test(outdated): add regression test for minimumReleaseAge

[timhaines]

Adds a regression test for #11698. The underlying fix already shipped as part of #11705 (which removed strictPublishedByCheck entirely and routed maturity decisions through policyViolation), so this PR now lands only the dedicated test that locks in the behavior.

What the test covers

deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts:

• Baseline — without an age policy, pnpm outdated reports is-negative@2.1.0 as an available upgrade (sanity check that the fixture actually has outdated deps).
• Regression — with minimumReleaseAge set to a cutoff so far in the past that every published version is immature, pnpm outdated reports nothing: exitCode === 0 and 2.1.0 does not appear. Before feat: tighten minimumReleaseAge — auto-exclude, lockfile verification, and interactive prompt #11705 this test went red because the non-strict resolver fallback re-picked the immature latest ignoring publishedBy.

The allImmatureMinimumReleaseAge = Date.now() / (60 * 1000) trick (cutoff = epoch in minutes) is date-independent and matches the technique already used in the install-side minimumReleaseAge suite.

Why a test-only PR

The original PR proposed flipping strictPublishedByCheck in createManifestGetter, but #11705 deleted that option entirely and replaced it with an always-defer model (policyViolation flows through ResolveResult → getManifest returns null on MINIMUM_RELEASE_AGE_VIOLATION). The test was the durable contribution; preserving it as a regression gate is worth keeping.

---

Written by an agent (Claude Code, claude-opus-4-7).

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a Jest test module validating that pnpm outdated respects the minimumReleaseAge configuration. The test creates a fixture-based setup, then exercises the outdated handler twice: once without the age setting (confirming an available upgrade is reported) and once with an all-immature cutoff (confirming the immature version is excluded from the output).

Changes

Outdated Maturity Age Test Coverage

Layer / File(s)	Summary
Test setup, baseline case, and regression validation deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts	Test fixture configuration and handler options are defined. loadHasOutdatedDeps() helper and allImmatureMinimumReleaseAge constant prepare the test environment. Baseline test validates that outdated reports upgrades without minimumReleaseAge. Regression test validates that upgrades are not reported when minimumReleaseAge is set with a far-past cutoff, confirming immature versions are filtered.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• pnpm/pnpm#11436: Updates how minimumReleaseAgeStrict is derived when minimumReleaseAge is explicitly set, directly affecting the conditions under which this test validates behavior.

• pnpm/pnpm#11664: Modifies createManifestGetter to compute publishedBy from minimumReleaseAge policy, which is the underlying code change that this test validates.

Suggested labels

area: supply chain security

Suggested reviewers

• zkochan

Poem

🐰 A test hopped into the repo today,
To check that versions old enough will stay—
No rushing fresh ones that break the rules,
minimumReleaseAge keeps the tools,
Security and patience, combined at last! 🌙

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR implements the exact fix proposed in #11698: setting strictPublishedByCheck to Boolean(opts.minimumReleaseAge) to unconditionally respect minimumReleaseAge in outdated reports, with tests validating both baseline and regression scenarios.
Out of Scope Changes check	✅ Passed	The changes are narrowly scoped: only adding a test file for the minimumReleaseAge behavior in outdated command, directly addressing the issue without introducing unrelated modifications.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: adding a regression test for the minimumReleaseAge feature in the outdated command.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[timhaines]

@zkochan treat this more as a solid repro with the test if you want. Feel welcome to close the PR and reimplement it rather than talk me through making it perfect (assuming the issue itself is valid).

[coderabbitai]

🧹 Nitpick comments (1)

deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts (1)

74-86: ⚡ Quick win

Consider asserting exitCode for more complete validation.

Since allImmatureMinimumReleaseAge makes every version immature, the expected behavior is that outdated finds no upgradeable packages at all. The test currently only verifies that 2.1.0 doesn't appear, but adding an assertion that exitCode is 0 would confirm the complete intended behavior: no outdated packages reported when all versions are within the maturity window.

🧪 Suggested enhancement

 test('pnpm outdated honors minimumReleaseAge: immature newer versions are not offered', async () => {
   loadHasOutdatedDeps()
 
-  const { output } = await outdated.handler({
+  const { output, exitCode } = await outdated.handler({
     ...OUTDATED_OPTIONS,
     dir: process.cwd(),
     minimumReleaseAge: allImmatureMinimumReleaseAge,
   })
 
   // 2.1.0 is far newer than the (epoch) cutoff, so a correct age filter must
   // not present it as an available upgrade.
   expect(stripAnsi(output)).not.toContain('2.1.0')
+  // With all versions immature, no packages should be reported as outdated.
+  expect(exitCode).toBe(0)
 })

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts` around
lines 74 - 86, The test "pnpm outdated honors minimumReleaseAge: immature newer
versions are not offered" currently only asserts that '2.1.0' is not in output;
update the assertion to also verify the handler returned a successful exit by
asserting the returned result's exitCode is 0 (the call to outdated.handler that
spreads OUTDATED_OPTIONS with dir/process.cwd() and minimumReleaseAge:
allImmatureMinimumReleaseAge returns { output, exitCode }). Add an assertion
like expect(exitCode).toBe(0) after the call to ensure no upgradeable packages
were reported.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts`:
- Around line 74-86: The test "pnpm outdated honors minimumReleaseAge: immature
newer versions are not offered" currently only asserts that '2.1.0' is not in
output; update the assertion to also verify the handler returned a successful
exit by asserting the returned result's exitCode is 0 (the call to
outdated.handler that spreads OUTDATED_OPTIONS with dir/process.cwd() and
minimumReleaseAge: allImmatureMinimumReleaseAge returns { output, exitCode }).
Add an assertion like expect(exitCode).toBe(0) after the call to ensure no
upgradeable packages were reported.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c3244fd2-27f6-47a0-ac1b-64659cbb0f2d

📥 Commits

Reviewing files that changed from the base of the PR and between 3ddde2b and 3851b4f.

📒 Files selected for processing (3)

• .changeset/outdated-minimum-release-age-strict.md
• deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts
• deps/inspection/outdated/src/createManifestGetter.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Use Standard Style with modifications: trailing commas are used, functions are preferred over classes, functions are declared after they are used (hoisting is relied upon).
Functions should have no more than two or three arguments. If a function needs more parameters, use a single options object instead.
Maintain import order: (1) Standard libraries, (2) External dependencies (sorted alphabetically), (3) Relative imports.

Files:

• deps/inspection/outdated/src/createManifestGetter.ts
• deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts

**/*.test.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use instanceof Error for error type checking in Jest tests. Use util.types.isNativeError() instead, as Jest runs tests in a VM context where instanceof checks can fail across realms.

Files:

• deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts

🧠 Learnings (1)

📚 Learning: 2026-05-14T09:04:00.133Z

Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.

Applied to files:

• deps/inspection/outdated/src/createManifestGetter.ts
• deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts

🔇 Additional comments (4)

deps/inspection/outdated/src/createManifestGetter.ts (1)

32-39: LGTM!

deps/inspection/commands/test/outdated/minimumReleaseAge.test.ts (2)

1-32: LGTM!

---

34-45: LGTM!

.changeset/outdated-minimum-release-age-strict.md (1)

1-8: LGTM!

[welcome]

Congrats on merging your first pull request! 🎉🎉🎉