install: enforce minimumReleaseAge against lockfile-pinned versions

[robobun]

Fixes #30525.
Fixes #25305.

Reproduction

mkdir bun-minage-bypass && cd bun-minage-bypass
echo '{"name":"x","private":true,"dependencies":{"is-odd":"3.0.1"}}' > package.json

# Populate bun.lock with no cooldown configured.
bun install

# Now turn on a 10-year cooldown. is-odd@3.0.1 is ~8 years old — it
# should violate the cooldown.
cat > bunfig.toml <<'TOML'
[install]
minimumReleaseAge = 315360000
TOML

rm -rf node_modules
bun install                   # on main: exit 0, installs 3.0.1 anyway
bun install --frozen-lockfile # on main: exit 0, installs 3.0.1 anyway

Cause

The minimumReleaseAge filter only runs during version resolution — findByDistTagWithFilter / findBestVersionWithFilter in src/install/npm.zig, which PackageManagerEnqueue calls when Bun picks a version. When bun.lock already has a resolution pinned, installHoistedPackages → PackageInstaller.installPackageWithNameAndResolution (src/install/PackageInstaller.zig:772) reads the locked version, dispatches straight to enqueuePackageForDownload (PackageManagerEnqueue.zig:237), and extracts the tarball. No manifest lookup, no age check. --frozen-lockfile tightens the "lockfile must not change" gate but does not add any new filtering, so it behaved identically.

This is the same shape as pnpm/pnpm#10438 — the gate only protects net-new resolutions, which is exactly the opposite of what a team adding the cooldown after an incident expects.

Fix

Add a post-resolution gate in installWithManager (src/install/PackageManager/install_with_manager.zig) that runs when minimumReleaseAge is configured, right before the install phase begins:

1. Reuse populateManifestCache(.all) to make sure every locked npm package has its (extended) manifest loaded.
2. For each .npm resolution in lockfile.packages, call manifest.findByVersion(resolution.value.npm.version) to recover the exact PackageVersion and its publish_timestamp_ms.
3. If isPackageVersionTooRecent and the package isn't in install.minimumReleaseAgeExcludes, accumulate an error on manager.log.
4. If any errors accumulated, print them and Global.crash() before installation starts.

The walk only happens when minimum_release_age_ms != null, so the hot path (no cooldown configured) is untouched. Exclusions are honored because the same shouldExcludeFromAgeFilter predicate used by the resolution-time filter is reused here.

Under --frozen-lockfile the install fails fast without touching the filesystem. Without --frozen-lockfile, the user is told which versions violate the cooldown and pointed at the three remediation options: remove the offending version from bun.lock, raise the bound, or extend install.minimumReleaseAgeExcludes.

Verification

bun bd test test/cli/install/minimum-release-age.test.ts
  50 pass, 0 fail

bun bd test test/cli/install/minimum-release-age.test.ts -t "frozen lockfile"
  4 pass, 0 fail

With the src/ changes stashed, two of the four frozen-lockfile tests — the ones that assert the cooldown now blocks a locked violator under both bun install and bun install --frozen-lockfile — fail on main, which confirms they exercise the fix.

Also manually reproduced: the repro above now exits 1 with a clear per-package error naming is-odd@3.0.1 (and its transitive is-number@6.0.0) under both bun install and bun install --frozen-lockfile, and succeeds cleanly when the packages are added to minimumReleaseAgeExcludes.

[robobun]

^{Updated 10:27 PM PT - May 11th, 2026}

❌ @robobun, your commit 0c9fe32 has 3 failures in Build #53575 (All Failures):

• test/js/bun/s3/s3-storage-class.test.ts - code 1 on 🍎 14 aarch64
• test/cli/install/bun-install-registry.test.ts - code 1 on 🪟 11 aarch64
• test/js/bun/test/parallel/test-http-should-emit-close-when-connection-is-aborted.ts - timeout on 🪟 2019 x64
• test/js/bun/test/parallel/test-http-should-emit-close-when-connection-is-aborted.ts - timeout on 🪟 2019 x64-baseline
• test/js/bun/test/parallel/test-http-should-emit-close-when-connection-is-aborted.ts - timeout on 🪟 11 aarch64

---

🧪   To try this PR locally:

bunx bun-pr 30526

That installs a local version of the PR into your bun-30526 executable, so you can run:

bun-30526 --bun

[github-actions]

Found 1 issue this PR may fix:

1. Bun update --latest does not respect minimumReleaseAge for transient dependencies #25305 - Reports that bun update --latest does not enforce minimumReleaseAge for transitive dependencies pinned in bun.lock, which is the same class of lockfile-bypass bug this PR fixes with enforceLockfileAgeFilter

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #25305

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The PR enforces configured minimum_release_age_ms for versions already pinned in bun.lock by adding enforceLockfileAgeFilter to validate locked npm packages before install; installWithManager invokes it and aborts with logged errors and remediation guidance if violations are found.

