minimumReleaseAge is still creating PRs before the configured age threshold leading to potential vulnerabilities

[onigoetz]

How are you running Renovate?

A Mend.io-hosted app

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

My project's configuration includes minimumReleaseAge:
https://github.com/onigoetz/renovate-preset/blob/main/base.json#L15-L20

    {
      "description": "Avoid packages that might have a security issue",
      "matchDatasources": ["npm"],
      "minimumReleaseAge": "3 days"
    }

(some other settings that interact with minimumReleaseAge such as internalChecksFilter or prCreation were at their default value at the moment of the described facts

• 2025-09-26T16:13:15Z contentful version 11.8.0 released
• 2025-09-26T17:27:32Z contentful version 11.8.1 released
• 2025-09-26T21:27:25Z I checked "Update all non-major dependencies (next, node, yarn)" on the Dependency Dashboard onigoetz/onigoetz.github.io#89
• 2025-09-26T21:28:35Z Renovate opened a PR Update all non-major dependencies onigoetz/onigoetz.github.io#333
• 2025-09-26T21:33:41Z I merged the PR
• 2025-09-27T02:22:03Z Renovate opened a PR for contentful 1.8.1: Update all non-major dependencies onigoetz/onigoetz.github.io#334
  • This is 9 hours after the release, so below the 3 days specified in the configuration
  • internalChecksFilter=strict is the default but it still created the PR
  • The PR got two updates since to change the PR description
  • Yarn failed to update the lockfile at PR creation as it uses npmMinimalAgeGate: 4320 which strictly prevents installing packages younger than three days
• 2025-10-01T00:09:10.105Z contentful Released version 11.8.2
  • Renovate did not update to this version yet, so that's a good thing

Why is this a problem?

1. When setting minimumReleaseAge to three days, I really expect no PR nor branch to be created under three days.

• Renovate is a powerful attack amplifier, a package can be compromised and Renovate can create branches or Pull Requests on many repositories very fast. If the package uses the project's CI to propagate itself the effects could be devastating.
• Following the recent NPM breaches I want to very strictly avoid ANY package younger than three days to be added to my project, I expected minimumReleaseAge to do just that

2. It is still possible to go to the Dependency Dashboard and force the creation of a PR for an update.

• This is unexpected as it bypasses the configured value
• As stated above, this can be a security risk, triggered by accident by a developer

3. PRs/Branches created too early by Renovate break when used with Yarn's npmMinimalAgeGate feature

• Renovate updates the dependency in package.json
• Runs yarn install but fails as Yarn finds no installable candidate
• Creates the PR anyway
• The PR fails in CI as the lockfile is outdated

What I expect

I expect that the minimumReleaseAge setting strictly enforces to forbid packages under the specified age to be added to the repository.

I opened a PR that introduces a new allowedMinimumReleaseAge which would strictly apply minimumReleaseAge the same way allowedVersions does: #38267

Additional insights
As you can see in the log below, Renovate finds the update candidate, then proceeds to create the PR as it is within schedule. I think minimulReleaseAge is it possible that it doesn't interact well with groups ?

Small bug report
The "lock file error" in the log has a clear message on what's wrong with Yarn, but the artifact update error message on the PR does not show that message. I can open a separate discussion just for that aspect

Note that I also opened another discussion on the fact that minimumReleaseAge doesn't help with transitive dependencies or lockfileUpdates; #38115 Though this discussion is on a different scope than this one as it relates to the job of package managers themselves

Logs (if relevant)

