I set up dependabot to match npm's min-release-age
Introduction
Hello everyone, I'm Akaike.
Recently, a feature called min-release-age was added in npm v11.10.0.
This is an effective countermeasure against supply chain attacks that can prevent the installation of packages that have not been published for a certain number of days.
However, if you only set it in .npmrc, Dependabot will still create PRs for new versions, resulting in update PRs for versions that cannot be installed.
So this time, I tried to combine Dependabot's cooldown setting with min-release-age to manage dependencies consistently.
What is min-release-age in npm v11?
The min-release-age added in npm v11.10.0 is a feature that prevents the installation of package versions that have not been published for a specified number of days.
It's equivalent to pnpm's minimumReleaseAge feature.
The setup is as simple as adding it to .npmrc.
```ini
min-release-age=21
```
In this case, versions published less than 21 days ago will be excluded from installation candidates.
You can also specify it from the command line.
```shell
npm install --min-release-age=21
```
Is min-release-age alone not enough?
Setting min-release-age in .npmrc protects npm install on local and CI environments.
However, this alone can cause inconsistencies with Dependabot.
For example, in cases like this:
- Dependabot creates an update PR for the latest version right after publication
- The PR is merged, but that version is blocked by min-release-age during npm install
- The build fails because the version recorded in package-lock.json cannot be installed
To avoid these issues, we need to set a similar waiting period on the Dependabot side.
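To catch the inconsistency described above before a PR is merged, here is an added example (not part of the original article) of a Node.js check that compares each version recorded in package-lock.json against the registry's publish timestamps and reports anything younger than min-release-age. The registry time data and the lockfile excerpt are constructed samples; in real use they would come from `npm view <pkg> time --json` and the repository's own lockfile.

```javascript
// Added example: flag lockfile entries younger than min-release-age.
// Not code from the article; registry data and lockfile are constructed samples.

const MIN_RELEASE_AGE_DAYS = 21; // mirrors min-release-age=21 in .npmrc

// Constructed sample of the registry "time" field: name -> version -> publish timestamp.
const registryTimes = {
  "left-pad": { "1.3.0": "2018-04-01T00:00:00.000Z", "1.4.0": "2026-01-05T00:00:00.000Z" },
  "tailwindcss": { "4.1.0": "2025-04-01T00:00:00.000Z", "4.2.0": "2025-12-01T00:00:00.000Z" },
  "@types/three": { "0.160.0": "2024-01-01T00:00:00.000Z" },
};

// Constructed excerpt of the "packages" map in a lockfileVersion 3 package-lock.json.
const sampleLock = {
  packages: {
    "": { name: "portfolio", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.4.0" },
    "node_modules/tailwindcss": { version: "4.2.0" },
    "node_modules/@types/three": { version: "0.160.0" },
  },
};

// Derive the package name from a lockfile path; the greedy match handles
// nested paths such as "node_modules/vite/node_modules/esbuild".
function packageNameFromPath(lockPath) {
  return lockPath.replace(/^.*node_modules\//, "");
}

// Return entries whose locked version was published less than minDays before `now`.
// These are exactly the versions that npm install would refuse under min-release-age.
function findTooYoung(lock, times, minDays, now) {
  const msPerDay = 24 * 60 * 60 * 1000;
  const cutoff = now.getTime() - minDays * msPerDay;
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link) continue; // skip root project and workspace links
    const name = packageNameFromPath(lockPath);
    const published = times[name] && times[name][entry.version];
    if (!published) continue; // no timestamp available: nothing to compare against
    const publishedMs = new Date(published).getTime();
    if (publishedMs > cutoff) {
      const ageDays = Math.floor((now.getTime() - publishedMs) / msPerDay);
      violations.push({ name, version: entry.version, ageDays });
    }
  }
  return violations;
}

const report = findTooYoung(sampleLock, registryTimes, MIN_RELEASE_AGE_DAYS, new Date("2026-01-15T00:00:00.000Z"));
console.log(report.length ? report : "all locked versions satisfy min-release-age");
```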
Dependabot's cooldown setting
In 2025, a cooldown feature was added to Dependabot.
This feature allows you to set a waiting period from when a new package version is published until a PR is created.
```yaml
cooldown:
  default-days: 21
  semver-major-days: 21
  semver-minor-days: 21
  semver-patch-days: 21
```
You can specify waiting days for each semver category.
This time, I unified all to a 21-day cooldown to match .npmrc's min-release-age=21.
Note that if semver-XXXXX-days is undefined, default-days is used as a fallback, so if all categories have the same number of days, just default-days is sufficient.
In this case, I've explicitly specified all options to introduce the configurable options.
Configuration Examples
Here, I'll introduce the actual configuration using my personal portfolio repository as an example.
.npmrc
Just specify min-release-age.
```ini
min-release-age=21
```
.github/dependabot.yml
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "09:00"
      timezone: "Asia/Tokyo"
    open-pull-requests-limit: 10
    reviewers:
      - "Lamaglama39"
    labels:
      - "dependencies"
    commit-message:
      prefix: "chore(deps)"
    groups:
      # Update React-related packages together
      react:
        patterns:
          - "react"
          - "react-dom"
          - "react-router"
          - "@react-router/*"
          - "@react-three/*"
          - "three"
          - "@types/three"
      # Update build tools together
      build-tools:
        patterns:
          - "vite"
          - "vite-*"
          - "rollup"
          - "@rollup/*"
          - "esbuild"
          - "typescript"
          - "@tailwindcss/*"
          - "tailwindcss"
      # Update Cloudflare-related packages together
      cloudflare:
        patterns:
          - "wrangler"
          - "@cloudflare/*"
          - "miniflare"
      # Update type definitions together
      types:
        patterns:
          - "@types/*"
        exclude-patterns:
          - "@types/three"
    versioning-strategy: "increase"
    # Cooldown settings matching .npmrc's min-release-age=21
    # Security updates bypass the cooldown
    cooldown:
      default-days: 21
      semver-major-days: 21
      semver-minor-days: 21
      semver-patch-days: 21
```
Let me explain some key points of the configuration.
Align cooldown and min-release-age days
Setting min-release-age=21 and cooldown.default-days: 21 to the same number of days ensures that Dependabot creates PRs at the same time packages become installable via npm install.
Use groups for efficient PR management
Using groups to bundle related packages helps reduce the number of PRs.
Since updates tend to accumulate with cooldown settings, grouping works well with this approach.
I divided them into 4 groups:
| Group | Target Packages | Reason |
|---|---|---|
| react | react, react-dom, react-router, three, etc. | Strong interdependencies, better to update together |
| build-tools | vite, typescript, tailwindcss, etc. | Better to verify build-related tools together |
| cloudflare | wrangler, @cloudflare/*, etc. | Group deployment-related packages |
| types | @types/* (excluding @types/three) | Type definitions have less impact, can be updated together |
three and @types/three are tightly coupled to each other, so they're grouped with react instead of types.
In the types group, exclude-patterns is used to exclude @types/three to prevent duplication.
Specify increase for versioning-strategy
Specifying versioning-strategy: "increase" raises version constraints in package.json as needed.
For example, it will update from "^1.0.0" to "^1.2.0", increasing the min version and reducing the risk of installing older versions in CI.
Actual Notifications
Here's how Dependabot PRs looked after configuration.

A PR was created for the build-tools group, updating 5 packages including vite and tailwindcss together.
The commit message also reflects the configured chore(deps) prefix.

Looking at the tailwindcss tag page, v4.2.0 was released about 3 weeks ago.
We can see that the PR was created after the 21-day cooldown period had passed.
Conclusion
That's how I configured Dependabot to align with npm's min-release-age.
It's quite simple to implement as it just requires aligning .npmrc and Dependabot settings.
As a countermeasure against supply chain attacks, I recommend adopting this even for personal projects.
I hope this article has been helpful to you.