Skip to content

[BUG] "min-release-age-exclude" not working with "omit-lockfile-registry-resolved" #9715

Description

@cpoulsen

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

I'm working on a project that requires omit-lockfile-registry-resolved=true

When paired with

min-release-age=3
min-release-age-exclude[]=@my-org/*

npm ci and partially npm i is not respecting the min-release-age-exclude config

Initially i run npm i which works properly and respects the min-release-age-exclude meaning that it will allow installations of @my-org/* packages that are 1 day old.

Subsequential runs of npm i also works just fine.

However when i run npm ci it starts to complain that the package @my-org/* doesnt fall within min-release-age.

Subsequential runs of npm i now stops working too

I've verified that if i remove omit-lockfile-registry-resolved=true everything works as expected

Expected Behavior

I'd expect npm i and npm ci to behave similar to when not having omit-lockfile-registry-resolved=true, meaning that both commands should respect min-release-age-exclude

Steps To Reproduce

  1. In this environment...
    node: v24.16.0
    npm: 11.18.0

  2. With this config...
    A package.json containing a package from @my-org/* with a version publish within the last 2 days

omit-lockfile-registry-resolved=true
min-release-age=3
min-release-age-exclude[]=@my-org/*
  1. Run '...'
    npm i and then npm ci

  2. See error...

npm error code ETARGET
npm error notarget No matching version found for @my-org/.... with a date before ......

Environment

@my-org/* packages are publish to a private registry and configured through my global .npmrc

  • npm: 11.18.0
  • Node.js: 24.16.0
  • OS Name: MacOS 26.5.1
  • npm config:
npm config get
; "user" config from /Users/dev/.npmrc

//my-registry:_authToken = (protected)
registry = "https://my-registry"

; "project" config from /Users/dev/project/.npmrc

engine-strict = true
min-release-age = 3
min-release-age-exclude = ["@my-org/*"]
omit-lockfile-registry-resolved = true
prefer-dedupe = true
strict-allow-scripts = true

; node version = v24.16.0
; npm local prefix = /Users/dev/project
; npm version = 11.18.0
; cwd = /Users/dev/project
; HOME = /Users/dev
; Run `npm config ls -l` to show all defaults.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions