feat(update): add minimumReleaseAge and default to 1 day

Refs #302

Author: JamieMason

README.md

@@ -84,7 +84,7 @@ syncpack fix -h
 
 ### [update](https://syncpack.dev/command/update)
 
-Update packages to the latest versions from the npm registry, wherever they are in your monorepo.<br/>Semver range preferences are preserved when updating.
+Update packages to the latest versions from the npm registry, wherever they are in your monorepo, including pnpm catalog entries in `pnpm-workspace.yaml`.<br/>Semver range preferences are preserved when updating.
 
 #### Examples
 
@@ -99,6 +99,10 @@ syncpack update --target patch
 syncpack update --check --source 'packages/pingu/package.json'
 # Update dependencies and devDependencies in the whole monorepo
 syncpack update --dependency-types dev,prod
+# Update only pnpm catalog entries in pnpm-workspace.yaml
+syncpack update --dependency-types pnpmCatalog
+# Update only the named pnpm catalog 'react18'
+syncpack update --dependency-types 'pnpmCatalog:react18'
 # Only update dependencies with a semver range specifier (^, ~, etc.)
 syncpack update --specifier-types range
 # Update dependencies where name exactly matches 'react'

npm/syncpack.ts

@@ -15,6 +15,14 @@ export interface RcFile {
   indent?: string;
   /** @see https://syncpack.dev/config/max-concurrent-requests */
   maxConcurrentRequests?: number;
+  /**
+   * Skip dependency updates published less than this many minutes ago.
+   * `0` disables the filter. When omitted, the value from the project's
+   * `pnpm-workspace.yaml` is used; if neither is set, defaults to `1440`
+   * (one day). Setting it here always overrides the pnpm value.
+   * @see https://pnpm.io/settings#minimumreleaseage
+   */
+  minimumReleaseAge?: number;
   /** @see https://syncpack.dev/semver-groups */
   semverGroups?: SemverGroup.Any[];
   /** @see https://syncpack.dev/config/sort-az */

site/astro.config.mjs

@@ -110,6 +110,7 @@ export default defineConfig({
             'config/format-repository',
             'config/indent',
             'config/max-concurrent-requests',
+            'config/minimum-release-age',
             { label: 'semverGroups', link: '/semver-groups/' },
             'config/sort-az',
             'config/sort-exports',

site/remark-plugins/link-aliases.mjs

@@ -14,6 +14,7 @@ export function linkAliases() {
     CONFIG_FORMAT_BUGS: '/config/format-bugs/',
     CONFIG_FORMAT_REPOSITORY: '/config/format-repository/',
     CONFIG_INDENT: '/config/indent/',
+    CONFIG_MINIMUM_RELEASE_AGE: '/config/minimum-release-age/',
     CONFIG_SEMVER_GROUPS: '/semver-groups/',
     CONFIG_SORT_AZ: '/config/sort-az/',
     CONFIG_SORT_EXPORTS: '/config/sort-exports/',
@@ -64,6 +65,7 @@ export function linkAliases() {
     HREF_PACKAGE_MANAGER: 'https://nodejs.org/api/packages.html#packagemanager',
     HREF_PEER_DEPENDENCIES: 'https://docs.npmjs.com/cli/v11/configuring-npm/package-json#peerDependencies',
     HREF_PNPM: 'https://pnpm.js.org/',
+    HREF_PNPM_MINIMUM_RELEASE_AGE: 'https://pnpm.io/settings#minimumreleaseage',
     HREF_PNPM_OVERRIDES: 'https://pnpm.io/settings#overrides',
     HREF_RESOLUTIONS: 'https://docs.npmjs.com/cli/v11/configuring-npm/package-json#resolutions',
     HREF_SYNCPACK_GITHUB_ACTION:

site/src/content/docs/command/update.mdx

@@ -1,6 +1,8 @@
 ---
 title: update
 description: Update dependency versions to latest releases from the npm registry
+sidebar:
+  badge: Updated
 ---
 
 import { Badge } from "@astrojs/starlight/components";
@@ -19,7 +21,7 @@ import SourceOption from "@partials/option/source.mdx";
 import SpecifierTypesOption from "@partials/option/specifier-types.mdx";
 import TargetOption from "@partials/option/target.mdx";
 
-Update dependencies in your monorepo to newer versions from the npm registry. Checks for available updates and modifies package.json files to use them. Unlike `fix` which synchronises versions across packages, `update` fetches the latest published versions. Use `--target` to control update strategy (latest, minor, patch).
+Update dependencies in your monorepo to newer versions from the npm registry. Checks for available updates and modifies package.json files — and `pnpm-workspace.yaml` catalog entries when present — to use them. Unlike `fix` which synchronises versions across packages, `update` fetches the latest published versions. Use `--target` to control update strategy (latest, minor, patch). Versions newer than [minimumReleaseAge](CONFIG_MINIMUM_RELEASE_AGE) are excluded by default to reduce supply chain attack risk.
 
