Fix/pnpm minimum release age #5798
Open
willporter-workos wants to merge 2 commits into microsoft:main from
…ignored pnpm does not read these settings from package.json's `pnpm` key. Write them to the generated .npmrc as `minimum-release-age` and `minimum-release-age-exclude[]` instead, which pnpm actually reads. Fixes microsoft#5752
9776295 to 509dcd3
Author: @microsoft-github-policy-service agree company="Microsoft"
Summary

Setting `minimumReleaseAge` or `minimumReleaseAgeExclude` in `common/config/rush/pnpm-config.json` had no effect. pnpm silently ignored these settings, meaning packages could be resolved that were newer than the configured minimum release age. This unintended behavior defeats the security benefit of the feature.

The settings were being written to `common/temp/package.json` under the `pnpm` key, but pnpm does not read `minimumReleaseAge` from `package.json`. pnpm only reads it from `.npmrc` (as `minimum-release-age`) or `pnpm-workspace.yaml`.

Fixes #5752
Details

Removed `minimumReleaseAge` and `minimumReleaseAgeExclude` from `InstallHelpers.generateCommonPackageJson()` — they were written to `package.json`'s `pnpm` section, which pnpm does not consult for these settings.

Instead, `BaseInstallManager.prepareAsync()` now appends `minimum-release-age=<minutes>` and `minimum-release-age-exclude[]=<package>` lines to the generated `common/temp/.npmrc` via the existing `linesToAppend` mechanism. Using `linesToAppend` (rather than `linesToPrepend`) ensures `pnpm-config.json` values take precedence over any value the user may have also set in their committed `.npmrc`, consistent with how other Rush pnpm settings behave. A warning is emitted if `minimum-release-age` is detected in both places.

This fix handles both workspace mode (`WorkspaceInstallManager`) and non-workspace mode (`RushInstallManager`) since both inherit from `BaseInstallManager`. The existing pnpm version check warning (requires pnpm >= 10.16.0) was moved to the same location as the fix.

Backwards compatibility: no breaking change. Repos that had `minimumReleaseAge` set were already getting no effect; they will now get the intended enforcement.
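As an added illustration, not code from this PR or from rushstack, the following TypeScript sketches the behaviour the Details section describes: turning the `pnpm-config.json` values into `minimum-release-age` and `minimum-release-age-exclude[]` lines appended after the committed `.npmrc`, warning when the user has also set the key there, and checking that a last-occurrence-wins reader of the generated file sees the appended value. The `PnpmConfig` shape, the function names, and the sample `.npmrc` are constructed assumptions; they are not Rush's `BaseInstallManager` or `Utilities.syncNpmrc()` APIs.

```typescript
// Added example, not Rush's own code. The config shape is an assumption
// modelled on the PR description (minutes plus a list of exempt packages).
interface PnpmConfig {
  minimumReleaseAge?: number;          // minutes a version must be published before pnpm will resolve it
  minimumReleaseAgeExclude?: string[]; // package names exempt from the delay
}

interface NpmrcPlan {
  linesToAppend: string[]; // lines to place after the committed .npmrc content
  warnings: string[];      // conflicts worth surfacing to the user
}

// pnpm's own .npmrc keys for this feature (named in the PR text).
const MIN_RELEASE_AGE_KEY = 'minimum-release-age';
const MIN_RELEASE_AGE_EXCLUDE_KEY = 'minimum-release-age-exclude[]';

// Minimal .npmrc reader: key=value per line, '#'/';' comments and blanks ignored.
function parseNpmrc(text: string): Array<[string, string]> {
  const pairs: Array<[string, string]> = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    pairs.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return pairs;
}

// Build the lines to append and detect a competing user-set value.
function planMinimumReleaseAgeLines(config: PnpmConfig, committedNpmrc: string): NpmrcPlan {
  const plan: NpmrcPlan = { linesToAppend: [], warnings: [] };
  if (config.minimumReleaseAge === undefined) return plan; // feature not enabled
  const minutes = config.minimumReleaseAge;
  if (!Number.isInteger(minutes) || minutes < 0) {
    throw new Error(`minimumReleaseAge must be a non-negative integer number of minutes, got ${minutes}`);
  }
  // Warn if the committed .npmrc already carries the key; pnpm-config.json wins.
  const userValue = parseNpmrc(committedNpmrc).filter(([k]) => k === MIN_RELEASE_AGE_KEY).pop();
  if (userValue) {
    plan.warnings.push(
      `${MIN_RELEASE_AGE_KEY}=${userValue[1]} in the committed .npmrc is overridden by pnpm-config.json (${minutes})`
    );
  }
  plan.linesToAppend.push(`${MIN_RELEASE_AGE_KEY}=${minutes}`);
  for (const pkg of config.minimumReleaseAgeExclude ?? []) {
    plan.linesToAppend.push(`${MIN_RELEASE_AGE_EXCLUDE_KEY}=${pkg}`);
  }
  return plan;
}

// Compose the generated file: committed content first, appended lines last.
function buildGeneratedNpmrc(committedNpmrc: string, config: PnpmConfig): string {
  const plan = planMinimumReleaseAgeLines(config, committedNpmrc);
  return [committedNpmrc.trimEnd(), ...plan.linesToAppend].join('\n') + '\n';
}

// Model the precedence the PR relies on: for a scalar key the last occurrence
// wins, while "[]" keys accumulate. This is what makes appending (not
// prepending) give pnpm-config.json the final say.
function effectiveMinimumReleaseAge(generatedNpmrc: string): { minutes: number | undefined; exclude: string[] } {
  let minutes: number | undefined;
  const exclude: string[] = [];
  for (const [k, v] of parseNpmrc(generatedNpmrc)) {
    if (k === MIN_RELEASE_AGE_KEY) minutes = Number(v);
    else if (k === MIN_RELEASE_AGE_EXCLUDE_KEY) exclude.push(v);
  }
  return { minutes, exclude };
}

// Constructed sample input: a committed .npmrc with its own, shorter delay.
const SAMPLE_COMMITTED_NPMRC = `registry=https://registry.npmjs.org/
minimum-release-age=60
`;
const SAMPLE_CONFIG: PnpmConfig = {
  minimumReleaseAge: 1440,
  minimumReleaseAgeExclude: ['@my-org/internal-tool'] // hypothetical package name
};

const samplePlan = planMinimumReleaseAgeLines(SAMPLE_CONFIG, SAMPLE_COMMITTED_NPMRC);
console.log(samplePlan.warnings);
console.log(effectiveMinimumReleaseAge(buildGeneratedNpmrc(SAMPLE_COMMITTED_NPMRC, SAMPLE_CONFIG)));
```

The check at the end is the one a practitioner would want after a fix like this: read back the file pnpm will actually consume and confirm the configured delay is the effective one, rather than trusting that the value was written somewhere.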
How it was tested

Built and ran the `@microsoft/rush-lib` test suite via `rush test --to @microsoft/rush-lib` — all tests pass.

The fix was also manually validated by tracing the code path: `BaseInstallManager.prepareAsync()` calls `Utilities.syncNpmrc()` with the generated lines, which writes `common/temp/.npmrc`. pnpm reads `minimum-release-age` from this file during `rush update`/`rush install`.

Impacted documentation

The `minimumReleaseAgeMinutes` field is documented on the pnpm-config.json schema page. No doc change is required since the public API (the pnpm-config.json field) is unchanged — this is purely a bug fix in how the value is propagated to pnpm.