Logs

Full Log: https://gist.github.com/onigoetz/752b0cb3f4963abf815eaa7a856b09d0

          {
            "currentValue": "11.7.19",
            "currentVersion": "11.7.19",
            "currentVersionAgeInDays": 11,
            "currentVersionTimestamp": "2025-09-16T00:11:49.177Z",
            "datasource": "npm",
            "depName": "contentful",
            "depType": "dependencies",
            "fixedVersion": "11.7.19",
            "homepage": "https://www.contentful.com/developers/documentation/content-delivery-api/",
            "isSingleVersion": true,
            "lockedVersion": "11.7.19",
            "mostRecentTimestamp": "2025-09-26T17:27:32.574Z",
            "packageName": "contentful",
            "prettyDepType": "dependency",
            "registryUrl": "https://registry.npmjs.org",
            "sourceUrl": "https://github.com/contentful/contentful.js",
            "versioning": "npm",
            "warnings": [],
            "updates": [
              {
                "bucket": "non-major",
                "newVersion": "11.8.1",
                "newValue": "11.8.1",
                "releaseTimestamp": "2025-09-26T17:27:32.574Z",
                "newVersionAgeInDays": 0,
                "newMajor": 11,
                "newMinor": 8,
                "newPatch": 1,
                "updateType": "minor",
                "isBreaking": false,
                "pendingChecks": true,
                "libYears": 0.029367814466007103,
                "branchName": "renovate/all-minor-patch"
              }
            ]
          },

...

DEBUG: Update has not passed minimum release age (branch="renovate/all-minor-patch")
{
  "depName": "contentful"
  "timeElapsed": 32058489
  "minimumReleaseAge": "3 days"
}

...

DEBUG: lock file error (branch="renovate/all-minor-patch")
{
  "err": {
    "cmd": "/bin/sh -c yarn install --mode=update-lockfile",
    "stderr": "! Corepack is about to download https://repo.yarnpkg.com/4.10.3/packages/yarnpkg-cli/bin/yarn.js\n",
    "stdout": "➤ YN0000: · Yarn 4.10.3\n➤ YN0000: ┌ Resolution step\n➤ YN0082: │ contentful@npm:11.8.1: No candidates found\n➤ YN0000: └ Completed\n➤ YN0000: · Failed with errors in 0s 209ms\n",
    "options": {
      "cwd": "/tmp/renovate/repos/github/onigoetz/onigoetz.github.io",
      "encoding": "utf-8",
      "env": [
        "NPM_CONFIG_CACHE",
        "npm_config_store",
        "CI",
        "YARN_ENABLE_IMMUTABLE_INSTALLS",
        "YARN_HTTP_TIMEOUT",
        "YARN_GLOBAL_FOLDER",
        "YARN_ENABLE_GLOBAL_CACHE",
        "HOME",
        "PATH",
        "LC_ALL",
        "LANG",
        "CONTAINERBASE_CACHE_DIR"
      ],
      "maxBuffer": 10485760,
      "timeout": 900000
    },
    "exitCode": 1,
    "name": "ExecError",
    "message": "Command failed: yarn install --mode=update-lockfile\n! Corepack is about to download https://repo.yarnpkg.com/4.10.3/packages/yarnpkg-cli/bin/yarn.js\n",
    "stack": "ExecError: Command failed: yarn install --mode=update-lockfile\n! Corepack is about to download https://repo.yarnpkg.com/4.10.3/packages/yarnpkg-cli/bin/yarn.js\n\n    at ChildProcess.<anonymous> (/usr/local/renovate/lib/util/exec/common.ts:120:11)\n    at ChildProcess.emit (node:events:531:35)\n    at ChildProcess.emit (node:domain:489:12)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:293:12)"
  }
  "type": "yarn"
}

....

INFO: PR created (branch="renovate/all-minor-patch")
{
  "pr": 334
  "prTitle": "Update dependency contentful to v11.8.1"
}

DEBUG: resolveBranchStatus(branchName=renovate/all-minor-patch, ignoreTests=false) (branch="renovate/all-minor-patch")
DEBUG: getBranchStatus(renovate/all-minor-patch) (branch="renovate/all-minor-patch")
DEBUG: http cache: Using cached response: https://api.github.com/repos/onigoetz/onigoetz.github.io/commits/renovate/all-minor-patch/status from 2025-09-27T02:22:02.671Z (branch="renovate/all-minor-patch")
DEBUG: branch status check result (branch="renovate/all-minor-patch")
{
  "state": "failure"
  "statuses": [
    {
      "url": "https://api.github.com/repos/onigoetz/onigoetz.github.io/statuses/fc3c56212758856c61b61be7aaf8446b33e5ff07",
      "avatar_url": "https://avatars.githubusercontent.com/in/2740?v=4",
      "id": 39607277747,
      "node_id": "SC_kwDOAP6xQc8AAAAJOMcYsw",
      "state": "failure",
      "description": "Artifact file update failure",
      "target_url": null,
      "context": "renovate/artifacts",
      "created_at": "2025-09-27T02:22:02Z",
      "updated_at": "2025-09-27T02:22:02Z"
    },
    {
      "url": "https://api.github.com/repos/onigoetz/onigoetz.github.io/statuses/fc3c56212758856c61b61be7aaf8446b33e5ff07",
      "avatar_url": "https://avatars.githubusercontent.com/in/2740?v=4",
      "id": 39607277786,
      "node_id": "SC_kwDOAP6xQc8AAAAJOMcY2g",
      "state": "pending",
      "description": "Updates have not met minimum release age requirement",
      "target_url": "https://docs.renovatebot.com/configuration-options#minimumreleaseage",
      "context": "renovate/stability-days",
      "created_at": "2025-09-27T02:22:02Z",
      "updated_at": "2025-09-27T02:22:02Z"
    }
  ]
}

[RahulGautamSingh]

When setting minimumReleaseAge to three days, I really expect no PR nor branch to be created under three days.

You expect minimumReleaseAge to behave a certain way but please read the docs .. it's clearly mentioned how it behaves.

As per the docs, there's no mention that solely minimumReleaseAge will prevent branch creation. minimumReleaseAge only adds a non-pending status check to the branch if the release age is not met.

Whether branch/PR is created or not can be controlled by users using other available options which gives users the flexibility to customize behavior.

It is still possible to go to the Dependency Dashboard and force the creation of a PR for an update.

A design choice, we won't be discussing that here

PRs/Branches created too early by Renovate break when used with Yarn's npmMinimalAgeGate feature

If no branch previously existed for the update .. then by default you won't get a branch because of internalChecksFilter=strict setting.

If an older branch with same name exists, as in your case. You set prCreation=not-pending & then no PRs will created using that branch till the release age requirement is met.

I think minimulReleaseAge is it possible that it doesn't interact well with groups ?

If you have found a case where it doesn't create a separate discussion.

Now, the actual issue which cannot be handled by Renovate today is the update of an existing branch with updates that haven't met release age, which as you mentioned have potential to propagate attacks via CI pipelines incase those are configured to run when branch is pushed.

We can discuss on how this can be tackled.

[RahulGautamSingh]

Actually, if we add an if-check here which prevents the branch from being updated incase pendingChecks=true then the bug should be fixed.

renovate/lib/workers/repository/update/branch/index.ts

Line 260 in e4ebf7f

if (branchExists) {

[jamietanna]

(still catching up on a few of the threads)

I agree with Rahul, I see this as a bug in behaviour - Renovate should not be updating a branch that has been created because minimumReleaseAge has passed and push an updated version which is < minimumReleaseAge

[onigoetz]

Oh wait that's interesting, you caught on something I didn't notice. Indeed the renovate/all-minor-patch branch already existed at when the PR got created. It is apparently a bug that needs three consecutive runs with specific conditions to happen. I uploaded the full logs here: https://gist.github.com/onigoetz/752b0cb3f4963abf815eaa7a856b09d0

TL;DR of the long explanation below

• 1st run a PR is created for "node, yarn, next"; contentful is excluded
• 2nd run, the renovate/all-minor-patch branch is not deleted as it found an update of contentful but is out of schedule to open a PR, it is thus not an orphan branch to delete
• 3rd run, the renovate/all-minor-patch branch exists, the PR for contentful is created even though it's out of its minimumReleaseAge threshold

1st run: I requested a PR creation for node, yarn, and next

Relevant logs:

DEBUG: 4 flattened updates found: contentful, next, yarn, node

...

DEBUG: prHourlyLimit of the upgrades present in this branch (branch="renovate/all-minor-patch")
{
  "limits": [
    {
      "depName": "next",
      ...
      "depName": "node",
      ...
      "depName": "yarn",
    }
  ]
}
...
DEBUG: PR created (branch="renovate/all-minor-patch")
{
  "pr": 333
}

So what's interesting here is that Renovate was already aware of the contentful update but it did not include it in the PR; There is no line in the log about it but I understand that it's due to minimumReleaseAge so this went well

In then merged the PR in GitHub which triggered a second run

2nd run: PR was merged, no new PR is created

DEBUG: 1 flattened updates found: contentful
...
DEBUG: Checking schedule(schedule=* * * * 0,6, tz=null, now=2025-09-26T21:34:04.034Z) (branch="renovate/all-minor-patch")
DEBUG: Checking 1 schedule(s) (branch="renovate/all-minor-patch")
DEBUG: Human-readable summary for cron:: Every minute, only on Sunday and Saturday (branch="renovate/all-minor-patch")
DEBUG: Package not scheduled (branch="renovate/all-minor-patch")
DEBUG: Skipping PR creation out of schedule (branch="renovate/all-minor-patch")
...
DEBUG: Branch lists
{
  "branchList": [
    "renovate/all-minor-patch"
  ]
  "renovateBranches": [
    "renovate/all-minor-patch",
    "renovate/major-yarn-monorepo",
    "renovate/marked-16.x"
  ]
}

Usually, this run right after a merge deletes orphan branches.
In this case it decided not to as it saw found updates to perform that would land on this branch.
The only reason it didn't perform this update was that the PR was out of schedule ( it ran on friday evening, schedule starts on saturday)

I would have two open questions for that part:

1. Since the renovate/all-minor-patch branch could potentially exist (but is out of schedule) shouldn't it still be considered an orphan and be deleted?
2. Why is the contentful package considered for update as it is out of the minimumReleaseAge ? is it because it's the only package in the group ?

3rd run: it's saturday we're in schedule

DEBUG: 1 flattened updates found: contentful
...
DEBUG: Processing 1 branch: renovate/all-minor-patch
DEBUG: getBranchPr(renovate/all-minor-patch)
DEBUG: findPr(renovate/all-minor-patch, undefined, open)
DEBUG: 0 PRs are currently open
DEBUG: ConcurrentPRs count = 0
DEBUG: 1 already existing branches found.
...
DEBUG: Checking schedule(schedule=* * * * 0,6, tz=null, now=2025-09-27T02:21:51.058Z) (branch="renovate/all-minor-patch")
DEBUG: Checking 1 schedule(s) (branch="renovate/all-minor-patch")
DEBUG: Human-readable summary for cron:: Every minute, only on Sunday and Saturday (branch="renovate/all-minor-patch")
DEBUG: Matches schedule * * * * 0,6 (branch="renovate/all-minor-patch")
DEBUG: Update has not passed minimum release age (branch="renovate/all-minor-patch")
{
  "depName": "contentful"
  "timeElapsed": 32058489
  "minimumReleaseAge": "3 days"
}
...
DEBUG: Setting branch status (branch="renovate/all-minor-patch")
{
  "context": "renovate/stability-days"
  "state": "yellow"
}
...
INFO: PR created (branch="renovate/all-minor-patch")
{
  "pr": 333
  "prTitle": "Update all non-major dependencies"
}

So that gets me to the same conclusion as you; Renovate saw that the branch already existed and decided to create the PR even though it noticed that the "Update has not passed minimum release age" and ignored that information.

Open question: Did renovate ignore internalChecksFilter="strict" because the branch already existed ?

Recap
So there are three behaviors / potential bugs that made this possible:

1. An orphan branch wasn't deleted because a future PR was out of schedule
2. contentful is considered as an update in a group when it was alone (run 2), but not when other packages were present (run 1)
3. Renovate opened the PR because the branch existed even if internalChecksFilter="strict" was set

And a lesson for myself: I should enable GitHub's automatic branch deletion after a merge on my projects :)

[jamietanna]

@onigoetz thanks very much for this! While investigating, would you mind sharing the links to the repo runs on https://developer.mend.io/github/onigoetz/onigoetz.github.io that these logs are from? We can do some additional debugging on the Mend side with access to the full debug logs (as you have - nothing extra we'll be debugging with)

[onigoetz]

@jamietanna my pleasure :)
yes sure, so there is an extract in the Gist: https://gist.github.com/onigoetz/752b0cb3f4963abf815eaa7a856b09d0

And the direct links are:

• run 1: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/f4048bfe-3527-4367-9c40-a89aac9622e5
• run 2: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/ec0b06b0-6e3e-44a6-98a8-1d0a4b1c62f3
• run 3: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/0199888b-3b82-77d1-8c0a-613c42722508

[jamietanna]

I've prepared an example repository testing out this behaviour, using a Custom Datasource for more predictable testing.