Changes

Lockfile Release Age Enforcement

Layer / File(s)	Summary
Core validation logic src/install/PackageManager/PopulateManifestCache.zig	Added enforceLockfileAgeFilter(manager: *PackageManager) !void that ensures manifests are populated, iterates all locked npm packages, loads each manifest by name hash, honors minimum_release_age_excludes via isExcludedByName, and records errors via Npm.PackageManifest.isPackageVersionTooRecent for versions published within the configured cooldown. Added logger and Npm constants used by the validation.
Public API export src/install/PackageManager.zig	Re-exports enforceLockfileAgeFilter from PopulateManifestCache.zig as a public const in the PackageManager module.
Integration into install flow src/install/PackageManager/install_with_manager.zig	Inserted a gate before the security-scanner path that calls enforceLockfileAgeFilter() when options.minimum_release_age_ms is set. If validation logs errors, the function prints enforcement errors (unless log level is silent), emits a remediation note (remove from bun.lock, raise the bound, or add to install.minimumReleaseAgeExcludes), resets the logger, and aborts via Global.crash().
Validation and test coverage test/cli/install/minimum-release-age.test.ts	Replaced/added tests to assert bun install --frozen-lockfile --minimum-release-age and bun install --minimum-release-age fail when a locked version violates the minimum release age, checking stderr for the package name, locked version (3.0.0/99.99.99), and “minimum release age”. Added exclusion-path test and updated missing-manifest behavior to fail-closed.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: enforcing minimumReleaseAge for versions already pinned in lockfiles, which is the primary objective of this PR.
Description check	✅ Passed	The PR description is comprehensive, addressing both template sections (What does this PR do and verification), with detailed explanation of the problem, cause, fix approach, and manual verification results.
Linked Issues check	✅ Passed	The PR directly addresses both linked issues: #30525 (enforce minimumReleaseAge against lockfile-pinned versions) and #25305 (respect minimumReleaseAge for transitive dependencies), with code changes that implement the required enforcement at install-from-lockfile time.
Out of Scope Changes check	✅ Passed	All changes are scoped to the enforcement of minimumReleaseAge on locked versions: manifest cache population, version validation, error logging, and installer gating. No unrelated modifications are present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/install/PackageManager/PopulateManifestCache.zig`:
- Around line 189-200: The current use of "orelse continue" on
manager.manifests.byNameHash(...) and manifest.findByVersion(...) lets missing
manifest/version metadata bypass minimumReleaseAge checks; change this to "fail
closed" by treating missing metadata as a blocked (too-recent) result instead of
silently continuing: replace the first "orelse continue" after
manager.manifests.byNameHash(...) with logic that returns an error or marks the
resolution as disallowed when the manifest is missing, and replace the "orelse
continue" after manifest.findByVersion(...) with logic that treats a missing
find_result as failing the Npm.PackageManifest.isPackageVersionTooRecent check
(use min_age_ms and manager.options.minimum_release_age_excludes) so the code
enforces the cooldown rather than skipping it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b48aae88-dc10-44d1-af20-d538b76f3b45

📥 Commits

Reviewing files that changed from the base of the PR and between 37bfbed and f240c84.

📒 Files selected for processing (4)

• src/install/PackageManager.zig
• src/install/PackageManager/PopulateManifestCache.zig
• src/install/PackageManager/install_with_manager.zig
• test/cli/install/minimum-release-age.test.ts

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/install/PackageManager/PopulateManifestCache.zig`:
- Around line 244-248: The isExcludedByName helper currently only compares the
full package name and therefore misses bare-name exclusions for scoped packages;
update isExcludedByName to also treat a scoped package "@scope/name" as matching
an exclusion entry "name" by checking, when name contains '/', the segment after
the last '/' (or the part after the scope) against exclusions in addition to the
full name. Modify the loop in isExcludedByName to compare both
bun.strings.eql(entry, name) and, if name contains '/', bun.strings.eql(entry,
segmentAfterSlash) so bare-name excludes like "scoped-package" will also match
"@scope/scoped-package".

