Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
When min-release-age is configured alongside min-release-age-exclude in a .npmrc, packages whose name matches an exclude glob should be exempt from the release-age cutoff.
However, npm pack still enforces the cutoff for packages that match the exclude pattern, rejecting them with ETARGET
Expected Behavior
npm pack should exclude packages from the min-release-age if the package follows the min-release-age-exclude in the .npmrc
Steps To Reproduce
- In this environment:
- npm: 12.0.1
- Node: v26.3.1
- OS: Linux
- Registry: private (self-hosted, non-npmjs)
-
With this config in ~/.npmrc:
min-release-age=7
min-release-age-exclude=@myscope/*
-
Run:
npm pack @myscope/some-package@1.2.3 --registry https://my-private-registry.example.com --pack-destination=.
-
See error:
npm error code ETARGET
npm error notarget No matching version found for @myscope/some-package@1.2.3 with a date before .
npm error notarget In most cases you or one of your dependencies are requesting a package version that doesn't exist.
-
Workaround:
Explicitly passing --min-release-age=0 on the CLI does bypass the restriction:
npm pack @myscope/some-package@1.2.3 --registry https://my-private-registry.example.com --pack-destination=. --min-release-age=0
Environment
- npm: 12.0.1
- Node: v26.3.1
- OS: Linux
- Registry: private (self-hosted, non-npmjs)
- npm config:
; "user" config from /home/me/.npmrc
@Myscope:registry = "https://my-private-registry.example.com/api/v4/packages/npm/"
//my-private-registry.example.com/api/v4/packages/npm/:_authToken = (protected)
allow-remote = "all"
min-release-age = 7
min-release-age-exclude = ["@myscope/*"]
; node bin location = /usr/bin/node
; node version = v26.3.1
; npm version = 12.0.1
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
When
min-release-ageis configured alongsidemin-release-age-excludein a.npmrc, packages whose name matches an exclude glob should be exempt from the release-age cutoff.However,
npm packstill enforces the cutoff for packages that match the exclude pattern, rejecting them withETARGETExpected Behavior
npm packshould exclude packages from themin-release-ageif the package follows themin-release-age-excludein the.npmrcSteps To Reproduce
With this config in
~/.npmrc:min-release-age=7
min-release-age-exclude=@myscope/*
Run:
npm pack @myscope/some-package@1.2.3 --registry https://my-private-registry.example.com --pack-destination=.
See error:
npm error code ETARGET
npm error notarget No matching version found for @myscope/some-package@1.2.3 with a date before .
npm error notarget In most cases you or one of your dependencies are requesting a package version that doesn't exist.
Workaround:
Explicitly passing
--min-release-age=0on the CLI does bypass the restriction:npm pack @myscope/some-package@1.2.3 --registry https://my-private-registry.example.com --pack-destination=. --min-release-age=0Environment
; "user" config from /home/me/.npmrc
@Myscope:registry = "https://my-private-registry.example.com/api/v4/packages/npm/"
//my-private-registry.example.com/api/v4/packages/npm/:_authToken = (protected)
allow-remote = "all"
min-release-age = 7
min-release-age-exclude = ["@myscope/*"]
; node bin location = /usr/bin/node
; node version = v26.3.1
; npm version = 12.0.1