You can see copies of the full debug logs for each scenario being tested, and steps on how to run it in there.

So far I've only tested with platform=local. Next I'll test with platform=github next to validate what happens when there is a branch created, and confirming the behaviour follows ☝️

[jamietanna]

Thanks very much @onigoetz for that digging + the detailed info.

To expand on what you've said:

• 2025-09-26T16:13:15Z contentful version 11.8.0 released
• 2025-09-26T17:27:32Z contentful version 11.8.1 released
• 2025-09-26T21:27:25Z I checked "Update all non-major dependencies (next, node, yarn)" on the Dependency Dashboard onigoetz/onigoetz.github.io#89
  • This triggered https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/f4048bfe-3527-4367-9c40-a89aac9622e5
  • This doesn't include contentful at this time, due to:

{
  "currentValue": "11.7.19",
  "currentVersion": "11.7.19",
  "currentVersionAgeInDays": 10,
  "currentVersionTimestamp": "2025-09-16T00:11:49.177Z",
  "datasource": "npm",
  "depName": "contentful",
  "depType": "dependencies",
  "fixedVersion": "11.7.19",
  "homepage": "https://www.contentful.com/developers/documentation/content-delivery-api/",
  "isSingleVersion": true,
  "lockedVersion": "11.7.19",
  "mostRecentTimestamp": "2025-09-26T17:27:32.574Z",
  "packageName": "contentful",
  "prettyDepType": "dependency",
  "registryUrl": "https://registry.npmjs.org",
  "sourceUrl": "https://github.com/contentful/contentful.js",
  "versioning": "npm",
  "warnings": [],
  "updates": [
    {
      "bucket": "non-major",
      "newVersion": "11.8.1",
      "newValue": "11.8.1",
      "releaseTimestamp": "2025-09-26T17:27:32.574Z",
      "newVersionAgeInDays": 0,
      "newMajor": 11,
      "newMinor": 8,
      "newPatch": 1,
      "updateType": "minor",
      "isBreaking": false,
      "pendingChecks": true,
      "libYears": 0.029367814466007103,
      "branchName": "renovate/all-minor-patch"
    }
  ]
},

• 2025-09-26T21:28:35Z Renovate opened a PR Update all non-major dependencies onigoetz/onigoetz.github.io#333
• 2025-09-26T21:33:41Z I merged the PR
• 2025-10-10T21:34:05Z After merge, Renovate triggers: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/ec0b06b0-6e3e-44a6-98a8-1d0a4b1c62f3
• 2025-09-26T21:34:xxZ Renove updates the Dependency Dashboard to show Contentful is "Awaiting schedule"
  • Doesn't raise contentful change due to:

{
  "depType": "dependencies",
  "depName": "contentful",
  "currentValue": "11.7.19",
  "datasource": "npm",
  "prettyDepType": "dependency",
  "lockedVersion": "11.7.19",
  "updates": [
    {
      "bucket": "non-major",
      "newVersion": "11.8.1",
      "newValue": "11.8.1",
      "releaseTimestamp": "2025-09-26T17:27:32.574Z",
      "newVersionAgeInDays": 0,
      "newMajor": 11,
      "newMinor": 8,
      "newPatch": 1,
      "updateType": "minor",
      "isBreaking": false,
      "pendingChecks": true,
      "libYears": 0.029367814466007103,
      "branchName": "renovate/all-minor-patch"
    }
  ],

• 2025-09-27T02:22:03Z Renovate runs: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/0199888b-3b82-77d1-8c0a-613c42722508
• 2025-09-27T02:22:03Z Renovate opened a PR for contentful 1.8.1: Update all non-major dependencies onigoetz/onigoetz.github.io#334
  • This is 9 hours after the release, so below the 3 days specified in the configuration
  • internalChecksFilter=strict is the default but it still created the PR
  • The PR got two updates since to change the PR description
  • Yarn failed to update the lockfile at PR creation as it uses npmMinimalAgeGate: 4320 which strictly prevents installing packages younger than three days
  • Still shown as pending:

DEBUG: 1 already existing branches found.

