fix: don't install package from store that doesn't satisfy min release age (#9980)

close #9978
2026-02-15 17:42:31 -05:00 · 2025-09-17 00:11:43 +02:00
parent 952cec3113
commit 121b44e246
3 changed files with 55 additions and 3 deletions
--- a/.changeset/eleven-teams-juggle.md
+++ b/.changeset/eleven-teams-juggle.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/npm-resolver": patch
+"pnpm": patch
+---
+
+Don't ignore the `minimumReleaseAge` check, when the package is requested by exact version and the packument is loaded from cache [#9978](https://github.com/pnpm/pnpm/issues/9978).
--- a/resolving/npm-resolver/src/pickPackage.ts
+++ b/resolving/npm-resolver/src/pickPackage.ts
@@ -191,9 +191,18 @@ export async function pickPackage (
      // use the cached meta only if it has the required package version
      // otherwise it is probably out of date
      if ((metaCachedInStore?.versions?.[spec.fetchSpec]) != null) {
-        return {
-          meta: metaCachedInStore,
-          pickedPackage: metaCachedInStore.versions[spec.fetchSpec],
+        try {
+          const pickedPackage = _pickPackageFromMeta(spec, opts.preferredVersionSelectors, metaCachedInStore, opts.publishedBy)
+          if (pickedPackage) {
+            return {
+              meta: metaCachedInStore,
+              pickedPackage,
+            }
+          }
+        } catch (err) {
+          if (ctx.strictPublishedByCheck) {
+            throw err
+          }
        }
      }
    }
--- a/resolving/npm-resolver/test/publishedBy.test.ts
+++ b/resolving/npm-resolver/test/publishedBy.test.ts
@@ -80,3 +80,40 @@ test('request metadata when the one in cache does not have a version satisfying
  expect(resolveResult!.resolvedVia).toBe('npm-registry')
  expect(resolveResult!.id).toBe('bad-dates@1.0.0')
 })
+
+test('do not pick version that does not satisfy the date requirement even if it is loaded from cache and requested by exact version', async () => {
+  const cacheDir = tempy.directory()
+  const fooMeta = {
+    'dist-tags': {},
+    versions: {
+      '1.0.0': {
+        dist: {
+          integrity: 'sha512-9Qa5b+9n69IEuxk4FiNcavXqkixb9lD03BLtdTeu2bbORnLZQrw+pR/exiSg7SoODeu08yxS47mdZa9ddodNwQ==',
+          shasum: '857db584a1ba5d1cb2980527fc3b6c435d37b0fd',
+          tarball: 'https://registry.npmjs.org/is-positive/-/foo-1.0.0.tgz',
+        },
+      },
+    },
+    time: {
+      '1.0.0': '2016-08-17T19:26:00.508Z',
+    },
+    cachedAt: '2016-08-17T19:26:00.508Z',
+  }
+  fs.mkdirSync(path.join(cacheDir, `${FULL_FILTERED_META_DIR}/registry.npmjs.org`), { recursive: true })
+  fs.writeFileSync(path.join(cacheDir, `${FULL_FILTERED_META_DIR}/registry.npmjs.org/foo.json`), JSON.stringify(fooMeta), 'utf8')
+
+  nock(registries.default)
+    .get('/foo')
+    .reply(200, fooMeta)
+
+  const { resolveFromNpm } = createResolveFromNpm({
+    cacheDir,
+    filterMetadata: true,
+    fullMetadata: true,
+    registries,
+    strictPublishedByCheck: true,
+  })
+  await expect(resolveFromNpm({ alias: 'foo', bareSpecifier: '1.0.0' }, {
+    publishedBy: new Date('2015-08-17T19:26:00.508Z'),
+  })).rejects.toThrow('No matching version found')
+})