Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Using the min-release-age flag will crash npm if it has any dependencies with git: or github: protocols (even nested dependencies). This is because it needs to spawn fetcher sub-processes and there is a logic issue with how the min-release-age flag is parsed and forwarded. This is related to the (closed) issue at #9005 but still exists with the latest npm.
The root cause here is that @npmcli's definitions parser replaces a min-release-age configuration value with a calculated before value, which pacote's FetcherBase then in turn adds to the CLI arguments when spawning a new fetcher process. However, this will then immediately cause a configuration conflict between the pacote-added command line --before and the user .npmrc min-release-age, as if the user supplied both.
The only robust solution here that I can see is:
- Remove the definitions.js special flatten function for
min-release-age so it is flattened like any other parameter.
- Add
--min-release-age=X via pacote's FetcherBase to any child processes, if it is passed in the cli options. This will then match the value in .npmrc anyway and will not trigger any conflict in spawned sub-processes.
- Pass
min-release-age through the stack all the way to npm-pick-manifest (this will touch pacote's RegistryFetcher too)
- Parse both
before and min-release-age in npm-pick-manifest, resolve to a single value (picking the earliest of the 2 if both options somehow make their way that far), and then use that value to identify the correct version to fetch.
In my case, given the only thing I have in my .npmrc file is the min-release-age configuration and that I never use --before on the command line, a much simpler fix was to just comment out line 110 of pacote's FetcherBase (the line that forwards --before to a client process) which provides the desired behaviour without the undesired crash, but this is clearly not a sustainable solution.
Expected Behavior
npm should be able to handle the min-release-age flag correctly and robustly with any dependency requirements
Steps To Reproduce
- Add
min-release-age=7 to your /home/user/.npmrc file
- In a blank folder, run
npm init with the default values, then run npm require github:codemirror/state
- See the error
git dep preparation failed
Environment
- npm: 11.13.0
- Node.js: 24.15.0
- OS Name: Linux Mint
- System Model Name: n/a
- npm config:
; "user" config from /home/puzzledmonkey/.npmrc
before = "2026-04-23T03:11:01.870Z"
; node bin location = /home/puzzledmonkey/.nvm/versions/node/v24.15.0/bin/node
; node version = v24.15.0
; npm local prefix = /home/puzzledmonkey
; npm version = 11.13.0
; cwd = /home/puzzledmonkey
; HOME = /home/puzzledmonkey
; Run `npm config ls -l` to show all defaults.
PLEASE NOTE: This does not reflect the actual contents of my .npmrc file, which is:
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Using the
min-release-ageflag will crash npm if it has any dependencies withgit:orgithub:protocols (even nested dependencies). This is because it needs to spawn fetcher sub-processes and there is a logic issue with how themin-release-ageflag is parsed and forwarded. This is related to the (closed) issue at #9005 but still exists with the latest npm.The root cause here is that @npmcli's definitions parser replaces a
min-release-ageconfiguration value with a calculatedbeforevalue, which pacote's FetcherBase then in turn adds to the CLI arguments when spawning a new fetcher process. However, this will then immediately cause a configuration conflict between the pacote-added command line--beforeand the user .npmrcmin-release-age, as if the user supplied both.The only robust solution here that I can see is:
min-release-ageso it is flattened like any other parameter.--min-release-age=Xvia pacote's FetcherBase to any child processes, if it is passed in the cli options. This will then match the value in .npmrc anyway and will not trigger any conflict in spawned sub-processes.min-release-agethrough the stack all the way to npm-pick-manifest (this will touch pacote's RegistryFetcher too)beforeandmin-release-agein npm-pick-manifest, resolve to a single value (picking the earliest of the 2 if both options somehow make their way that far), and then use that value to identify the correct version to fetch.In my case, given the only thing I have in my .npmrc file is the
min-release-ageconfiguration and that I never use--beforeon the command line, a much simpler fix was to just comment out line 110 of pacote's FetcherBase (the line that forwards--beforeto a client process) which provides the desired behaviour without the undesired crash, but this is clearly not a sustainable solution.Expected Behavior
npm should be able to handle the min-release-age flag correctly and robustly with any dependency requirements
Steps To Reproduce
min-release-age=7to your /home/user/.npmrc filenpm initwith the default values, then runnpm require github:codemirror/stategit dep preparation failedEnvironment
PLEASE NOTE: This does not reflect the actual contents of my .npmrc file, which is:
min-release-age=7