Bun update --latest does not respect minimumReleaseAge for transient dependencies

[unkhz]

What version of Bun is running?

1.3.3+274e01c73

What platform is your computer?

Darwin 24.6.0 arm64 arm

What steps can reproduce the bug?

• Pick a release age value that downgrades a dependency (e.g. 3000000 today)
• Create fresh project with vitest (or any other project with peer dependency)

$ bun init -m
$ bun add -D vitest
bun add v1.3.3 (274e01c7)

installed vitest@4.0.14 with binaries:
 - vitest

• Update bunfig.toml to contain min age rule

[install]
minimumReleaseAge=3000000 # Use value picked earlier

• Run bun update --latest && bun install

$ bun update --latest && bun install
bun update v1.3.3 (274e01c7)

↑ @types/bun 1.3.3 → 1.3.1
↑ vitest 4.0.14 → 4.0.4

14 packages installed [1.90s]

• Check the version of transient dependecy "vite" in bun.lock

$ grep "vite@" bun.lock
    "vite": ["vite@7.2.6", "", { "dependencies": { "esbuild": "^0.25.0", "fdir": "^6.5.0", "picomatch": "^4.0.3", "postcss": "^8.5.6", "rollup": "^4.43.0", "tinyglobby": "^0.2.15" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^20.19.0 || >=22.12.0", "jiti": ">=1.21.0", "less": "^4.0.0", "lightningcss": "^1.21.0", "sass": "^1.70.0", "sass-embedded": "^1.70.0", "stylus": ">=0.54.8", "sugarss": "^5.0.0", "terser": "^5.16.0", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["@types/node", "jiti", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser", "tsx", "yaml"], "bin": { "vite": "bin/vite.js" } }, "sha512-tI2l/nFHC5rLh7+5+o7QjKjSR04ivXDF4jcgV0f/bTQ+OJiITy5S6gaynVsEM+7RqzufMnVbIon6Sr5x1SDYaQ=="],

What is the expected behavior?

• The 1st level dependency "vitest" is downgraded to respect minimum release age
• The 2nd level dependency "vite" is downgraded to respect minimum release age

What do you see instead?

• The 1st level dependency "vitest" is downgraded
• The 2nd level dependency "vite" is NOT downgraded, instead bun.lock uses already existing version which is too new

Additional information

With minimumReleaseAge setting in use, bun update --latest seems to be a nice way to update the whole project. It nicely shows which dependencies were downgraded. However I would expect it to update all dependencies according to release age, not just the 1st level.

Workaround: Delete bun.lock and recreate it to get minimumReleaseAge get respected for all transient dependencies.

[RiskyMH]

I'm pretty sure it only works for resolving new dependencies, so if its already in bun.lock it will effectively trust that its valid. This believe is also how pnpm implemented it.

Personally when I implemented it, I did consider checking the modified header and refuse to install if too new but I forgot to do that and it may cause lots of confusion instead.

[unkhz]

@RiskyMH makes sense. I tested how latest pnpm handles the situation and didn't actually find a way to downgrade the packages with it. Where bun downgrades the 1st level dependency, pnpm simply throws when trying the update with too new version. The fact that it refuses to downgrade packages makes it more explicit and circumvents this accidental partial downgrade problem altogether.

For my use case of taking the minimumReleaseAge into use in an existing project, I feel the pnpm approach is safer as it does not allow "breaking the rule". This situation of the minimumReleaseAge value being changed to downgrade packages is unlikely happen constantly. In most cases it's probably done once when first taking the config to use and maybe a few times after that during the lifetime of a project. Given the rarity of the failure, throwing error to force users to fix the problem manually might not be too harsh.

The problem might be that the --latest option behaves differently. Maybe this was not intentional?

pnpm throws always

$ pnpm update vitest --latest
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for vitest@4.0.14 published by Fri Mar 20 2020 10:32:32 GMT+0200 (Itä-Euroopan normaaliaika) while fetching it from https://registry.npmjs.org/. Version 4.0.14 satisfies the specs but was released at Tue Nov 25 2025 15:54:37 GMT+0200 (Itä-Euroopan normaaliaika)

$ pnpm update vitest
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for vitest@4.0.4 published by Fri Mar 20 2020 10:49:17 GMT+0200 (Itä-Euroopan normaaliaika) while fetching it from https://registry.npmjs.org/. Version 4.0.4 satisfies the specs but was released at Mon Oct 27 2025 14:29:23 GMT+0200 (Itä-Euroopan normaaliaika)

bun throws only when --latest is not used

$ bun update vitest
bun update v1.3.3 (274e01c7)
error: No version matching "vitest" found for specifier "4.0.14" (blocked by minimum-release-age: 3000000 seconds)
error: vitest@4.0.14 failed to resolve

$ bun update vitest --latest
bun update v1.3.3 (274e01c7)

installed vitest@4.0.4 with binaries:
 - vitest

8 packages installed [1.61s]

[marcospgp]

Adopting minimumReleaseAge = 604800 (7 days) org-wide via a shared bunfig.toml symlinked into every project, hit this in policy review.

We dodge the bug for unrelated reasons: our deps-update workflow already prohibits bun update --latest (it silently downgrades beta/preview channel-pinned packages to latest stable, which we can't tolerate for our Expo channel pins). We use bun add <pkg>@latest per direct dep, then delete bun.lock, then bun install — that path gates transitives correctly per docs.

+1 on priority regardless:

• The reproduction in the issue body matches expected bug semantics; --latest should gate uniformly with the rest of resolution. Currently it's a footgun for anyone reaching for the obvious "update everything" command after enabling the feature.
• Every org adopting minimumReleaseAge for supply-chain reasons will hit this independently. Documenting "don't use --latest while the gate is enabled" is fragile compared to fixing the resolution path.
• pnpm-style hard-throw for direct deps (per @unkhz's later comment) would also be a nicer UX than silent downgrade — separable from the transitive bug but related.

Happy to test a fix against our setup once one lands.

[RiskyMH]

The reproduction in the issue body matches expected bug semantics; --latest should gate uniformly with the rest of resolution. Currently it's a footgun for anyone reaching for the obvious "update everything" command after enabling the feature.

I'm not sure I follow what you are trying to say, like all age gate does is filter out versions from npm's releases api and make bun effectively not know about it (which is why if its in bun.lock already it's valid) - pnpm does this the same way.

Are you saying that --latest should just simply fail if it can't be used? Do note that in --verbose logs it does mention any downgrades it has auctioned.

pnpm-style hard-throw for direct deps (per unkhz's later comment) would also be a nicer UX than silent downgrade — separable from the transitive bug but related.

I haven't looked into the code for a while, but it tries to find the next best semver compliant version and if there is none -> it fails with a message explaining that its due to the age filter.

[marcospgp]

I'm not sure I follow what you are trying to say, like all age gate does is filter out versions from npm's releases api and make bun effectively not know about it (which is why if its in bun.lock already it's valid) - pnpm does this the same way.

Are you saying that --latest should just simply fail if it can't be used? Do note that in --verbose logs it does mention any downgrades it has auctioned.

--latest overrides config, that's the issue