{"slug": "configuring-minimum-release-age-across-npm-pnpm-and-yarn", "title": "Configuring minimum release age across npm, pnpm, and yarn", "summary": "Setting a minimum release age (cooldown) on dependencies is a low-effort, high-impact defense against supply-chain attacks, as most malicious packages are detected and removed within hours. All three major Node.js package managers (npm, pnpm, and yarn) support this feature, but each uses different configuration names and units—npm uses days, while pnpm and yarn use minutes. The article provides specific configuration instructions for each tool, noting known bugs and the importance of also setting cooldown periods independently in Renovate or Dependabot to avoid PRs that cannot be installed.", "body_md": "# Configuring minimum release age across npm, pnpm, and yarn\n\nSetting a minimum release age (a \"cooldown\") on dependencies is a cheap, high-leverage defense against supply-chain attacks. Most malicious package versions are detected and yanked within hours, so a 24-hour delay filters out the smash-and-grab incidents (axios 1.14.1, ua-parser-js, Solana web3.js, etc.).\n\nAll three major Node.js package managers now support this, but each one used a different name and a different unit. Here is what you need.\n\n## Minimum versions\n\n| Tool   | Setting                | Unit                     | Introduced in           |\n|--------|------------------------|--------------------------|-------------------------|\n| npm    | `min-release-age`      | days                     | npm CLI **11.10.0** (Feb 2026) |\n| pnpm   | `minimumReleaseAge`    | minutes                  | pnpm **10.16** (Sep 2025); default `1440` since pnpm **11.0** |\n| Yarn   | `npmMinimalAgeGate`    | minutes (numeric)        | Yarn Berry **4.10.0**   |\n\nA note on Yarn: the docs advertise duration strings like `\"7d\"`, but there's a known parsing bug (yarnpkg/berry#6991) where day suffixes were silently ignored. Until that's resolved everywhere, pass minutes as a number. 1 day = `1440`.\n\n## npm — per-project\n\nAdd to `.npmrc` in the project root:\n\n```ini\nmin-release-age=1\n```\n\nThe value is in days. Do not combine with `--before` in the same invocation — npm errors out if both are present.\n\n## npm — locally (user-wide)\n\n```bash\nnpm config set min-release-age 1 --location=user\n```\n\nThis writes to `~/.npmrc`. Use `--location=global` if you want it in the global npm config instead.\n\n## pnpm — per-project\n\nPut it in `pnpm-workspace.yaml` (this is the canonical place since pnpm 11; in earlier versions `.npmrc` also works):\n\n```yaml\nminimumReleaseAge: 1440\n```\n\nOptional, if you have internal packages you want to bypass the gate:\n\n```yaml\nminimumReleaseAge: 1440\nminimumReleaseAgeExclude:\n  - '@platformatic/*'\n```\n\nIf you're still on pnpm 10.x, the `.npmrc` form is:\n\n```ini\nminimum-release-age=1440\n```\n\nHeads-up: on pnpm 10.x there's a known bug where `minimumReleaseAge` is silently ignored if any package in the workspace has `shared-workspace-lockfile=false` in its `.npmrc` (pnpm/pnpm#10008). Worth checking.\n\n## pnpm — locally (user-wide)\n\n```bash\npnpm config set minimumReleaseAge 1440 --location=user\n```\n\nOn pnpm 11+, non-auth settings like this go into `~/.config/pnpm/config.yaml` rather than `~/.npmrc`.\n\n## Yarn (Berry 4.10+) — per-project\n\nIn `.yarnrc.yml`:\n\n```yaml\nnpmMinimalAgeGate: 1440\n```\n\nIf you have packages that must bypass the gate:\n\n```yaml\nnpmMinimalAgeGate: 1440\nnpmPreapprovedPackages:\n  - \"@platformatic/*\"\n```\n\n`npmPreapprovedPackages` accepts both glob patterns and exact locators (e.g. `@aws-sdk/types@3.877.0`), which is more flexible than pnpm's package-name-only exclusions.\n\n## Yarn — locally (user-wide)\n\n```bash\nyarn config set --home npmMinimalAgeGate 1440\n```\n\n`--home` writes to `~/.yarnrc.yml` instead of the project-local file.\n\n## A few caveats worth knowing\n\nThe cooldown is enforced at install time, not at update-suggestion time. If you're using Renovate or Dependabot, configure their `minimumReleaseAge` / `cooldown` independently — otherwise they'll keep opening PRs you can't actually install. Renovate 42's `config:best-practices` preset already sets a 3-day default for npm; Dependabot's `cooldown.default-days` is the equivalent.\n\nNone of these tools currently let you scope the gate per registry, so internal packages from a private registry get held back along with everything else unless you put them in the exclusion list (npm doesn't have one yet — there's an open issue, #8994).\n\nThe defaults will likely shift soon: pnpm 11 already turned this on by default at 1440 minutes, and npm CLI v12 is expected to do the same. Setting it explicitly now means your config keeps working unchanged when defaults move.", "url": "https://wpnews.pro/news/configuring-minimum-release-age-across-npm-pnpm-and-yarn", "canonical_source": "https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104", "published_at": "2026-04-30 09:41:24+00:00", "updated_at": "2026-05-22 14:44:35.968812+00:00", "lang": "en", "topics": ["developer-tools", "cybersecurity", "open-source"], "entities": ["npm", "pnpm", "yarn", "axios", "ua-parser-js", "Solana", "Yarnpkg", "Platformatic"], "alternates": {"html": "https://wpnews.pro/news/configuring-minimum-release-age-across-npm-pnpm-and-yarn", "markdown": "https://wpnews.pro/news/configuring-minimum-release-age-across-npm-pnpm-and-yarn.md", "text": "https://wpnews.pro/news/configuring-minimum-release-age-across-npm-pnpm-and-yarn.txt", "jsonld": "https://wpnews.pro/news/configuring-minimum-release-age-across-npm-pnpm-and-yarn.jsonld"}}