
# pnpm v11 minimumReleaseAge Causes Dependabot CI Failures ─ Root Cause, Workarounds, and Upstream Status Summary
This page has been translated by machine translation. View original
Introduction
In a project upgraded to pnpm v11, CI for PRs created by Dependabot suddenly started failing.
[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification:
caniuse-lite@1.0.30001802 was published at 2026-07-06T04:58:52.000Z,
within the minimumReleaseAge cutoff (2026-07-05T09:23:26.106Z)
Not a directly-depended package, but the transitive dependency caniuse-lite is being judged as "too recently published" and installation is being rejected.
This is caused by the supply chain protection feature minimumReleaseAge introduced in pnpm v11. In this article, I investigated why this happens, what workarounds are available, and the status of upstream discussions.
Prerequisites / Environment
- pnpm: v11 (
minimumReleaseAgeenabled by default) - CI: GitHub Actions (
pnpm install --frozen-lockfile) - Dependency management: Dependabot (version updates)
- Problematic package:
caniuse-lite(transitive dependency viabrowserslist, new versions published almost daily)
What is minimumReleaseAge
This is a supply chain attack mitigation feature introduced in pnpm v11. It rejects installation of packages that have not been published for a certain amount of time.
- Default value: 1440 minutes (24 hours)
- Purpose: Since malicious packages are often detected and removed within a few hours of publication, a "cooling period" is set to prevent damage
- Configuration location:
pnpm-workspace.yaml(pnpm-specific settings in.npmrcare not read in pnpm v11)
# Default is 1440 (minutes). Set to 0 to disable
minimumReleaseAge: 1440

Why This Becomes a Problem with Dependabot
How It Occurs
- Dependabot detects a new version of a directly-depended package and creates a PR
- When creating the PR, the lockfile is regenerated with
pnpm install→ transitive dependencies are resolved to the latest version - At that point, the latest version of
caniuse-litehappened to have been published just a few hours earlier - The generated lockfile records the "just published" version
- CI runs
pnpm install --frozen-lockfile→ lockfile verification →ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION

Fundamental Design Issue
This is the crux of the matter. pnpm's minimumReleaseAge is designed as verify-after-resolve.

In other words, the problem is that the resolver does not fall back to an older version that satisfies the condition instead of the version judged as "too new".
Another Trap with --frozen-lockfile
--frozen-lockfile only validates the lockfile contents and does not re-resolve. If the lockfile generated in Dependabot's runner environment contains a too-new version, there is nothing that can be done on the CI side. It is a validation-only code path with no room for fallback in the first place.
Comparison of Workarounds
| Workaround | Works for transitive deps? | Protection level | Operational cost |
|---|---|---|---|
Exclude specific packages with minimumReleaseAgeExclude |
✅ | High (only targeted exclusion) | Medium (add each time) |
Dependabot cooldown setting |
❌ | High | Low |
Disable with minimumReleaseAge: 0 |
✅ | None | Low |
pnpm-exclude-newer tool |
✅ | High | High |
| Wait and re-run | ✅ | High | High (up to 48 hours) |
1. minimumReleaseAgeExclude (Most Practical)
Exclude specific packages from the policy in pnpm-workspace.yaml.
minimumReleaseAgeExclude:
- caniuse-lite
caniuse-lite is updated almost daily and is the Can I Use database, so the risk of supply chain attacks is low. Excluding it in a targeted manner is a practical compromise.
However, this is not a fundamental solution. Today it happened with caniuse-lite, but tomorrow the same thing could happen with another frequently-updated package.
2. Dependabot cooldown Setting
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 3
semver-patch-days: 2
Dependabot waits a certain period after detecting a new version before creating a PR. However, this only delays the timing of PR creation for direct dependencies. It does not solve the problem of transitive dependencies being resolved to the latest version during pnpm install at PR creation time.
3. pnpm-exclude-newer
pnpm-exclude-newer is a tool that starts a local registry mirror and generates a lockfile with versions published after a cutoff date hidden. It provides pnpm with functionality equivalent to uv's --exclude-newer.
pnpm dlx pnpm-exclude-newer
It is the only tool where age restrictions apply to all dependencies including transitive ones, but since Dependabot cannot execute custom install commands, integrating it into Dependabot's workflow is practically impossible.
4. Wait and Re-run
The default for minimumReleaseAge is 24 hours, but if a package is published immediately after Dependabot generates the lockfile, factoring in the time lag until CI runs (waiting for PR creation, queue wait, etc.), there are cases where you may need to wait up to about 48 hours from publication. It will naturally pass once enough time has elapsed.
Upstream Status
Related Issues
| Issue | Content | Status |
|---|---|---|
| #10100 | Fallback failure across major versions | ✅ Fixed in v10.20.0 |
| #11203 | Fallback failure within the same range (the problem in this article) | 🔴 Open · No PR |
| #11068 | Transitive dependency violates minimumReleaseAge | 🔴 Open · No PR |
| #13405 | Convert pnpm's minimumReleaseAge to Dependabot's cooldown | 🔴 Open |
What Was Fixed vs What Remains Unfixed
#10100 (cross-major-version) was fixed in v10.20.0. For example, if lodash@5.0.0 is too new, it falls back to lodash@4.17.21.
However, #11203 (within the same range) remains unfixed. If lodash@4.18.1 is too new, it should fall back to lodash@4.18.0 within the same range, but currently it falls back to the older lodash@4.17.23. It should be addressable as a natural extension of the #10100 fix, but no one has submitted a PR yet.
Is It Worth Submitting a PR
The resolver fix (fallback within the same range) can reference the existing fix from #10100, and the scope of changes would be limited. However, since the --frozen-lockfile validation path is a separate code path, handling that requires separate consideration.
It seems best to comment on the Issue to confirm the maintainers' approach before starting work on a PR.
Summary
- pnpm v11's
minimumReleaseAgeis an important supply chain protection feature, but there is a design gap where fallback for transitive dependencies is not implemented - In combination with Dependabot, CI randomly fails due to transitive dependencies that users cannot control (such as
caniuse-lite) - For now, the workaround of excluding frequently-updated packages with
minimumReleaseAgeExcludeis the most practical - A fundamental fix requires implementing resolver fallback on the pnpm side (#11203)
- If you have encountered a similar issue, you can contribute to raising the upstream priority by adding 👍 or comments to the Issue