Is there an existing issue for this?
Package ecosystem
npm
Package manager version
npm ^11.10.0
Language version
Node ^24.14.1
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
In .npmrc we have set min-release-age=14, which means we only install package versions that have been released at least 2 weeks ago.
I expect dependabot to ignore this setting for security updates (like it ignores cooldown for security updates) and make the update PR; instead I find this error in the Dependabot logs:
2026/05/20 11:22:07 ERROR <job_1376421738> Error running package manager command: corepack npm install ws@8.20.1 --package-lock-only --dry-run=true --ignore-scripts, Error: npm error code ETARGET
npm error notarget No matching version found for ws@8.20.1 with a date before 5/6/2026, 11:22:06 AM.
Native package manager behavior
If I currently run npm update ws --force --ignore-scripts --package-lock-only it will update to ws@8.20.0 because that version is older than 2 weeks.
But if I run npm update ws --force --ignore-scripts --package-lock-only --min-release-age=0 (note the added --min-release-age=0) it will update to the actual latest version: ws@8.20.1
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
When it comes to security update PRs, I think dependabot should ignore min-release-age (but please don't ignore it for regular update PRs). So instead of running:
npm update PACKAGE_NAME --force --ignore-scripts --package-lock-only
You can run this:
npm update PACKAGE_NAME --force --ignore-scripts --package-lock-only --min-release-age=0
This will tell npm to ignore the user's min-release-age and install the latest version.