DEBUG: syncBranchState() (branch="renovate/all-minor-patch")
DEBUG: branch.isUpToDate(): needs recalculation (branch="renovate/all-minor-patch")
DEBUG: getBranchPr(renovate/all-minor-patch) (branch="renovate/all-minor-patch")
DEBUG: findPr(renovate/all-minor-patch, undefined, open) (branch="renovate/all-minor-patch")
DEBUG: branchExists=true (branch="renovate/all-minor-patch")

DEBUG: Update has not passed minimum release age (branch="renovate/all-minor-patch")
{
  "depName": "contentful"
  "timeElapsed": 32058489
  "minimumReleaseAge": "3 days"
}

"updates": [
  {
    "bucket": "non-major",
    "newVersion": "11.8.1",
    "newValue": "11.8.1",
    "releaseTimestamp": "2025-09-26T17:27:32.574Z",
    "newVersionAgeInDays": 0,
    "newMajor": 11,
    "newMinor": 8,
    "newPatch": 1,
    "updateType": "minor",
    "isBreaking": false,
    "pendingChecks": true,
    "libYears": 0.029367814466007103,
    "branchName": "renovate/all-minor-patch"
  }

• 2025-10-01T00:09:10.105Z contentful Released version 11.8.2
  • Renovate did not update to this version yet, so that's a good thing

Aside: the node update wasn't within the 3 day minimumReleaseAge for onigoetz/onigoetz.github.io#333

• run 1: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/f4048bfe-3527-4367-9c40-a89aac9622e5 (Requested ac9622e5)
• run 2: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/ec0b06b0-6e3e-44a6-98a8-1d0a4b1c62f3 (Requested 4b1c62f3)
• run 3: https://developer.mend.io/github/onigoetz/onigoetz.github.io/-/job/0199888b-3b82-77d1-8c0a-613c42722508

[jamietanna]

My next steps are, given:

So there are three behaviors / potential bugs that made this possible:

• An orphan branch wasn't deleted because a future PR was out of schedule
• contentful is considered as an update in a group when it was alone (run 2), but not when other packages were present (run 1)
• Renovate opened the PR because the branch existed even if internalChecksFilter="strict" was set

1. Produce a (unit/integration) test that exposes this behaviour
2. Validate what (if any) impact fix: pending upgrades filtering  #38352 has on this
3. Work out what other fixes need to be put in place

[jamietanna]

renovate/lib/workers/repository/update/branch/index.ts

Lines 429 to 444 in 616dc31

	// Don't create a branch if we know it will be status 'pending'
	if (
	!dependencyDashboardCheck &&
	!branchExists &&
	config.stabilityStatus === 'yellow' &&
	['not-pending', 'status-success'].includes(config.prCreation!)
	) {
	logger.debug(
	'Skipping branch creation due to internal status checks not met',
	);
	return {
	branchExists,
	result: 'pending',
	};
	}
	}

should have triggered this conditional, but given:

DEBUG: branchExists=true (branch="renovate/all-minor-patch")
DEBUG: dependencyDashboardCheck=undefined (branch="renovate/all-minor-patch")

That'd evaluate as:

      if (
        !false &&
        !true &&
        'yellow' === 'yellow' &&
        ['not-pending', 'status-success'].includes(config.prCreation!) // I don't see this overridden, so should be the default of https://docs.renovatebot.com/configuration-options/#prcreation which would be `immediate`
      ) {

(aka this conditional would not be triggered)

[jamietanna]

In the meantime of a "long term fix", I've raised #38566 to make sure that we inform repo owners that they could be susceptible to a bug / race condition here

[jamietanna]

This should be fixed by #38720 - I'll be reviewing it today