In `@test/cli/install/minimum-release-age.test.ts`:
- Around line 1848-1853: Move the diagnostics assertions to check stderr content
before asserting the process exit code: keep the existing reads of
proc.stderr.text() and proc.exited but assert that stderr contains
"regular-package", "3.0.0", and a case-insensitive "minimum release age" first,
and only after those expectations assert expect(exitCode).toBe(1); apply the
same reorder for the other two similar blocks in this test file (the blocks
around the other mentioned ranges that use proc, stderr, and exitCode).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: da0ff362-c6c4-4336-877c-e9b3571f7c17

📥 Commits

Reviewing files that changed from the base of the PR and between f240c84 and 7772a1f.

📒 Files selected for processing (2)

• src/install/PackageManager/PopulateManifestCache.zig
• test/cli/install/minimum-release-age.test.ts

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/install/PackageManager/install_with_manager.zig`:
- Around line 794-817: The enforceLockfileAgeFilter() block (guarded by
manager.options.minimum_release_age_ms) must be moved earlier — place the entire
if-block that calls manager.enforceLockfileAgeFilter(), computes violations,
prints the note, resets manager.log, and calls Global.crash() immediately after
resolution verification completes and before
performSecurityScanAfterResolution() and any scanner/lifecycle side effects;
ensure you keep the same checks on manager.log/errors, log_level behavior, and
the remediation message referencing install.minimumReleaseAgeExcludes so the
failure path remains identical but runs before any
security-scanner/network/install work.

In `@test/cli/install/minimum-release-age.test.ts`:
- Around line 1885-1889: Add the same assertion that checks the rejection reason
for the "minimum release age" gate in this non-frozen test: after the existing
expects for stderr containing "regular-package" and "3.0.0" and before asserting
exitCode, add an expectation that stderr includes the "minimum release age"
message (the same string used in the frozen and missing-manifest variants) so
the test verifies the specific gate rather than any generic failure mode; update
the block around the variables stderr and exitCode used in the Promise.all call
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 213d9253-735a-490b-a5dc-5c8d5dabf5ec

📥 Commits

Reviewing files that changed from the base of the PR and between d99d97c and fb8c2c5.

📒 Files selected for processing (2)

• src/install/PackageManager/install_with_manager.zig
• test/cli/install/minimum-release-age.test.ts

[claude]

Additional findings (outside current diff — PR may have been updated during review):

• 🟡 src/install/PackageManager/install_with_manager.zig:800-806 — The errors_before snapshot is captured before enforceLockfileAgeFilter(), but that function's first step is try populateManifestCache(manager, .all) — so any manifest-fetch error runTasks logs (registry 5xx, network failure, parse failure) lands after the snapshot and is counted in violations, contradicting the comment at lines 802-805 and the resolved-thread reply. Have enforceLockfileAgeFilter return an explicit violation count from its own loop (or snapshot log.errors inside it, after populateManifestCache returns) so the remediation note is gated on actual cooldown/fail-closed errors only.

  Extended reasoning...

  What the bug is

  The fix in fb8c2c5 for the earlier review comment snapshots errors_before = manager.log.errors immediately before calling manager.enforceLockfileAgeFilter(), then computes violations = manager.log.errors -| errors_before and gates the remediation note on violations > 0. The accompanying comment at lines 802-805 says this is to "distinguish cooldown violations (added by enforceLockfileAgeFilter) from unrelated errors that populateManifestCache may have funneled into manager.log (e.g. a transient registry 5xx)", and the resolved-thread reply (3222998605) says "Unrelated errors (manifest fetch 5xx, parse failures)… fall through to the generic error output instead of being misattributed to a cooldown violation."

  But enforceLockfileAgeFilter() calls populateManifestCache(manager, .all) internally as its very first step (PopulateManifestCache.zig:175). Any error that populateManifestCache → runTasks deposits into manager.log is therefore logged after errors_before was captured and counts toward violations. The snapshot only filters out errors that pre-existed the enforceLockfileAgeFilter call (e.g. from cleanWithLogger); it does not filter out manifest-fetch errors raised inside it.

  The specific code path

  populateManifestCache drains tasks via runTasks(..., .{ .onPackageManifestError = {}, ... }). With a void onPackageManifestError, runTasks.zig writes directly to manager.log via addErrorFmt at:

  • ~line 191 — non-retryable network failure on a required manifest,
  • ~line 247 — HTTP status > 399 on a required manifest,
  • ~line 612 — manifest parse failure.

  All three increment manager.log.errors after the snapshot at install_with_manager.zig:800 was taken, so all three are counted in violations.

  Why existing code doesn't prevent it

  The snapshot is taken at the call site in installWithManager, one frame above where populateManifestCache runs. There is no second snapshot inside enforceLockfileAgeFilter between the populateManifestCache call and the per-package loop, and enforceLockfileAgeFilter returns !void rather than a count, so the caller has no way to distinguish which errors inside the delta came from the loop vs. from manifest fetching.