 ## Examples
 
@@ -34,6 +36,10 @@ syncpack update --target patch
 syncpack update --check --source 'packages/pingu/package.json'
 # Update dependencies and devDependencies in the whole monorepo
 syncpack update --dependency-types dev,prod
+# Update only pnpm catalog entries in pnpm-workspace.yaml
+syncpack update --dependency-types pnpmCatalog
+# Update only the named pnpm catalog 'react18'
+syncpack update --dependency-types 'pnpmCatalog:react18'
 # Only update dependencies with a semver range specifier (^, ~, etc.)
 syncpack update --specifier-types range
 # Update dependencies where name exactly matches 'react'

site/src/content/docs/config/custom-types.mdx

@@ -1,6 +1,8 @@
 ---
 title: customTypes
 description: Define custom package.json properties to manage beyond standard dependency types
+sidebar:
+  badge: Updated
 ---
 
 import { Badge } from "@astrojs/starlight/components";

site/src/content/docs/config/minimum-release-age.mdx

@@ -0,0 +1,42 @@
+---
+title: minimumReleaseAge
+description: Skip updates to dependency versions published more recently than this threshold
+sidebar:
+  badge: New
+---
+
+When using the [update](COMMAND_UPDATE) command, the minimum age (in minutes) a published version must reach before syncpack will consider it as an available update. Reduces supply chain attack risk by ignoring versions that have been on the registry for less time than the configured window — most malicious releases are detected and unpublished within an hour.
+
+When this option is omitted from the [rcfile](TERM_RCFILE), syncpack reads `minimumReleaseAge` from the project's `pnpm-workspace.yaml` if present. When neither is set, it defaults to `1440` (one day). Setting `0` disables the filter.
+
+## Default Value
+
+```json title=".syncpackrc.json"
+{
+  "minimumReleaseAge": 1440
+}
+```
+
+## Examples
+
+Wait one week before considering a published version:
+
+```json title=".syncpackrc.json"
+{
+  "minimumReleaseAge": 10080
+}
+```
+
+Disable the filter and consider all published versions:
+
+```json title=".syncpackrc.json"
+{
+  "minimumReleaseAge": 0
+}
+```
+
+Inherit the value already configured for [pnpm](HREF_PNPM_MINIMUM_RELEASE_AGE) by omitting it from the rcfile:
+
+```yaml title="pnpm-workspace.yaml"
+minimumReleaseAge: 1440
+```

src/rcfile.rs

@@ -109,6 +109,11 @@ fn default_max_concurrent_requests() -> usize {
   12
 }
 
+/// Default `minimumReleaseAge` (one day in minutes) used when neither the
+/// rcfile nor `pnpm-workspace.yaml` provides a value. Resolution lives in
+/// `rcfile::from_disk::resolve_minimum_release_age`.
+pub(crate) const DEFAULT_MINIMUM_RELEASE_AGE: u64 = 1440;
+
 fn default_true() -> bool {
   true
 }
@@ -213,6 +218,11 @@ pub(crate) struct RawRcfile {
   pub indent: Option<String>,
   #[serde(default = "default_max_concurrent_requests")]
   pub max_concurrent_requests: usize,
+  /// User-supplied value from the rcfile. `None` means "fall back to
+  /// pnpm-workspace.yaml or the default" — resolution happens in
+  /// `from_disk::resolve_minimum_release_age`.
+  #[serde(default)]
+  pub minimum_release_age: Option<u64>,
   #[serde(default)]
   pub semver_groups: Vec<AnySemverGroup>,
   #[serde(default = "default_sort_az")]
@@ -358,6 +368,10 @@ impl TryFrom<RawRcfile> for Rcfile {
       format_repository: raw.format_repository,
       indent: raw.indent,
       max_concurrent_requests: raw.max_concurrent_requests,
+      // `from_disk` re-resolves this against pnpm-workspace.yaml. The
+      // `try_from`-only paths (tests, `Rcfile::default()`) get the
+      // default here so consumers always see a `u64`.
+      minimum_release_age: raw.minimum_release_age.unwrap_or(DEFAULT_MINIMUM_RELEASE_AGE),
       semver_groups,
       sort_az: raw.sort_az,
       sort_exports: raw.sort_exports,
@@ -378,6 +392,10 @@ pub struct Rcfile {
   pub format_repository: bool,
   pub indent: Option<String>,
   pub max_concurrent_requests: usize,
+  /// Skip dependency updates published less than this many minutes ago.
+  /// `0` disables age filtering. Resolved with precedence:
+  /// rcfile → `pnpm-workspace.yaml` → `DEFAULT_MINIMUM_RELEASE_AGE`.
+  pub minimum_release_age: u64,
   pub semver_groups: Vec<SemverGroup>,
   pub sort_az: Vec<String>,
   pub sort_exports: Vec<String>,

src/rcfile/from_disk.rs

@@ -1,11 +1,11 @@
 use {
   crate::{
     cli::Cli,
-    disk::{detect_formatting, DetectedFormatting, Disk, DiskIo, DiskIoError, File, NodeJsError},
+    disk::{detect_formatting, json_view, DetectedFormatting, Disk, DiskIo, DiskIoError, File, NodeJsError},
     errors::UnsupportedConfigErrors,
     rcfile::{
       from_disk::javascript::{get_javascript_contents, JsResult},
-      RawRcfile, Rcfile,
+      RawRcfile, Rcfile, DEFAULT_MINIMUM_RELEASE_AGE,
     },
   },
   log::debug,
@@ -16,6 +16,10 @@ use {
 #[path = "javascript.rs"]
 mod javascript;
 
