Automatically add to minimumReleaseAgeExclude on security updates (pnpm)

[michaelhazan]

Tell us more.

Currently i have in my pnpm-workspace a minimumReleaseAge of 1 day, which causes renovate to error whenever it attempts to open a security update pr.

While i am aware that if i will use renovate's internal minimumReleaseAge and not the pnpm-workspace one it will be able to handle this scenario without pnpm erroring about it. but the main motivation behind putting it in the pnpm-workspace is to also stop developers from installing / updating packages which are not a day old.

So my suggestion is to give renovate the ability to automatically add the package to the minimumReleaseAgeExclude (in the case of pnpm) whenever it is a security update (maybe it can be a config option that you have to enable first?) that way it can install it properly without pnpm erroring.

On top of that make renovate remove the package after the minimumReleaseAge has passed, in some sort of "cleanup" pr.

[LunDev]

Hey, I agree that's desirable and there is #39168 which discusses it.

On top of that make renovate remove the package after the minimumReleaseAge has passed, in some sort of "cleanup" pr.

As far as I can tell this hasn't been discussed before (would love that, too 0.0).

[jamietanna]

Yeah so we have #39168 to add it - and it's currently in the Merge Queue so should be live shortly 🚀

In terms of removing it when the MRA has passed, that sounds interesting - I've captured #40595 for it 👍