# pnpm v11 minimumReleaseAge Causes Dependabot CI Failures ─ Root Cause, Workarounds, and Upstream Status Summary

# pnpm v11 minimumReleaseAge Causes Dependabot CI Failures ─ Root Cause, Workarounds, and Upstream Status Summary

I have summarized the causes, workarounds, and upstream discussion status regarding the issue where CI fails due to transitive dependencies (such as caniuse-lite) when combining pnpm v11's minimumReleaseAge feature with Dependabot.
2026.07.11

This page has been translated by machine translation. View original

Introduction

In a project upgraded to pnpm v11, CI for PRs created by Dependabot suddenly started failing.

[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification:
  caniuse-lite@1.0.30001802 was published at 2026-07-06T04:58:52.000Z,
  within the minimumReleaseAge cutoff (2026-07-05T09:23:26.106Z)

Not a directly-depended package, but the transitive dependency caniuse-lite is being judged as "too recently published" and installation is being rejected.

This is caused by the supply chain protection feature minimumReleaseAge introduced in pnpm v11. In this article, I investigated why this happens, what workarounds are available, and the status of upstream discussions.

Prerequisites / Environment

  • pnpm: v11 (minimumReleaseAge enabled by default)
  • CI: GitHub Actions (pnpm install --frozen-lockfile)
  • Dependency management: Dependabot (version updates)
  • Problematic package: caniuse-lite (transitive dependency via browserslist, new versions published almost daily)

What is minimumReleaseAge

This is a supply chain attack mitigation feature introduced in pnpm v11. It rejects installation of packages that have not been published for a certain amount of time.

  • Default value: 1440 minutes (24 hours)
  • Purpose: Since malicious packages are often detected and removed within a few hours of publication, a "cooling period" is set to prevent damage
  • Configuration location: pnpm-workspace.yaml (pnpm-specific settings in .npmrc are not read in pnpm v11)
pnpm-workspace.yaml
# Default is 1440 (minutes). Set to 0 to disable
minimumReleaseAge: 1440

SCR-20260711-nkct

Why This Becomes a Problem with Dependabot

How It Occurs

  1. Dependabot detects a new version of a directly-depended package and creates a PR
  2. When creating the PR, the lockfile is regenerated with pnpm install → transitive dependencies are resolved to the latest version
  3. At that point, the latest version of caniuse-lite happened to have been published just a few hours earlier
  4. The generated lockfile records the "just published" version
  5. CI runs pnpm install --frozen-lockfile → lockfile verification → ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION

pnpm-11-minimum-release-age-dependabot-ci-failure-flow

Fundamental Design Issue

This is the crux of the matter. pnpm's minimumReleaseAge is designed as verify-after-resolve.

pnpm-11-minimum-release-age-dependabot-ci-failure-resolver

In other words, the problem is that the resolver does not fall back to an older version that satisfies the condition instead of the version judged as "too new".

Another Trap with --frozen-lockfile

--frozen-lockfile only validates the lockfile contents and does not re-resolve. If the lockfile generated in Dependabot's runner environment contains a too-new version, there is nothing that can be done on the CI side. It is a validation-only code path with no room for fallback in the first place.

Comparison of Workarounds

Workaround Works for transitive deps? Protection level Operational cost
Exclude specific packages with minimumReleaseAgeExclude High (only targeted exclusion) Medium (add each time)
Dependabot cooldown setting High Low
Disable with minimumReleaseAge: 0 None Low
pnpm-exclude-newer tool High High
Wait and re-run High High (up to 48 hours)

1. minimumReleaseAgeExclude (Most Practical)

Exclude specific packages from the policy in pnpm-workspace.yaml.

pnpm-workspace.yaml
minimumReleaseAgeExclude:
  - caniuse-lite

caniuse-lite is updated almost daily and is the Can I Use database, so the risk of supply chain attacks is low. Excluding it in a targeted manner is a practical compromise.

However, this is not a fundamental solution. Today it happened with caniuse-lite, but tomorrow the same thing could happen with another frequently-updated package.

2. Dependabot cooldown Setting

.github/dependabot.yml
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 3
      semver-patch-days: 2

Dependabot waits a certain period after detecting a new version before creating a PR. However, this only delays the timing of PR creation for direct dependencies. It does not solve the problem of transitive dependencies being resolved to the latest version during pnpm install at PR creation time.

3. pnpm-exclude-newer

pnpm-exclude-newer is a tool that starts a local registry mirror and generates a lockfile with versions published after a cutoff date hidden. It provides pnpm with functionality equivalent to uv's --exclude-newer.

pnpm dlx pnpm-exclude-newer

It is the only tool where age restrictions apply to all dependencies including transitive ones, but since Dependabot cannot execute custom install commands, integrating it into Dependabot's workflow is practically impossible.

4. Wait and Re-run

The default for minimumReleaseAge is 24 hours, but if a package is published immediately after Dependabot generates the lockfile, factoring in the time lag until CI runs (waiting for PR creation, queue wait, etc.), there are cases where you may need to wait up to about 48 hours from publication. It will naturally pass once enough time has elapsed.

Upstream Status

Issue Content Status
#10100 Fallback failure across major versions ✅ Fixed in v10.20.0
#11203 Fallback failure within the same range (the problem in this article) 🔴 Open · No PR
#11068 Transitive dependency violates minimumReleaseAge 🔴 Open · No PR
#13405 Convert pnpm's minimumReleaseAge to Dependabot's cooldown 🔴 Open

What Was Fixed vs What Remains Unfixed

#10100 (cross-major-version) was fixed in v10.20.0. For example, if lodash@5.0.0 is too new, it falls back to lodash@4.17.21.

However, #11203 (within the same range) remains unfixed. If lodash@4.18.1 is too new, it should fall back to lodash@4.18.0 within the same range, but currently it falls back to the older lodash@4.17.23. It should be addressable as a natural extension of the #10100 fix, but no one has submitted a PR yet.

Is It Worth Submitting a PR

The resolver fix (fallback within the same range) can reference the existing fix from #10100, and the scope of changes would be limited. However, since the --frozen-lockfile validation path is a separate code path, handling that requires separate consideration.

It seems best to comment on the Issue to confirm the maintainers' approach before starting work on a PR.

Summary

  • pnpm v11's minimumReleaseAge is an important supply chain protection feature, but there is a design gap where fallback for transitive dependencies is not implemented
  • In combination with Dependabot, CI randomly fails due to transitive dependencies that users cannot control (such as caniuse-lite)
  • For now, the workaround of excluding frequently-updated packages with minimumReleaseAgeExclude is the most practical
  • A fundamental fix requires implementing resolver fallback on the pnpm side (#11203)
  • If you have encountered a similar issue, you can contribute to raising the upstream priority by adding 👍 or comments to the Issue

Share this article