Convert `npm` `min-release-age` to equivalent Cooldown options

[yeikel]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

Dependabot should read the min-release-age from the npmrc configuration and convert it internally to the equivalent cooldown value. This would allow projects to keep their existing npm onfiguration without manual translation while ensuring consistent update.

Additional context

See npm/cli#8965

[iBotPeaches]

Probably in theory should be true for any ecosystem. It made sense at one point when tooling didn't offer it, but having to manage a Dependabot cooldown and an ecosystem specific cooldown is two sources of truth. Would be swell as you said for Dependabot to eat the cooldown/release-age of any ecosystem for its own.

Maybe its opt-in with like inherit, maybe its automated.

[woodruffw]

I think this would be really great, and IMO should be done wherever the underlying ecosystem already supports cooldowns (like uv and soon pip as well).

From the perspective of a tool that checks for cooldown usage in Dependabot: an explicit opt-in like cooldown: inherit would be ideal, to avoid annoying users with false-positives when Dependabot gets its information from an external source 🙂

[yeikel]

Probably in theory should be true for any ecosystem. It made sense at one point when tooling didn't offer it, but having to manage a Dependabot cooldown and an ecosystem specific cooldown is two sources of truth. Would be swell as you said for Dependabot to eat the cooldown/release-age of any ecosystem for its own.

Maybe its opt-in with like inherit, maybe its automated.

It’s worth noting that Dependabot currently provides more features than the native tools so some sort of partial conversion makes sense to start, I think

[yeikel]

I think this would be really great, and IMO should be done wherever the underlying ecosystem already supports cooldowns (like uv and soon pip as well).

I opted to create separate issues because each ecosystem is a separate module and can be handled by different people. I think that it may make sense to create another issue for pip(after it is released) as well as a "meta" issue to track the overall work. Or, we can just simply track each issue individually

Related issues:

• Yarn: Yarn 4.10+ - Support npmMinimalAgeGate and npmPreapprovedPackages  #14134
• uv : Convert exclude-newer and exclude-newer-package to Dependabot's cooldown equivalents for the uv ecosystem #13816