Skip to content

fix(pnpm): retry lockfile gen when maturity blocks base-lockfile pins#44260

Draft
gperepechko-dev wants to merge 4 commits into
renovatebot:mainfrom
gperepechko-dev:feat/pnpm-lockfile-maturity-retry
Draft

fix(pnpm): retry lockfile gen when maturity blocks base-lockfile pins#44260
gperepechko-dev wants to merge 4 commits into
renovatebot:mainfrom
gperepechko-dev:feat/pnpm-lockfile-maturity-retry

Conversation

@gperepechko-dev

@gperepechko-dev gperepechko-dev commented Jun 26, 2026

Copy link
Copy Markdown

Changes

When pnpm minimumReleaseAge rejects a package@version that is already present in the pre-update lockfile, Renovate's cold pnpm install --lockfile-only fails with ERR_PNPM_NO_MATURE_MATCHING_VERSION. That can leave manifest-only PRs and red frozen CI, even though a warm local incremental install may succeed.

This PR mirrors npm's retry-without---before fallback for already-locked young packages:

  • Parse pnpm 10 single-package and pnpm 11 list-style maturity errors.
  • Retry with temporary CLI minimumReleaseAgeExclude entries only when the blocked version is already in the pre-update lockfile, or when it is the target of a vulnerability remediation.
  • Preserve existing pnpm-workspace.yaml minimumReleaseAgeExclude entries while adding temporary retry excludes.
  • Keep brand-new non-security selections blocked by minimumReleaseAge.
  • Surface a maturityFallback artifact notice when the fallback was used.

Related discussion: #39999
Related issues: #40475, #42145, #39168

Context

Please select one of the following:

  • This closes an existing Issue, Closes: #
  • This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.

  • No — I did not use AI for this contribution.
  • Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
  • Yes — substantive assistance (AI-generated non‑trivial portions of code, tests, or documentation). Used agent to help implement and review code/tests.
  • Yes — other (please describe):

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests, but ran on a real repository, or
  • Both unit tests + ran on a real repository

The public repository:

Additional verification:

  • pnpm exec vitest run lib/modules/manager/npm/post-update/pnpm-maturity.spec.ts lib/modules/manager/npm/post-update/pnpm.spec.ts — 68 passed
  • pnpm exec tsc --noEmit --pretty false --incremental false
  • pnpm exec oxlint lib/modules/manager/npm/post-update/pnpm-maturity.ts lib/modules/manager/npm/post-update/pnpm.ts lib/modules/manager/npm/post-update/pnpm-maturity.spec.ts lib/modules/manager/npm/post-update/pnpm.spec.ts

When pnpm minimumReleaseAge rejects a package@version already in the pre-update lockfile (or a vulnerability remediation target), retry with CLI minimumReleaseAgeExclude. Preserves maturity for new selections. Relates to renovatebot#39999.
@github-actions github-actions Bot requested a review from viceice June 26, 2026 16:23
@cla-assistant

cla-assistant Bot commented Jun 26, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@jamietanna jamietanna removed the request for review from viceice June 26, 2026 16:30
@jamietanna jamietanna added the auto:pr-template "Please use PR template" label Jun 26, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Hi there,
We notice that the Pull Request you've created doesn't quite follow our template.
Please update the PR description to follow our template.
This improves the maintainers' time to triage, as key information is clearly indicated in the format we expect.
Thanks, the Renovate team

@jamietanna jamietanna marked this pull request as draft June 26, 2026 16:35
@gperepechko-dev

gperepechko-dev commented Jun 26, 2026

Copy link
Copy Markdown
Author

First draft (mostly by agent), will align with template and test thoroughly on my end.
Added here mostly as a placeholder / PoC I can iterate on if the approach makes sense.

upd: ok, fixed some issues 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auto:pr-template "Please use PR template"

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants