Skip to content

fix(deps): add Dependabot cooldown to clear the pnpm age gate#872

Merged
markdumay merged 1 commit into
mainfrom
fix/dependabot-cooldown
Jul 13, 2026
Merged

fix(deps): add Dependabot cooldown to clear the pnpm age gate#872
markdumay merged 1 commit into
mainfrom
fix/dependabot-cooldown

Conversation

@markdumay

Copy link
Copy Markdown
Contributor

Problem

Since the pnpm migration, .npmrc sets minimum-release-age=1440 (24h). pnpm enforces this against lockfile entries at install time, not only at resolution time. Dependabot writes the new version into pnpm-lock.yaml without honoring .npmrc, so every Dependabot PR for a package published less than 24h ago fails CI on pnpm install --frozen-lockfile:

[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification:
  semantic-release@25.0.7 was published at 2026-07-13T05:23:55.000Z,
  within the minimumReleaseAge cutoff (2026-07-12T11:43:23.903Z)

This fails on every OS/Node combination and blocks auto-merge. Live examples: gethinode/mod-utils#341, gethinode/mod-blocks#153.

Fix

Mirror the install policy in the Dependabot policy via cooldown, rather than weakening either side.

The invariant: Dependabot's cooldown must be strictly greater than pnpm's minimum-release-age. Cooldown is day-granular and 1440 minutes is exactly 1 day, so default-days: 2 is the smallest safe value. cooldown.exclude mirrors pnpm-workspace.yaml#minimumReleaseAgeExclude so the two policies stay in step.

Verified the config parses and validates against the official Dependabot JSON schema.

Why here

mod-template is the seed repo for new modules, so fixing it stops the defect from being inherited by every module created from now on. Companion PR: gethinode/hinode#2009. The other 22 affected repos follow once this is proven green.

🤖 Generated with Claude Code

Dependabot writes new versions into pnpm-lock.yaml without honoring .npmrc, so CI failed on
`pnpm install --frozen-lockfile` with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION whenever a release
was less than 24h old.

Add a 2-day cooldown to the npm ecosystem, mirroring the install policy. Cooldown is day-granular,
so it must be strictly greater than minimum-release-age (1440 min = 1 day). The exclude list
mirrors pnpm-workspace.yaml#minimumReleaseAgeExclude.

As the seed repo for new modules, this keeps the defect from being inherited.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@markdumay markdumay merged commit 37f0204 into main Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant