Description
Self-service
- I'd be willing to implement a fix
Describe the bug
The npmMinimalAgeGate feature was introduced in this PR, to block the installation of package versions that were only recently published to NPM:
When installing or updating dependencies, ideally this should choose the newest compatible version that is older than the age gate, but excluding pre-release versions of the package (as is the usual behavior when using fuzzy version matching).
Instead, the newest version is installed, even if that is a pre-release version.
To reproduce
package.json

{
  "name": "test-yarn-npmMinimalAgeGate",
  "packageManager": "yarn@4.10.2"
}

.yarnrc.yml

npmMinimalAgeGate: 72000 # 50 days in minutes - adjust so cutoff date is 2025-07-31

Then install a package with plenty of pre-release versions:

yarn add @typespec/compiler

Observe that package.json is now updated to:

{
  "name": "test-yarn-npmMinimalAgeGate",
  "packageManager": "yarn@4.10.2",
  "dependencies": {
    "@typespec/compiler": "^1.3.0-dev.10"
  }
}

In this case, because version 1.3.0 would be too new (published 2025-08-07), yarn should have chosen version 1.2.1 instead (published 2025-07-15), but instead chose a pre-release version (published 2025-07-30).
Environment
System:
OS: macOS 14.7.8
CPU: (10) arm64 Apple M1 Pro
Binaries:
Node: 23.7.0 - /private/var/folders/g8/q_gt51tn1q35j19j5t87wm7r0000gp/T/xfs-13b8b091/node
Yarn: 4.10.2 - /private/var/folders/g8/q_gt51tn1q35j19j5t87wm7r0000gp/T/xfs-13b8b091/yarn
npm: 10.9.2 - /opt/homebrew/bin/npm
Additional context
No response
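
The selection rule this report expects, as an added example (not Yarn's code and not written by the issue author): pick the highest semver version published at or before the age-gate cutoff, skipping pre-releases unless they are explicitly allowed. The publish dates are the ones quoted in the report with the time of day assumed to be 00:00 UTC; `resolve`, `compare`, `parse` and the `NOW` value are hypothetical names and inputs.

```javascript
// Constructed registry "time" map: dates from the report, time of day assumed.
const published = {
  "1.2.1": "2025-07-15T00:00:00Z",
  "1.3.0-dev.10": "2025-07-30T00:00:00Z",
  "1.3.0": "2025-08-07T00:00:00Z",
};
// Assumed "now", chosen so a 72000-minute gate gives a cutoff of 2025-07-31.
const NOW = new Date("2025-09-19T00:00:00Z");

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: m.slice(1, 4).map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric core first, then a release outranks its pre-releases.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers sorts lower
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q); // "10" > "9" numerically
    if (pn !== qn) return pn ? -1 : 1;          // numeric < alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// Highest version that passes the age gate; pre-releases are opt-in only.
function resolve(times, ageGateMinutes, now, { allowPrerelease = false } = {}) {
  const cutoff = now.getTime() - ageGateMinutes * 60_000;
  const eligible = Object.keys(times).filter(v =>
    Date.parse(times[v]) <= cutoff &&
    (allowPrerelease || parse(v).pre.length === 0));
  return eligible.sort(compare).pop() ?? null;
}

console.log(resolve(published, 72000, NOW));                            // expected pick
console.log(resolve(published, 72000, NOW, { allowPrerelease: true })); // reported pick
```

With the pre-release filter switched off, the same gate yields the version the report observed, which is why an age-only filter is not enough when the newest stable release falls inside the gate.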