fix: move minimum-release-age to pnpm-workspace.yaml, fix Socket package downgrades

jdalton · jdalton · commit 7b9c74a38304 · 2026-04-03T23:17:20.000-04:00
- Move pnpm's minimum-release-age from .npmrc to pnpm-workspace.yaml
  to avoid npm v11+ warning about unknown config key
- Keep min-release-age=7 in .npmrc for npm
- Fix update script: bypass age gate for @socketsecurity/* and
  @socketregistry/* via env override (prevents downgrades)
diff --git a/.npmrc b/.npmrc
@@ -2,9 +2,8 @@ ignore-scripts=true
 link-workspace-packages=false
 loglevel=error
 prefer-workspace-packages=false
-# Minimum release age - wait 7 days before installing newly published packages
-# pnpm uses minimum-release-age (minutes), npm v11+ uses min-release-age (days)
-minimum-release-age=10080
+# Minimum release age for npm v11+ (days).
+# pnpm equivalent is in pnpm-workspace.yaml (minimumReleaseAge).
 min-release-age=7
 
 trust-policy=no-downgrade
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -0,0 +1,3 @@
+settings:
+  # Wait 7 days (10080 minutes) before installing newly published packages.
+  minimumReleaseAge: 10080
diff --git a/scripts/update.mjs b/scripts/update.mjs
@@ -44,7 +44,8 @@ async function main() {
       process.stdout.write('\r\x1b[K')
     }
 
-    // Always update Socket packages (bypass taze maturity period).
+    // Update Socket packages — bypass minimum-release-age since these are
+    // our own packages and we trust them immediately.
     if (!quiet) {
       logger.progress('Updating Socket packages...')
     }
@@ -60,12 +61,12 @@ async function main() {
         '-r',
       ],
       {
+        env: { ...process.env, npm_config_minimum_release_age: '0' },
         shell: WIN32,
         stdio: quiet ? 'pipe' : 'inherit',
       },
     )
 
-    // Clear progress line.
     if (!quiet) {
       process.stdout.write('\r\x1b[K')
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+settings:`
	`2`	`+ # Wait 7 days (10080 minutes) before installing newly published packages.`
	`3`	`+ minimumReleaseAge: 10080`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ async function main() {`
`44`	`44`	`process.stdout.write('\r\x1b[K')`
`45`	`45`	`}`
`46`	`46`
`47`		`- // Always update Socket packages (bypass taze maturity period).`
	`47`	`+ // Update Socket packages — bypass minimum-release-age since these are`
	`48`	`+ // our own packages and we trust them immediately.`
`48`	`49`	`if (!quiet) {`
`49`	`50`	`logger.progress('Updating Socket packages...')`
`50`	`51`	`}`
`@@ -60,12 +61,12 @@ async function main() {`
`60`	`61`	`'-r',`
`61`	`62`	`],`
`62`	`63`	`{`
	`64`	`+ env: { ...process.env, npm_config_minimum_release_age: '0' },`
`63`	`65`	`shell: WIN32,`
`64`	`66`	`stdio: quiet ? 'pipe' : 'inherit',`
`65`	`67`	`},`
`66`	`68`	`)`
`67`	`69`
`68`		`- // Clear progress line.`
`69`	`70`	`if (!quiet) {`
`70`	`71`	`process.stdout.write('\r\x1b[K')`
`71`	`72`	`}`