`minimumReleaseAge` not enforced when dependency already exists in lockfile

[SecretX33]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Describe the Bug

The minimumReleaseAge configuration option is not enforced when running pnpm install (or its variants with --fix-lockfile, --frozen-lockfile, --lockfile-only) if the lockfile already contains a dependency version that violates the constraint. This means that once a violating version is present in pnpm-lock.yaml, pnpm allows installation to proceed without validation, effectively bypassing the minimumReleaseAge protection.

This behavior is inconsistent with other security-related flags like strictDepBuilds, which validates configuration constraints regardless of whether dependencies existed in the lockfile before the flag was enabled.

Reproduction steps

I conducted tests to see in what scenarios pnpm didn't behave as expected, and their reproduction steps are outlined in their respective test scenario.

Test Environment

OS: Windows 11 (version 25H2 build 26200.7462)
pnpm version: 10.27.0
Test package: zod

• Version 4.3.4: Older than minimumReleaseAge ✅
• Version 4.3.5: Newer than minimumReleaseAge ❌

Configuration:

minimumReleaseAge: 10080 # 7 days in minutes

Table summarizing test cases and results

Test Case	Scenario	Command	Lockfile Exists (zod version installed)	Respects minimumReleaseAge
1a	Fresh install of violating version	pnpm add zod@4.3.5	No	✅ (blocked)
1b	Fresh install of violating version	pnpm add zod@4.3.5	Yes (none)	✅ (blocked)
2	Reinstalling exiting violating version	pnpm add zod@4.3.5	Yes (4.3.5)	❌
3	Upgrade to latest (violating)	pnpm add zod@latest	Yes (4.3.4)	✅ (blocked)
4	Upgrade to specific violating version	pnpm add zod@4.3.5	Yes (4.3.4)	✅ (blocked)
5a	Manual package.json edit	pnpm install	Yes (4.3.4)	✅ (blocked)
5b	Manual package.json edit	pnpm install --fix-lockfile	Yes (4.3.4)	✅ (blocked)
5c	Manual package.json edit	pnpm install --frozen-lockfile	Yes (4.3.4)	✅ (blocked)
5d	Manual package.json edit	pnpm install --lockfile-only	Yes (4.3.4)	✅ (blocked)
6a	Lockfile already contains violating version	pnpm install	Yes (4.3.5)	❌
6b	Lockfile already contains violating version	pnpm install --fix-lockfile	Yes (4.3.5)	❌
6c	Lockfile already contains violating version	pnpm install --frozen-lockfile	Yes (4.3.5)	❌
6d	Lockfile already contains violating version	pnpm install --lockfile-only	Yes (4.3.5)	❌

Legend

• ✅ = Works as expected, command respects minimumReleaseAge
• ❌ = Bug, command does not respect minimumReleaseAge

Test scenarios

Click to expand

The library I'm testing with is zod, where the version 4.3.4 is older than the configured minimumReleaseAge, and version 4.3.5 is newer than the configured minimumReleaseAge and thus is invalid.

Test scenario 1: dependency doesn't exist in lockfile, and I try to install a version that violates the minimumReleaseAge

• I run pnpm add zod@4.3.5
• The command fails with Version 4.3.5 (released 6 days ago) of zod does not meet the minimumReleaseAge constraint ✅

Test scenario 2: dependency exists in lockfile (4.3.5), and I try to reinstall the same version that violates the minimumReleaseAge

• zod@4.3.5 is already installed (present in pnpm-lock.yaml)
• I try to reinstall the same zod version 4.3.5 using pnpm add zod@4.3.5
• The command completes successfully, and zod@4.3.5 remains installed ❌

Test scenario 3: dependency exists in lockfile, and I try to upgrade it to the latest version (would violate the minimumReleaseAge)

• zod@4.3.4 is already installed (present in pnpm-lock.yaml)
• I try to upgrade zod to version 4.3.5 using pnpm add zod@latest
• zod version does not get upgraded, because 4.3.5 is newer than the configured minimumReleaseAge ✅

Test scenario 4: dependency exists in lockfile (4.3.4), and I try to upgrade it to a version that violates the minimumReleaseAge

• zod@4.3.4 is already installed (present in pnpm-lock.yaml)
• I try to upgrade zod to version 4.3.5 using pnpm add zod@4.3.5
• The command fails with Version 4.3.5 (released 6 days ago) of zod does not meet the minimumReleaseAge constraint ✅

Test scenario 5: dependency exists in lockfile, and I try to upgrade it to a version that violates the minimumReleaseAge

• zod@4.3.4 is already installed (present in pnpm-lock.yaml)
• I try to upgrade zod to version 4.3.5 by manually editing package.json, and then run:
  • pnpm install: correctly fails with Version 4.3.5 (released 6 days ago) of zod does not meet the minimumReleaseAge constraint ✅
  • pnpm install --fix-lockfile: correctly fails with Version 4.3.5 (released 6 days ago) of zod does not meet the minimumReleaseAge constraint ✅
  • pnpm install --frozen-lockfile: correctly fails with ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>\package.json ✅
  • pnpm install --lockfile-only: correctly fails with Version 4.3.5 (released 6 days ago) of zod does not meet the minimumReleaseAge constraint ✅

Test scenario 6: run pmpn install where the lockfile has a version that violates minimumReleaseAge

• Temporarily remove minimumReleaseAge from pnpm-workspace.yaml
• Install a version that violates the minimumReleaseAge using pnpm add zod@4.3.5
• Re-add minimumReleaseAge to pnpm-workspace.yaml and then run:
  • pnpm install: gladly completes even though there's a version that violates minimumReleaseAge ❌
  • pnpm install --fix-lockfile: gladly completes even though there's a version that violates minimumReleaseAge ❌
  • pnpm install --frozen-lockfile: gladly completes even though there's a version that violates minimumReleaseAge ❌
  • pnpm install --lockfile-only: gladly completes even though there's a version that violates minimumReleaseAge ❌

Expected Behavior

I believe the minimumReleaseAge constraint should be validated during all install operations, including when dependencies already exist in the lockfile. Specifically:

• pnpm add should fail with an error when trying to add a version that violates minimumReleaseAge, regardless of whether the lockfile already contains that specific version or not
• pnpm install should fail with an error when the lockfile contains versions that violate minimumReleaseAge
• pnpm install --fix-lockfile should fail with an error when the lockfile contains versions that violate minimumReleaseAge
• pnpm install --frozen-lockfile should fail with an error when the lockfile contains versions that violate minimumReleaseAge
• pnpm install --lockfile-only should fail with an error when the lockfile contains versions that violate minimumReleaseAge

This would ensure consistent security posture and prevent scenarios where teams enable minimumReleaseAge but continue using recently-released (and potentially vulnerable) versions that were installed before the constraint was added.

Motivation for Fixing the Bug

This is a very frequent scenario for folks migrating to pnpm from other package managers - this is exactly what happened with my at the company I work for, we migrated from yarn to pnpm and a few days later we learned about pnpm's security measures against supply chain attacks, so we enabled all the options including minimumReleaseAge right away to enhance our security.

However, since our pnpm-lock.yaml already contained some dependencies that violated the minimumReleaseAge, we were effectively not protected by this configuration after enabling it until we accidentally changed zod version in one of our projects, then found out about this bug.

Conclusion

Fixing this bug would ensure that teams adopting pnpm can immediately benefit from the security features without worrying about existing lockfile entries bypassing the intended protections. I would personally love to get immediate feedback after enabling minimumReleaseAge that some of our dependencies are too new, so we can take action to remediate the issue right away - and not what pnpm is doing right now, which is to silently allow the installation of violating versions if they already exist in the lockfile.

AI analysis

I took the initiative and ran an AI analysis (using Claude Opus 4.5) on the issue description to see if it could provide any additional insights.

Here is the its analysis results, and feel free to disregard it entirely if you find it unhelpful: MINIMUM_RELEASE_AGE_BUG_ANALYSIS.md

Which Node.js version are you using?

22.21.1

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

[SuperP4rks]

I think this is linked #10361

[Netail]

I gotta disagree.

Let's say we have minimumReleaseAge on 12 hours and want to patch a dependency with a critical vulnerability (CVE lvl 10 - Like next.js recently). We try to install the package 30 min after release, so we will be hit with the minimumReleaseAge. In that case we comment the minimumReleaseAge out, install dependencies, so it's in package-lock, then we uncomment the minimumReleaseAge again and push the changes. If more people are working on the branch, they will not be bothered by the minimumReleaseAge error.

