Skip to content

build(deps): add Dependabot cooldown to clear the pnpm age gate#108

Merged
markdumay merged 1 commit into
mainfrom
fix/dependabot-cooldown
Jul 13, 2026
Merged

build(deps): add Dependabot cooldown to clear the pnpm age gate#108
markdumay merged 1 commit into
mainfrom
fix/dependabot-cooldown

Conversation

@markdumay

Copy link
Copy Markdown
Contributor

Problem

Since the pnpm migration, .npmrc sets minimum-release-age=1440 (24h). pnpm enforces this against lockfile entries at install time, not only at resolution. Dependabot writes the new version into the lockfile without honoring .npmrc, so any Dependabot PR for a package published less than 24h ago fails CI on pnpm install --frozen-lockfile:

[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification:
  semantic-release@25.0.7 was published at 2026-07-13T05:23:55.000Z,
  within the minimumReleaseAge cutoff (2026-07-12T11:43:23.903Z)

It fails on every OS/Node combination and blocks auto-merge. Live examples: gethinode/mod-utils#341, gethinode/mod-blocks#153.

Fix

Mirror the install policy in the Dependabot policy via cooldown, rather than weakening either side.

The invariant: Dependabot's cooldown must be strictly greater than pnpm's minimum-release-age. Cooldown is day-granular and 1440 minutes is exactly 1 day, so default-days: 2 is the smallest safe value.

Mirrors this repo's install policy: .npmrc#minimum-release-age=1440 and pnpm-workspace.yaml#minimumReleaseAgeExclude.

Config validated against the official Dependabot JSON schema.

Notes

  • Uses the build type deliberately, so semantic-release does not cut a release for a CI-config-only change.
  • Dependabot security updates ignore cooldown by design; those can still trip the gate and self-heal on re-run after 24h.

Part of an org-wide sweep (25 repos). Reference: gethinode/hinode#2009.

🤖 Generated with Claude Code

Dependabot writes new versions into the lockfile without honoring .npmrc, so CI failed on
`pnpm install --frozen-lockfile` with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION whenever a release
was less than 24h old.

Add a 2-day cooldown to the npm ecosystem. Cooldown is day-granular, so it must be strictly
greater than minimum-release-age (1440 min = 1 day).

Uses the build type deliberately: this is CI config with no user-facing change, so it must not
cut a release.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@markdumay markdumay merged commit c2e2a75 into main Jul 13, 2026
8 checks passed
@markdumay markdumay deleted the fix/dependabot-cooldown branch July 13, 2026 14:19
@markdumay

Copy link
Copy Markdown
Contributor Author

🎉 This PR is included in version 2.0.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant