Skip to content

[rush] minimumReleaseAge in pnpm-config.json is written to package.json but pnpm only reads it from .npmrc/pnpm-workspace.yaml #5752

Open
Open
[rush] minimumReleaseAge in pnpm-config.json is written to package.json but pnpm only reads it from .npmrc/pnpm-workspace.yaml#5752
@calm-mlin

Description

@calm-mlin
calm-mlin
opened on Apr 7, 2026

Summary

The minimumReleaseAge and minimumReleaseAgeExclude settings in common/config/rush/pnpm-config.json are written to common/temp/package.json under the pnpm key, but pnpm does not read these settings from package.json. pnpm only reads them from .npmrc (as minimum-release-age) or pnpm-workspace.yaml.

As a result, the settings are silently ignored and provide no protection.

Steps to Reproduce

  1. Set "minimumReleaseAge": 20160 in common/config/rush/pnpm-config.json (14 days in minutes)
  2. Add a dependency on a package with a very recent release (e.g., released 2 days ago)
  3. Run rush update
  4. Expected: rush update fails with ERR_PNPM_NO_MATURE_MATCHING_VERSION
  5. Actual: rush update succeeds — the setting is ignored

Root Cause

Rush's InstallHelpers.generateCommonPackageJson() writes minimumReleaseAge to common/temp/package.json:

{
  "pnpm": {
    "minimumReleaseAge": 20160,
    "minimumReleaseAgeExclude": []
  }
}

However, pnpm's config reader does not include minimumReleaseAge in the set of fields it reads from package.json's pnpm section. The supported fields from package.json are: overrides, packageExtensions, peerDependencyRules, allowedDeprecatedVersions, patchedDependencies, allowBuilds, ignoredOptionalDependencies, supportedArchitectures, requiredScripts, configDependencies, auditConfig, updateConfig.

pnpm reads minimumReleaseAge from:

  • pnpm-workspace.yaml (as minimumReleaseAge)
  • .npmrc (as minimum-release-age)

Workaround

Add minimum-release-age=20160 directly to common/config/rush/.npmrc. Rush copies this file to common/temp/.npmrc, which pnpm does read.

Environment

  • Rush: 5.172.1
  • pnpm: 10.33.0
  • Node: 24.x

Suggested Fix

Rush should write minimumReleaseAge and minimumReleaseAgeExclude to either:

  • The generated .npmrc file (as minimum-release-age and minimum-release-age-exclude), or
  • The generated pnpm-workspace.yaml file

instead of (or in addition to) package.json.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question Answer
@microsoft/rush globally installed version? 5.172.1
rushVersion from rush.json? 5.172.1
pnpmVersion, npmVersion, or yarnVersion from rush.json? 10.33.0
(if pnpm) useWorkspaces from pnpm-config.json? true
Operating system? Mac
Would you consider contributing a PR? Yes
Node.js version (node -v)? 24.13.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    Bug Triage

    Status

    Needs triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions