Allow `minimumReleaseAge` to additionally trust the minimum "Patched Versions" in `pnpm audit`/GitHub Advisory Database (optionally)

[tats-u]

Contribution

• I'd be willing to implement this feature (contributing guide)

Describe the user story

1. pnpm audit or Dependabot reports vulnerabilities in your repositories/packages
2. However, all patched versions written there are too new to be updated to due to minimumReleaseAge, so you cannot suppress the alert by pnpm up right now
3. You have to wait until these versions mature

Describe the solution you'd like

A new option in pnpm-workspace.yaml to allow the minimum patched version shown in pnpm audit or GitHub Advisory in pnpm-workspace.yaml.
These versions are often for vulnerability fix, supervised by vulnerability reporters, or/and safer than the other versions.

Update: transitive dependencies that block the installation of those packages should be allowed too, but only the not-yet-deprecated oldest versions.

Describe the drawbacks of your solution

Packages authors might have committed mistakes in these versions and immediately released hotfix versions.

Describe alternatives you've considered

• Time will solve everything but your application or package (or its dependents) might be attacked while waiting.
• Add entries in minimumReleaseAgeExclude just for one day, which produces extra commits.

[tats-u]

e.g. if you pass minimumReleaseAge: 14400, your application is vulnerable using RSC/Next.js to the React2Shell until tomorrow. You have to add extra entries in minimumReleaseAgeExclude in pnpm-workspace.yaml and remove it and remove it tomorrow just for this update.

[ryansobol]

I understand the friction of having to add exclusions and then remove them after the cooldown expires—as a developer, I totally get that it feels like unnecessary duplicate commits.

However, I'd respectfully disagree with automatically trusting patch versions within the cooldown period. This would create a significant loophole that attackers could exploit.

Real-world examples where attackers have used patch versions:

• Shai-Hulud 2.0 (November 2025): Compromised packages published malicious code across patch, minor, and major versions
• Chalk/Debug attack (September 2025): Attackers published malicious versions using patch bumps to appear less suspicious
• event-stream incident (2018): The malicious code was introduced in what appeared to be a routine patch update

Attackers specifically target patch versions because:

1. They trigger fewer alerts (developers assume patches are just bugfixes)
2. Automated dependency tools often auto-update patches
3. Code review is less rigorous for "minor" version bumps

The whole point of minimumReleaseAge is to create a detection window. If we exempt patch versions, we're essentially saying "we trust that maintainer accounts can't be compromised during routine patching"—which is exactly when they're most vulnerable.

Yes, security controls add friction. That's by design. Those who opt-in are trading a bit of convenience (manual exclusions for critical patches) for peace of mind that they're not creating attack vectors. The friction is the feature, not a bug to work around.

If a critical security patch truly needs immediate installation, adding it to minimumReleaseAgeExclude after review is the right workflow—it forces conscious decision-making rather than implicit trust.

[tats-u]

If we exempt patch versions, we're essentially saying "we trust that maintainer accounts can't be compromised during routine patching"

My suggestion is to trust GitHub Security Advisory's suggestion and make it possible to upgrade our packages following one.

[eps1lon]

However, I'd respectfully disagree with automatically trusting patch versions within the cooldown period. This would create a significant loophole that attackers could exploit.

GitHub security advisories, as well as CVEs, are reviewed first. They can't just be filed by anybody who can publish a npm release. So the maintainer would have to be compromised, release a new version with a new vulnerability, file a CVE against that new patch and then release the patch with the actual malicious code. Seems like this process would add enough cooldown period already.

If a critical security patch truly needs immediate installation, adding it to minimumReleaseAgeExclude after review is the right workflow—it forces conscious decision-making rather than implicit trust.

The problem with this option is that people will likely keep that in. So now the dependency is forever trusted slowly eroding the point of minimumReleaseAge. minimumReleaseAgeExclude would only be a safe recommendation if you could exclude a specific version.

