
New command for recursively listing security violations #10489

@karlhorky

Description


Describe the user story

  1. Project configures minimumReleaseAge: 10080 (7 days)

  2. New critical security fix of Next.js appears which is newer than 7 days

  3. User attempts to upgrade to new Next.js version

  4. ERR_PNPM_NO_MATURE_MATCHING_VERSION error appears for a package not yet added to minimumReleaseAgeExclude (starting with next, continuing on with @next/env, @next/swc-darwin-arm64, etc), eg:

    $ pnpm add next@15.5.9
     ERR_PNPM_NO_MATURE_MATCHING_VERSION  No matching version found for next@15.5.9 published by Tue Jan 13 2026 10:38:05 GMT+0100 (Central European Standard Time) while fetching it from https://registry.npmjs.org/. Version 3.8.0 satisfies the specs but was released at Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
    
    This error happened while installing a direct dependency of /Users/k/p/project
    
    The latest release of next is "15.5.9". Published at 1/15/2026
    
    Other releases are:
      ...
    
    If you need the full list of all ... published versions run "$ pnpm view next versions".
    
    If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude
  5. User attempts to edit pnpm-workspace.yaml to configure minimumReleaseAgeExclude with the package mentioned, such as:
    pnpm-workspace.yaml

    minimumReleaseAgeExclude:
      - next@15.5.9
  6. User attempts to run pnpm install again, but another error occurs - loop back up to step 3 again, over and over 💥 until all of the packages have been added to minimumReleaseAgeExclude, as shown below

The final list of packages I needed to configure for Next.js 15.5.9:

minimumReleaseAgeExclude:
  # - https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
  # - https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
  # - https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
  # - https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4
  - next@15.5.9
  - '@next/env@15.5.9'
  - '@next/mdx@15.5.9'
  - '@next/swc-darwin-arm64@15.5.9'
  - '@next/swc-darwin-x64@15.5.9'
  - '@next/swc-linux-arm64-gnu@15.5.9'
  - '@next/swc-linux-arm64-musl@15.5.9'
  - '@next/swc-linux-x64-gnu@15.5.9'
  - '@next/swc-linux-x64-musl@15.5.9'
  - '@next/swc-win32-arm64-msvc@15.5.9'
  - '@next/swc-win32-x64-msvc@15.5.9'

Describe the solution you'd like

A new security command listing all of the security violations of a package and its dependencies. Its --policy flag would accept policies such as minimumReleaseAge, trustPolicy: 'no-downgrade', etc.:

$ pnpm violations next@15.5.9 --policy minimumReleaseAge --depth Infinity
Violations for policy minimumReleaseAge: Packages not published by Tue Jan 13 2026 10:38:05 GMT+0100 (Central European Standard Time)

  - next@15.5.9 # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/env@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/mdx@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-darwin-arm64@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-darwin-x64@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-linux-arm64-gnu@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-linux-arm64-musl@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-linux-x64-gnu@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-linux-x64-musl@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-win32-arm64-msvc@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
  - '@next/swc-win32-x64-msvc@15.5.9' # Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)

This output could be copied into the minimumReleaseAgeExclude config.

Or the command could extend pnpm audit, or be named pnpm audit-package:

pnpm audit next@15.5.9 --policy minimumReleaseAge --depth Infinity
# or
pnpm audit-package next@15.5.9 --policy minimumReleaseAge --depth Infinity

Describe the drawbacks of your solution

Maybe maintenance effort over time?

Describe alternatives you've considered

  1. minimumReleaseAgeExclude: withTransitives option #10488
  2. pnpm config set 'minimumReleaseAgeExclude[]' next --depth Infinity --location project - first requires pnpm config set to support non-primitives

cc @tats-u
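A sketch of what such a command would have to do, as an added example that is not pnpm's code and not part of the issue above: walk the dependency graph of a package from registry metadata (including optionalDependencies, where the @next/swc-* platform binaries live), find every package@version that minimumReleaseAge would block, and print the result in the shape minimumReleaseAgeExclude expects. The registry packuments, publish dates and dependency lists are constructed for the example, the resolver only understands exact versions and caret ranges, and the rule "pick the newest matching version that is old enough, fail only when every match is too new" is my reading of the setting rather than pnpm's implementation.

```javascript
// Added example (not pnpm's own code): report the package@version pairs a
// minimumReleaseAge policy would reject across a dependency graph, and emit
// them as minimumReleaseAgeExclude entries. All registry data below is
// constructed for this illustration.

// Stand-in for the packuments served at https://registry.npmjs.org/<name>;
// only the "versions" and "time" fields the walk needs are modelled.
const NEXT_TIMES = { '15.5.9': '2026-01-14T23:56:17.000Z' }; // constructed date
const sidecar = { versions: { '15.5.9': {} }, time: NEXT_TIMES };

const FAKE_REGISTRY = {
  next: {
    versions: {
      '15.5.9': {
        dependencies: { '@next/env': '15.5.9', postcss: '^8.4.31' },
        optionalDependencies: { '@next/swc-darwin-arm64': '15.5.9', '@next/swc-linux-x64-gnu': '15.5.9' },
      },
    },
    time: NEXT_TIMES,
  },
  '@next/env': sidecar,
  '@next/swc-darwin-arm64': sidecar,
  '@next/swc-linux-x64-gnu': sidecar,
  postcss: {
    versions: { '8.4.31': {}, '8.5.6': {} },
    time: { '8.4.31': '2023-10-09T00:00:00.000Z', '8.5.6': '2026-01-16T00:00:00.000Z' }, // constructed
  },
};

const STABLE = /^\d+\.\d+\.\d+$/; // this toy resolver ignores pre-releases

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Toy resolver: exact versions and caret ranges only (pnpm uses full semver).
// Returns the matching versions, oldest first.
function matchingVersions(spec, available) {
  if (!spec.startsWith('^')) return available.filter((v) => v === spec);
  const min = spec.slice(1);
  const major = Number(min.split('.')[0]);
  return available
    .filter((v) => Number(v.split('.')[0]) === major && compareVersions(v, min) >= 0)
    .sort(compareVersions);
}

// Assumed policy semantics: prefer the newest matching version published
// before the cutoff; only when every match is too new is the package blocked.
function findReleaseAgeViolations({ name, spec, minimumReleaseAgeMinutes, now, getPackument }) {
  const cutoff = new Date(now.getTime() - minimumReleaseAgeMinutes * 60000);
  const seen = new Set();
  const violations = [];

  function walk(pkgName, pkgSpec) {
    const packument = getPackument(pkgName);
    if (!packument) throw new Error(`no registry metadata for ${pkgName}`);
    const stable = Object.keys(packument.versions).filter((v) => STABLE.test(v));
    const candidates = matchingVersions(pkgSpec, stable);
    if (candidates.length === 0) throw new Error(`no version of ${pkgName} matches ${pkgSpec}`);
    const publishedAt = (v) => new Date(packument.time[v]);
    const mature = candidates.filter((v) => publishedAt(v) <= cutoff);
    const version = mature.length ? mature[mature.length - 1] : candidates[candidates.length - 1];
    const id = `${pkgName}@${version}`;
    if (seen.has(id)) return;
    seen.add(id);
    if (mature.length === 0) violations.push({ name: pkgName, version, publishedAt: publishedAt(version).toISOString() });
    const manifest = packument.versions[version];
    // optionalDependencies matter: the per-platform @next/swc-* packages live there.
    for (const deps of [manifest.dependencies, manifest.optionalDependencies]) {
      for (const [depName, depSpec] of Object.entries(deps || {})) walk(depName, depSpec);
    }
  }

  walk(name, spec);
  return violations;
}

// Scoped names start with '@', which YAML reserves, so they need quoting.
function toExcludeYaml(violations) {
  const items = violations.map(({ name, version }) => {
    const id = `${name}@${version}`;
    return `  - ${id.startsWith('@') ? `'${id}'` : id}`;
  });
  return ['minimumReleaseAgeExclude:', ...items].join('\n');
}

function runExample() {
  const violations = findReleaseAgeViolations({
    name: 'next',
    spec: '15.5.9',
    minimumReleaseAgeMinutes: 10080, // 7 days, as in the user story
    now: new Date('2026-01-20T09:38:05.000Z'), // constructed "current time"
    getPackument: (pkgName) => FAKE_REGISTRY[pkgName],
  });
  return { violations, yaml: toExcludeYaml(violations) };
}

console.log(runExample().yaml);
```

With these constructed inputs, postcss is not listed: its range ^8.4.31 still has a mature match (8.4.31), so only the exactly pinned next and @next/* packages end up in the exclude list, which is the loop the user story walks through by hand.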
