Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
I'm working on a project that requires omit-lockfile-registry-resolved=true
When paired with
min-release-age=3
min-release-age-exclude[]=@my-org/*
npm ci and partially npm i are not respecting the min-release-age-exclude config.
Initially I run npm i, which works properly and respects min-release-age-exclude, meaning that it will allow installations of @my-org/* packages that are 1 day old.
Subsequent runs of npm i also work just fine.
However, when I run npm ci it starts to complain that the package @my-org/* doesn't fall within min-release-age.
Subsequent runs of npm i now stop working too.
I've verified that if I remove omit-lockfile-registry-resolved=true everything works as expected.
Expected Behavior
I'd expect npm i and npm ci to behave similarly to when not having omit-lockfile-registry-resolved=true, meaning that both commands should respect min-release-age-exclude.
Steps To Reproduce
- In this environment...
  node: v24.16.0
  npm: 11.18.0
- With this config...
  A package.json containing a package from @my-org/* with a version published within the last 2 days
  omit-lockfile-registry-resolved=true
  min-release-age=3
  min-release-age-exclude[]=@my-org/*
- Run '...'
  npm i and then npm ci
- See error...
  npm error code ETARGET
  npm error notarget No matching version found for @my-org/.... with a date before ......
Environment
@my-org/* packages are published to a private registry and configured through my global .npmrc
- npm: 11.18.0
- Node.js: 24.16.0
- OS Name: MacOS 26.5.1
- npm config:
npm config get
; "user" config from /Users/dev/.npmrc
//my-registry:_authToken = (protected)
registry = "https://my-registry"
; "project" config from /Users/dev/project/.npmrc
engine-strict = true
min-release-age = 3
min-release-age-exclude = ["@my-org/*"]
omit-lockfile-registry-resolved = true
prefer-dedupe = true
strict-allow-scripts = true
; node version = v24.16.0
; npm local prefix = /Users/dev/project
; npm version = 11.18.0
; cwd = /Users/dev/project
; HOME = /Users/dev
; Run `npm config ls -l` to show all defaults.