minimumReleaseAgeExclude: `withTransitives` option

[karlhorky]

Contribution

• I'd be willing to implement this feature (contributing guide)

Describe the user story

1. Project configures minimumReleaseAge: 10080 (7 days)

2. New critical security fix of Next.js appears which is newer than 7 days

3. User attempts to upgrade to new Next.js version

4. ERR_PNPM_NO_MATURE_MATCHING_VERSION error appears for a package not yet added to minimumReleaseAgeExclude (starting with next, continuing on with @next/env, @next/swc-darwin-arm64, etc), eg:

   $ pnpm add next@15.5.9
    ERR_PNPM_NO_MATURE_MATCHING_VERSION  No matching version found for next@15.5.9 published by Tue Jan 13 2026 10:38:05 GMT+0100 (Central European Standard Time) while fetching it from https://registry.npmjs.org/. Version 3.8.0 satisfies the specs but was released at Thu Jan 15 2026 00:56:17 GMT+0100 (Central European Standard Time)
   
   This error happened while installing a direct dependency of /Users/k/p/project
   
   The latest release of next is "15.5.9". Published at 1/15/2026
   
   Other releases are:
     ...
   
   If you need the full list of all ... published versions run "$ pnpm view next versions".
   
   If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude

5. User attempts to edit pnpm-workspace.yaml to configure minimumReleaseAgeExclude with the package mentioned, such as:
   pnpm-workspace.yaml

   minimumReleaseAgeExclude:
     - next@15.5.9

6. User attempts to run pnpm install again, but another error occurs - loop back up to step 3 again, over and over 💥 until all of the packages have been added to minimumReleaseAgeExclude, as shown below

The final list of packages I needed to configure for Next.js 15.5.9:

minimumReleaseAgeExclude:
  # - https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
  # - https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
  # - https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
  # - https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4
  - next@15.5.9
  - '@next/env@15.5.9'
  - '@next/mdx@15.5.9'
  - '@next/swc-darwin-arm64@15.5.9'
  - '@next/swc-darwin-x64@15.5.9'
  - '@next/swc-linux-arm64-gnu@15.5.9'
  - '@next/swc-linux-arm64-musl@15.5.9'
  - '@next/swc-linux-x64-gnu@15.5.9'
  - '@next/swc-linux-x64-musl@15.5.9'
  - '@next/swc-win32-arm64-msvc@15.5.9'
  - '@next/swc-win32-x64-msvc@15.5.9'

Describe the solution you'd like

Allow specifying withTransitives for entries to minimumReleaseAgeExclude, to also exclude transitive dependencies coming from dependencies of a particular version of a package:

minimumReleaseAgeExclude:
  - withTransitives: next@15.5.9

In many cases, if a user adds next@16.2.4 to minimumReleaseAgeExclude, that means that they implicitly trust it. That trust could be propagated to all transitive dependencies too with this withTransitives option.

Prior art

The propagation of trust is similar to the Content-Security-Policy strict-dynamic source expression, which specifies:

the trust explicitly given to a script present in the markup ... shall be propagated to all the scripts loaded by that root script

Describe the drawbacks of your solution

Performance: I'm not sure, but maybe this is expensive?

Describe alternatives you've considered

1. pnpm config set 'minimiumReleaseAgeExclude[]' next --depth Infinity --location project - first requires pnpm config set to support non-primitives
2. pnpm violations next@15.5.9 --policy minimumReleaseAge --depth Infinity New command for recursively listing security violations #10489

cc @tats-u

[tats-u]

We might as well allow a glob in the name of a package within a namespace:

  - '@next/swc-*@15.5.9'

  - 'remark-*@1.2.3' # NO! Everyone can publish packages whose names start wtih "remark-"!

[karlhorky]

That's a nice addition!

I think still having the option to specify that all transitives should be excluded is also helpful though.

[zkochan]

Fixed via #11234

[karlhorky]

@zkochan how does it fix this issue?

The problem:

1. Project does not want a loose mode
2. Next.js new security release appears, which should be installed immediately using minimumReleaseAgeExclude
3. minimumReleaseAgeExclude is configured for next
4. pnpm fails recursively in a loop until all transitive dependencies are discovered and added to minimumReleaseAgeExclude 💥

I can't see how PR #11234 will allow projects to stay strict but avoid the loop

[zkochan]

I don't understand. Can you explain how possibly loose mode is dangerous? It only ignores the minimumReleaseAge requirement if no version satisfies the range. Realistically you can only get such range from a package that you allowed via minimumReleaseAgeExclude. If you really want to be stricter, maybe you should use something like sfw.

[karlhorky]

Can you explain how possibly loose mode is dangerous?

