Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
When min-release-age is configured alongside min-release-age-exclude in a .npmrc, packages whose name matches an exclude glob should be exempt from the release-age cutoff.
However, npx still enforces the cutoff for packages that match the exclude pattern, rejecting them with ETARGET
Expected Behavior
npx should exclude packages from the min-release-age if the package follows the min-release-age-exclude in the .npmrc
Steps To Reproduce
- In this environment:
- npm: 12.0.1
- Node: v26.5.0
- OS: Linux
-
With this config in ~/.npmrc:
min-release-age=3
min-release-age-exclude=@myscope/*
-
Run:
npx @myscope/some-package@1.2.3
-
See error:
npm error code ETARGET
npm error notarget No matching version found for @myscope/some-package@1.2.3 with a date before .
npm error notarget In most cases you or one of your dependencies are requesting a package version that doesn't exist.
-
Workaround:
Explicitly passing --min-release-age=0 on the CLI does bypass the restriction:
npx --min-release-age=0 @myscope/some-package@1.2.3
Environment
- npm: 12.0.1
- Node.js: v26.5.0
- OS Name: Linux
- npm config:
ignore-scripts = true
min-release-age = 3
min-release-age-exclude = ["@myscope/*"]
; node version = v26.5.0
; npm version = 12.0.1
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
When
min-release-ageis configured alongsidemin-release-age-excludein a.npmrc, packages whose name matches an exclude glob should be exempt from the release-age cutoff.However,
npxstill enforces the cutoff for packages that match the exclude pattern, rejecting them withETARGETExpected Behavior
npxshould exclude packages from themin-release-ageif the package follows themin-release-age-excludein the.npmrcSteps To Reproduce
With this config in
~/.npmrc:min-release-age=3
min-release-age-exclude=@myscope/*
Run:
npx @myscope/some-package@1.2.3
See error:
npm error code ETARGET
npm error notarget No matching version found for @myscope/some-package@1.2.3 with a date before .
npm error notarget In most cases you or one of your dependencies are requesting a package version that doesn't exist.
Workaround:
Explicitly passing
--min-release-age=0on the CLI does bypass the restriction:npx --min-release-age=0 @myscope/some-package@1.2.3Environment