[karlhorky]

Haven't yet had time to compile my thoughts on the solution proposed here, but I'm glad that there's discussions starting about the problem 👍

@eps1lon and I were talking today about how the DX of minimumReleaseAge + minimumReleaseAgeExclude is not smooth when it comes to excluding new versions of packages with security releases, such as the new Next.js versions fixing the CVE-2025-66478 vulnerability, which required at least this config (maybe more):

# Prevents installation of packages newer than 7 days
# to mitigate supply chain risks
# - https://pnpm.io/settings#minimumreleaseage
minimumReleaseAge: 10080

minimumReleaseAgeExclude:
  # https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
  - next@15.5.7
  - '@next/env@15.5.7'
  - '@next/swc-darwin-arm64@15.5.7'
  - '@next/swc-linux-x64-gnu@15.5.7'
  - '@next/swc-linux-x64-musl@15.5.7'

It would be great to improve the DX of upgrading to security fix versions which are newer than the minimumReleaseAge config.

Some alternative solutions (none of them fixing the entire problem) would be:

1. Make it possible to exclude all transitive dependencies of a package with new minimumReleaseAgeExclude syntax, such as - withTransitives: next@15.5.7 minimumReleaseAgeExclude: withTransitives option #10488
2. Make the DX better for adding to minimumReleaseAgeExclude config pnpm config set for array and object values #10015
3. Make bots like Renovate also edit minimumReleaseAgeExclude for users feat(pnpm): add minimumReleaseAgeExclude for security updates renovatebot/renovate#39168, originally from Configure pnpm `minimumReleaseAgeExclude` with exact versions for security updates renovatebot/renovate#38766

cc @zkochan

[zkochan]

minimumReleaseAgeExclude would only be a safe recommendation if you could exclude a specific version.

You can exclude exact versions as you can see in the message from karlhorky.

I honestly don't see the problem. Yes, it is inconvenient to list all those exclude rules but if you actually take the time to investigate how serious the reported vulnerability is and whether your project/application is affected by it, then adding the actual exclude rules is a fraction of the time you spend. Also, if you find out that the vulnerability is not a problem in your case, then you can ignore it with the settings that pnpm provides.

[tats-u]

  - '@next/swc-darwin-arm64@15.5.7'
  - '@next/swc-linux-x64-gnu@15.5.7'
  - '@next/swc-linux-x64-musl@15.5.7'

You forgot at least packages targeted at x64 and ARM64 Windows and ARM64 Linux. It is a problem that such a exclude list cannot cover all potential development/testing environments.

[zkochan]

You forgot at least packages targeted at x64 and ARM64 Windows and ARM64 Linux. It is a problem that such a exclude list cannot cover all potential development/testing environments.

That's probably related to this: #10289

[karlhorky]

You forgot at least packages targeted at x64 and ARM64 Windows and ARM64 Linux

Indeed, this is the bumpy part of the minimumReleaseAgeExclude setting - having to try installs out on every possible environment and then see if there are any newer transitive dependencies which need to also be excluded.

---

Also, pnpm doesn't raise an error for packages in optionalDependencies which are newer than the minimumReleaseAge (in my experience during the upgrade to next@15.5.7, these packages were just removed from the lockfile). Then later, the omission of these from the lockfile causes unusual / broken behavior on different environments.

Edit: Oh, thanks @zkochan, I didn't see that issue + PR, that's the behavior I was describing with the "Also ..." paragraph above 👍 :

• minimumReleaseAge silently dropping optionalDependencies not passing the age criteria #10270
• fix: don't silently skip an optional dependency if it cannot be resolved from a mature version #10289

It doesn't completely remove the bumpy experience, but adding the error message is a good start to avoid the problem that happened for me!

[tom-sherman]

I agree that minimumReleaseAge can be a bit of a headache for recently released security patches but adding additional constraints (or in the case of this suggested fix, loosening a constraint) is not the solution. The beauty of minimumReleaseAge is in it's simplicity, adding more complex rules reduces it's utility, and therefore it's security, dramatically.

All that to say that do see the value in a policy that takes into account GitHub advisories, but this should be added in a separate, new strategy and not overloaded onto minimumReleaseAge.

[tats-u]

That current error messages that keep popping up over and over when pnpm up/pnpm i are just like the boy who cried wolf. Users will eventually give up investigating into offending packages and immediately add them to minimulReleaseAgeExclude without a doubt.

[zkochan]

We can have a "minimumReleaseAgeLoose" setting, which would allow to pick a version that doesn't satisfy the maturity requirement if none of the "mature" versions satisfy the range.