Skip to content

build(deps): add Dependabot cooldown to clear the pnpm age gate#2009

Merged
markdumay merged 1 commit into
mainfrom
fix/dependabot-cooldown
Jul 13, 2026
Merged

build(deps): add Dependabot cooldown to clear the pnpm age gate#2009
markdumay merged 1 commit into
mainfrom
fix/dependabot-cooldown

Conversation

@markdumay

Copy link
Copy Markdown
Collaborator

Problem

Since the pnpm migration, .npmrc sets minimum-release-age=1440 (24h). pnpm enforces this against lockfile entries at install time, not only at resolution time. Dependabot writes the new version into pnpm-lock.yaml without honoring .npmrc, so every Dependabot PR for a package published less than 24h ago fails CI on pnpm install --frozen-lockfile:

[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification:
  semantic-release@25.0.7 was published at 2026-07-13T05:23:55.000Z,
  within the minimumReleaseAge cutoff (2026-07-12T11:43:23.903Z)

This fails on every OS/Node combination and blocks auto-merge. Live examples: gethinode/mod-utils#341, gethinode/mod-blocks#153.

Fix

Mirror the install policy in the Dependabot policy via cooldown, rather than weakening either side.

The invariant: Dependabot's cooldown must be strictly greater than pnpm's minimum-release-age. Cooldown is day-granular and 1440 minutes is exactly 1 day, so default-days: 2 is the smallest safe value. cooldown.exclude mirrors pnpm-workspace.yaml#minimumReleaseAgeExclude so the two policies stay in step.

Verified the config parses and validates against the official Dependabot JSON schema (default-days and exclude are both legal keys).

Scope

24 repos carry minimum-release-age=1440 + an npm Dependabot ecosystem and none has a cooldown. This PR does hinode; mod-template (the seed for new modules) gets the same change so the bug isn't inherited. The remaining 22 follow once this is proven green.

Note

Dependabot security updates ignore cooldown by design, so a security PR for a very fresh release can still trip the gate. Those are rare and self-heal on re-run after 24h.

🤖 Generated with Claude Code

Dependabot writes new versions into pnpm-lock.yaml without honoring .npmrc, so CI failed on
`pnpm install --frozen-lockfile` with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION whenever a release
was less than 24h old.

Add a 2-day cooldown to the npm ecosystem, mirroring the install policy. Cooldown is day-granular,
so it must be strictly greater than minimum-release-age (1440 min = 1 day). The exclude list
mirrors pnpm-workspace.yaml#minimumReleaseAgeExclude.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploy Preview for gethinode-demo ready!

Name Link
🔨 Latest commit 8010641
🔍 Latest deploy log https://app.netlify.com/projects/gethinode-demo/deploys/6a54e344708b880008f2a100
😎 Deploy Preview https://deploy-preview-2009--gethinode-demo.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@markdumay markdumay merged commit 5e493a1 into main Jul 13, 2026
16 checks passed
This was referenced Jul 13, 2026
@markdumay

Copy link
Copy Markdown
Collaborator Author

🎉 This PR is included in version 3.0.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant