never proposes a version the package manager would itself refuse to install. The nearest .npmrc / pnpm-workspace.yaml / bunfig.toml above each manifest is read and normalized to days; the most conservative age and the union of exclude lists apply. An explicit updates cooldown (global, per-dir, or override, including an explicit 0) takes precedence; the native value is only a fallback. Native exclude lists support globs and are matched with the shared pattern matcher. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
Author
adding yarn support, too
Yarn 4.10+ exposes npmMinimalAgeGate in .yarnrc.yml (minutes as a number, or a duration string like "7d") plus npmPreapprovedPackages to exempt packages. Read it alongside the npm/pnpm/bun settings. The pnpm/yarn YAML extraction is unified behind generic yamlScalar/yamlList helpers instead of a pnpm-specific parser. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Owner
I already added a parser for renovate's setting but it's not enabled by default specifically because I want Building a complex config inheritance system from dozens of other tools is not what I want to maintain and it would be too confusing to users. So for this reason I think I will reject and probably also drop the renovate inheritance. Users should configure this tool via
Summary
The npm ecosystem now ships built-in supply-chain "cooldown" settings — a minimum age a published version must reach before a package manager will install it.
`updates` already has its own `cooldown` option, but ignored these native settings. This PR makes the npm mode automatically honor them, so `updates` never proposes a version the package manager itself would refuse to install. The nearest config file above each manifest is read and normalized to days:

| File | Age setting (unit) | Exclude setting |
| --- | --- | --- |
| `.npmrc` | `min-release-age` (days) | `min-release-age-exclude` |
| `pnpm-workspace.yaml` or `.npmrc` | `minimumReleaseAge` / `minimum-release-age` (minutes) | `minimumReleaseAgeExclude` / `minimum-release-age-exclude` |
| `bunfig.toml` `[install]` | `minimumReleaseAge` (seconds) | `minimumReleaseAgeExcludes` |

When several are present, the most conservative age and the union of exclude lists apply.
Precedence
An explicit `updates` cooldown always wins; the native value is only a fallback when `updates` has none:

- `overrides` cooldown
- `cooldown` (incl. `--cooldown`) — an explicit `0` disables the native fallback

Native exclude lists support globs (e.g. `@myorg/*`).

This is on by default for the npm mode. Other modes (pypi, go, cargo, docker, make, actions) are unaffected. uv/pypi is intentionally left out for now — its `pyproject.toml` `exclude-newer` is an absolute timestamp rather than a relative age and needs a separate mechanism.
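The unit normalization, "most conservative age plus union of excludes" merge, and precedence rules described in this PR body, as an added example that is not code from the `updates` project or from the PR itself. It assumes the per-file settings have already been extracted into a constructed `{ age, unit, exclude }` shape, and uses a small stand-in glob matcher in place of the project's shared pattern matcher.

```javascript
// Added example (not from the updates project or this PR): normalise the native
// minimum-release-age settings to days, keep the most conservative one, union the
// exclude lists, and let an explicit updates cooldown (including 0) win over them.

// npm counts days, pnpm minutes, bun seconds; yarn takes minutes as a number or a
// duration string such as "7d". Everything is converted via whole seconds to avoid
// floating-point drift.
const UNIT_SECONDS = { s: 1, m: 60, h: 3600, d: 86400, w: 604800 };

function durationToDays(value, defaultUnit) {
  if (typeof value === "number") return (value * UNIT_SECONDS[defaultUnit]) / 86400;
  const m = /^(\d+(?:\.\d+)?)\s*([smhdw])?$/.exec(String(value).trim());
  if (!m) throw new Error(`unparseable duration: ${value}`);
  return (Number(m[1]) * UNIT_SECONDS[m[2] ?? defaultUnit]) / 86400;
}

// `native` holds one entry per config file found above the manifest (a constructed
// shape for this example), e.g. { age: 4320, unit: "m", exclude: ["@myorg/*"] }.
function mergeNative(native) {
  let ageDays = null;
  const exclude = new Set();
  for (const s of native) {
    if (s.age !== undefined && s.age !== null) {
      const d = durationToDays(s.age, s.unit);
      ageDays = ageDays === null ? d : Math.max(ageDays, d); // most conservative wins
    }
    for (const p of s.exclude ?? []) exclude.add(p);
  }
  return { ageDays, exclude: [...exclude] };
}

// Precedence: overrides cooldown > cooldown (incl. --cooldown) > native fallback.
// An explicit 0 at either updates level disables the native fallback entirely.
function effectiveCooldownDays({ overrideCooldown, cooldown, native = [] }) {
  if (overrideCooldown !== undefined) return overrideCooldown;
  if (cooldown !== undefined) return cooldown;
  return mergeNative(native).ageDays; // null when nothing is configured anywhere
}

// Minimal glob matcher for exclude patterns such as "@myorg/*"; a stand-in for the
// project's shared pattern matcher, which this example does not have.
function isExcluded(pkg, patterns) {
  const escape = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return patterns.some((p) =>
    new RegExp("^" + p.split("*").map(escape).join(".*") + "$").test(pkg)
  );
}
```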