Else you might get ±10 people complaining on not being able to install dependencies as they are thrown with an error (Not everyone is aware of the setting)

[SecretX33]

@Netail there's a configuration specifically for this scenario called minimumReleaseAgeExclude, which looks like this:

minimumReleaseAge: 1440
minimumReleaseAgeExclude:
- next       # the 'next' package
- '*react*'  # anything that contains 'react'
- 'some-lib@1.2.3'  # allows ONLY version 1.2.3 to bypass `minimumReleaseAge`

Instead of relying on "tricks" such as the one you mentioned to get your package installed in the version you want, you can explicitly mark the packages you want as "I trust this package and I want to be able to install its updates as soon as they are released". Adding a package to this list is as fast as "commenting out minimumReleaseAge temporarily" solution you proposed, but it's a much better solution IMO.

We could include in the scope of this Issue to add an explicit mention of the minimumReleaseAgeExclude as an option to bypass minimumReleaseAge in its error message to improve people's awareness of this setting.

As far as I see, minimumReleaseAge is meant to be another layer of safety. If we allow minimumReleaseAge to be bypassed by simply commenting it out (even if temporarily) and not enforcing it once it's enabled back, what's the point of having it in the first place?

[Netail]

That's true, but that also feels like a trick, to temporarily add a package there. As we prefer to only exclude internal packages, as all packages from outside should all be considered as a risk. The supply chain attacks were also on famous packages

[ryo-manba]

This seems to be by design.

In #8889, @zkochan explained:

If you have an already up to date lockfile, pnpm skips resolution, so this check is skipped.

See: #8889 (comment)

Workarounds are:

• pnpm install --resolution-only
• Or remove pnpm-lock.yaml, node_module and reinstall

[SecretX33]

This seems to be by design.

In #8889, @zkochan explained:

If you have an already up to date lockfile, pnpm skips resolution, so this check is skipped.

See: #8889 (comment)

Hmm, even if it's by design, I’m not convinced the design is sound.

On my machine, both pnpm install and pnpm install --resolution-only take roughly the same amount of time, about ~1.2s, in a repository where all dependencies are already installed and up to date.

This can mean one of two things:

1. pnpm install is skipping the resolution step, but doing so does not result in any meaningful time savings. In that case, I would argue it would make more sense not to skip resolution, since running it helps catch issues with packages (such as the issue reported in this Issue).

2. pnpm install is skipping the resolution step and saving up to ~1.2s. However, that does not seem like a significant gain when compared to the safety always running resolution and ensuring that all dependencies - installed or otherwise - comply with the restrictions defined in pnpm-workspace.yaml (like minimumReleaseAge, trustPolicy, etc).

I also looked at the source code. If I read it correctly, if pnpm install were to run resolution and then follow the non-frozen linkPackages path, some of the data computed in one part could be reused into the other, which means that running full resolution step on pnpm install would result in it taking at most the time of the two combined, which would be 2.4s, which is still negligible IMO given the benefits.

Even if the maintainers don't want to do it this way, I'd argue that at least an option could be added to allow the users to make this choice: do they want to save up to 1.2s on their pnpm install, or do they want safety at all times?

[gsouf]

that's a huge security flaw. We were trusting pnpm to check for us the min-age, exotic sub-deps, etc.. until we realized that it's not the case if it already exist in the lockfile and you're simply installing.

I agree that the design is not sound.

We're basically left with no security enforcement.

---

Example:

A developer is annoyed with these guidelines. They disable it locally. They install a new package, it goes to the lockfile. They commit the lockfile, open a PR.

We review the PR, we trust pnpm to catch in CI if something is wrong, but it does not. BOOM you're infected with a malware in your CI, or in production.

---

I believe that at the very minimum pnpm install --frozen-lockfile should run all checks by default, otherwise many people will get caught by the design decision.

[theoludwig]

Yes, and it's even more important today, in this sad era of supply chain attacks: TanStack/router#7383

pnpm should help protecting us, minimumReleaseAge is a good idea for it, so let's enforce it for everything, there should be no way to skip it, unless explicitly set in pnpm-workspace.yaml, consciously by the user (or by their team, in case it's already in git/in the config).