  Step-by-step proof

  1. bun.lock pins foo@1.0.0 and foo is listed in minimumReleaseAgeExcludes. minimumReleaseAge is configured.
  2. installWithManager reaches line 800: errors_before = manager.log.errors (say, 0).
  3. enforceLockfileAgeFilter() is called → populateManifestCache(manager, .all) runs → registry returns 503 for foo → runTasks calls manager.log.addErrorFmt("GET … - 503"). manager.log.errors is now 1.
  4. Back in enforceLockfileAgeFilter's loop: byNameHash returns null for foo (no manifest). isExcludedByName("foo", …) is true → continue. The loop adds zero errors of its own.
  5. Control returns to installWithManager. violations = 1 -| 0 = 1. manager.log.hasErrors() is true.
  6. The gate prints error: GET … - 503, then prints note: remove the offending version from bun.lock, raise the bound, or add it to install.minimumReleaseAgeExcludes — for a package that is already in the excludes list and has no cooldown violation. Then Global.crash().

  This is exactly the misattribution the comment claims to prevent.

  Impact

  Diagnostic-quality only — the install correctly fails either way, and the underlying error text (e.g. the 503) is printed first. In the common non-excluded case, the loop's own fail-closed "manifest unavailable" error fires alongside the network error, and two of the note's three remediations (remove from bun.lock / add to excludes) are technically applicable to that fail-closed error, so the note isn't entirely nonsensical there. But the code demonstrably does not do what its comment and the resolved-thread reply say it does, and the excluded-package scenario above produces a purely spurious note.

  How to fix

  Have enforceLockfileAgeFilter return the count of errors its own loop added (incrementing a local var violations: u32 = 0; at each addErrorFmt site and returning it), and gate the note on that. Alternatively, snapshot manager.log.errors inside enforceLockfileAgeFilter after populateManifestCache returns and return the delta. Either way the comment at lines 802-805 should be updated to match.

[claude]

All earlier review feedback has been addressed and I have nothing further to flag, but this is a user-visible behavior change to a supply-chain security gate in the bun install hot path (plus a fail-closed design decision that makes installs network-dependent when minimumReleaseAge is set), so it's worth a maintainer's sign-off.

Extended reasoning...

Overview

This PR closes a bypass in the minimumReleaseAge supply-chain protection: previously the cooldown only applied during version resolution, so any version already pinned in bun.lock would install regardless. The fix adds enforceLockfileAgeFilter() in PopulateManifestCache.zig (~90 new lines) which, after resolution, force-loads extended manifests for every locked npm package via populateManifestCache(.all), looks up each pinned version's publish timestamp, and fails the install if any violate the cooldown (or cannot be verified — fail-closed). The gate is wired into install_with_manager.zig immediately after verifyResolutions and before the security scanner. Docs and tests are updated to match.

Security risks

The change strengthens a security feature rather than weakening one. No new injection/auth/data-exposure surface. The fail-closed behavior on missing manifest/version metadata is the conservative choice for a supply-chain gate. Error messages echo package names/versions from the lockfile into stderr, which is normal for install diagnostics.

Level of scrutiny

High — human review warranted. This is not a mechanical change:

• It flips documented behavior (the old docs explicitly said lockfile-pinned versions were untouched; now they hard-fail), so users who enabled minimumReleaseAge with an existing lockfile may see their next bun install / CI run break.
• When the feature is enabled, every bun install now triggers populateManifestCache(.all), which may fetch extended manifests for every npm package in the lockfile — a latency/network cost that didn't exist before on the locked-install path.
• The fail-closed choice means a transient registry outage or an unpublished version will block installs entirely (with the minimumReleaseAgeExcludes escape hatch as the only workaround). That's defensible for a security gate but is a UX/policy call.

Other factors

The PR has been through several review rounds (CodeRabbit + my own inline comments) and every raised issue — fail-open on missing metadata, --silent handling, bun.handleOom ban-words, violation-count attribution vs. unrelated manifest errors, gate ordering vs. the security scanner, stale docs, and the reversed "raise the bound" hint — has been addressed in subsequent commits. Test coverage is solid (frozen + non-frozen rejection, excludes pass-through, old-enough pass, fail-closed on missing-version). The two CI failures reported by robobun on 09ec15f (bun-install-registry.test.ts on Win-aarch64 and an unrelated http-abort timeout) look like known flakes rather than regressions from this change, but a maintainer should confirm. Given the behavior change and perf/UX trade-offs, this should not be auto-approved.