From the description in PR #11234, it sounds like minimumReleaseAgeStrict: false (default) is dangerous:

• When false (default), pnpm falls back to versions that don't meet the minimumReleaseAge constraint if no mature versions satisfy the range being resolved
• Set to true to preserve the previous strict behavior (error when no mature version matches)

For example, given the following minor version bump from next@16.2.2 to next@16.2.3 (using pinned dependencies - this change may even possibly be automated using Renovate or Dependabot or similar), there is no error protecting against the new 16.2.3 version being installed before the 7 day minimumReleaseAge:

pnpm-workspace.yaml

minimumReleaseAge: 10080
minimumReleaseAgeStrict: false # default

package.json diff (change may be automated using Renovate, Dependabot, etc)

-  "next": "16.2.2", // released 12 days ago
+  "next": "16.2.3", // released 4 days ago

This will not error, right? Or have I misread the PR description?

So for teams using pinned dependencies with automated version updates, minimumReleaseAgeStrict: false would actually make minimumReleaseAge useless.

---

To be clear, this issue #10488 proposes to keep the error for next@16.2.3 and that teams wanting strictness should add this minimal config - the strictness and the minimal config is desirable ✅

minimumReleaseAgeExclude:
  # - https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3
  - next@16.2.3

The point is, requiring users to loop over running pnpm install multiple times to identify each and every newer transitive dependency to write the complicated config lines below is time consuming and annoying ❌

minimumReleaseAgeExclude:
  # - https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3
  - next@16.2.3
  - '@next/env@16.2.3'
  - '@next/swc-darwin-arm64@16.2.3'
  - '@next/swc-darwin-x64@16.2.3'
  - '@next/swc-linux-arm64-gnu@16.2.3'
  - '@next/swc-linux-arm64-musl@16.2.3'
  - '@next/swc-linux-x64-gnu@16.2.3'
  - '@next/swc-linux-x64-musl@16.2.3'
  - '@next/swc-win32-arm64-msvc@16.2.3'
  - '@next/swc-win32-x64-msvc@16.2.3'

It also blocks Renovate and other automation from excluding all of those transitive dependencies in their security update PRs (which then requires manual work from maintainers to identify all of the transitive dependencies and add those complicated config lines):

• feat(pnpm): update minimumReleaseAgeExclude for security updates renovatebot/renovate#40020 (comment)
• Failing automated security update PR (even though Renovate configured minimumReleaseAgeExclude[]: next@16.2.3): fix(deps): update dependency next to v16.2.3 [security] upleveled/next-portfolio-dev#172

Proposals from this issue

That's why I'm proposing something like this withTransitives flag in this issue #10488, which would exclude all transitive dependencies of next from the release age check, but retain strict checks for the other dependencies and transitive dependencies:

minimumReleaseAgeExclude:
  # Exclude next@16.2.3 and any transitive deps of next@16.2.3 newer than `minimumReleaseAge` (skip the error)
  - withTransitives: next@16.2.3

It is like minimumReleaseAgeStrict: false, but exclusively for the transitive dependencies of explicitly-configured packages. Errors are skipped and non-mature packages installed, but ONLY for the transitives of next@16.2.3.

With your new terminology in PR #11234, maybe a better name would be looseTransitives:

minimumReleaseAgeExclude:
  # Exclude next@16.2.3 and any transitive deps of next@16.2.3 newer than `minimumReleaseAge` (skip the error)
  - looseTransitives: next@16.2.3

Or, following your "default loose" logic in PR #11234, make loose transitives the default for excludes and require a flag like strictTransitives for minimumReleaseAgeExclude packages which should raise errors on all non-mature transitive dependencies.

minimumReleaseAgeExclude:
  # Exclude next@16.2.3 and any transitive deps of next@16.2.3 newer than `minimumReleaseAge` (skip the error)
  - next@16.2.3
  # Exclude ONLY react@19.2.5, error on any transitive deps newer than `minimumReleaseAge`
  - strictTransitives: react@19.2.5

[zkochan]

For example, given the following minor version bump from next@16.2.2 to next@16.2.3 (using pinned dependencies - this change may even possibly be automated using Renovate or Dependabot or similar), there is no error protecting against the new 16.2.3 version being installed before the 7 day minimumReleaseAge:

To update the pinned version you'd have to either manually update the version in package.json, run "pnpm add next@16.2.3" or have renovate update it (which also has an option to set maturity I believe). Hence, I don't understand how this is dangerous.

[karlhorky]

or have renovate update it (which also has an option to set maturity I believe)

Security updates bypass minimumReleaseAge:

• https://docs.renovatebot.com/key-concepts/minimum-release-age/#what-happens-to-security-updates

This is also true for Dependabot.

Hence, I don't understand how this is dangerous.

1. minimumReleaseAgeStrict: false skips checks which teams may rely upon (eg. while updating to a pinned version)

2. minimumReleaseAgeStrict: true places more work on maintainers when security updates come in, and is a bad DX

3. the workflow is broken with automation - did you look at the broken PR that I posted above?

   fails with ERR_PNPM_NO_MATURE_MATCHING_VERSION  Version 16.2.3 (released 2 days ago) of @next/swc-darwin-x64 does not meet the minimumReleaseAge constraint, even though Renovate knows how to update minimumReleaseAgeExclude

   • fix(deps): update dependency next to v16.2.3 [security] upleveled/next-portfolio-dev#172
   

4. more subjectively, the DX feels kind of broken in all cases: no way to get strictness with pinned versions without also the bad looping DX