Skip to content

fix(arborist): apply min-release-age-exclude on reify fallback#9716

Open
Sanjays2402 wants to merge 1 commit into
npm:latestfrom
Sanjays2402:fix/issue-9715
Open

fix(arborist): apply min-release-age-exclude on reify fallback#9716
Sanjays2402 wants to merge 1 commit into
npm:latestfrom
Sanjays2402:fix/issue-9715

Conversation

@Sanjays2402

Copy link
Copy Markdown

Description

When omit-lockfile-registry-resolved=true is set, the lockfile is written with the resolved URL stripped from registry deps. On npm ci (or subsequent npm i runs that hit the reify fallback), #extractOrLink reaches the !node.resolved branch and rebuilds a name@version spec so pacote can re-fetch the packument.

That fallback spec goes through pickManifest, which honors before. Once min-release-age is set (which flows through to before), pacote throws ETARGET for the pinned version even though the package name is in min-release-age-exclude. The exemption logic is only applied in build-ideal-tree's #releaseAgeBefore, not on the reify fallback path, so the user-configured exclude is effectively ignored during install.

This change mirrors #releaseAgeBefore at the reify site: on the !node.resolved fallback, if the package name matches min-release-age-exclude, before is dropped from the pacote options so the excluded package installs as the user asked. Behavior is unchanged for packages that are not in the exclude list, for lockfile entries that still have resolved, and when before is not set at all.

Existing Issue

Fixes #9715

Screenshots

N/A (behavioral bug in the CLI, no UI surface).

AI disclosure

Written with the assistance of Claude. I have reviewed the diff and the test and take responsibility for the code.

Test Coverage

Added a regression test in workspaces/arborist/test/arborist/reify.js that reifies from a lockfile with the resolved URL stripped and before set to a date that excludes the pinned version. It covers four cases:

  • Baseline: no min-release-age-excludeETARGET (documents the existing filter behavior).
  • Exact name in min-release-age-exclude → pinned version installs.
  • Glob pattern in min-release-age-exclude → pinned version installs.
  • Non-matching min-release-age-excludeETARGET (exemption is scoped to matched names only).

Verified both directions locally: on latest without the fix, the two "matching exclude" subtests fail with ETARGET; with the fix, all four subtests pass. The existing min-release-age-exclude exempts matched packages from the before filter tests in build-ideal-tree.js and the weirdly broken lockfile without resolved value reify test continue to pass.

When omit-lockfile-registry-resolved=true, the lockfile has no `resolved`
URL so #extractOrLink falls back to a name@version registry spec. Pacote
resolves that via pickManifest which honors `before`, so a package pinned
in the lockfile can throw ETARGET even when its name is in
min-release-age-exclude. Mirror #releaseAgeBefore in build-ideal-tree and
drop `before` for excluded packages on this fallback path.

Fixes: npm#9715
@Sanjays2402 Sanjays2402 requested review from a team as code owners July 3, 2026 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] "min-release-age-exclude" not working with "omit-lockfile-registry-resolved"

1 participant