+#[cfg(test)]
+#[path = "from_disk_test.rs"]
+mod from_disk_test;
+
 #[derive(Debug, Error)]
 pub enum JsRcfileError {
   #[error(transparent)]
@@ -165,8 +169,10 @@ impl Rcfile {
         return Err(RcfileError::UnsupportedConfig(UnsupportedConfigErrors(config_errors)));
       }
 
+      let rcfile_minimum_release_age = raw_rcfile.minimum_release_age;
       match Rcfile::try_from(raw_rcfile) {
-        Ok(rcfile) => {
+        Ok(mut rcfile) => {
+          rcfile.minimum_release_age = resolve_minimum_release_age(rcfile_minimum_release_age, disk);
           debug!("Config discovery completed in {:?}", start.elapsed());
           return Ok(File {
             filepath,
@@ -183,12 +189,34 @@ impl Rcfile {
     }
 
     debug!("No config file found, using defaults");
+    let rcfile = Rcfile {
+      minimum_release_age: resolve_minimum_release_age(None, disk),
+      ..Rcfile::default()
+    };
     debug!("Config discovery completed in {:?}", start.elapsed());
     Ok(File {
       filepath: disk.cwd.join(".syncpackrc"),
       formatting: DetectedFormatting::default(),
-      contents: Rcfile::default(),
+      contents: rcfile,
       dirty: false,
     })
   }
 }
+
+/// Resolve the effective `minimumReleaseAge` (in minutes). Precedence:
+/// 1. value from the rcfile (any user-set value, including `0`)
+/// 2. value from `pnpm-workspace.yaml`
+/// 3. `DEFAULT_MINIMUM_RELEASE_AGE` (1 day)
+pub(crate) fn resolve_minimum_release_age(rcfile_value: Option<u64>, disk: &Disk) -> u64 {
+  if let Some(value) = rcfile_value {
+    return value;
+  }
+  if let Some(yaml) = &disk.pnpm_workspace {
+    let json = json_view(yaml);
+    if let Some(value) = json.get("minimumReleaseAge").and_then(|v| v.as_u64()) {
+      debug!("Using minimumReleaseAge={value} from pnpm-workspace.yaml");
+      return value;
+    }
+  }
+  DEFAULT_MINIMUM_RELEASE_AGE
+}

src/rcfile/from_disk_test.rs

@@ -0,0 +1,60 @@
+use {
+  crate::{
+    disk::Disk,
+    rcfile::{from_disk::resolve_minimum_release_age, DEFAULT_MINIMUM_RELEASE_AGE},
+    test::mock::pnpm_yaml_file_from_str,
+  },
+  std::path::PathBuf,
+};
+
+fn empty_disk() -> Disk {
+  Disk {
+    cwd: PathBuf::from("/test"),
+    lerna_json: None,
+    package_json_files: Vec::new(),
+    package_json_root_idx: None,
+    package_manager: None,
+    pnpm_workspace: None,
+  }
+}
+
+#[test]
+fn rcfile_value_wins_over_pnpm_yaml() {
+  let mut disk = empty_disk();
+  disk.pnpm_workspace = Some(pnpm_yaml_file_from_str("minimumReleaseAge: 60\n"));
+  assert_eq!(resolve_minimum_release_age(Some(120), &disk), 120);
+}
+
+#[test]
+fn rcfile_value_of_zero_wins_over_pnpm_yaml() {
+  let mut disk = empty_disk();
+  disk.pnpm_workspace = Some(pnpm_yaml_file_from_str("minimumReleaseAge: 60\n"));
+  assert_eq!(resolve_minimum_release_age(Some(0), &disk), 0);
+}
+
+#[test]
+fn pnpm_yaml_used_when_rcfile_silent() {
+  let mut disk = empty_disk();
+  disk.pnpm_workspace = Some(pnpm_yaml_file_from_str("minimumReleaseAge: 60\n"));
+  assert_eq!(resolve_minimum_release_age(None, &disk), 60);
+}
+
+#[test]
+fn pnpm_yaml_zero_used_when_rcfile_silent() {
+  let mut disk = empty_disk();
+  disk.pnpm_workspace = Some(pnpm_yaml_file_from_str("minimumReleaseAge: 0\n"));
+  assert_eq!(resolve_minimum_release_age(None, &disk), 0);
+}
+
+#[test]
+fn falls_back_to_default_when_rcfile_silent_and_pnpm_yaml_silent() {
+  let mut disk = empty_disk();
+  disk.pnpm_workspace = Some(pnpm_yaml_file_from_str("packages:\n  - 'pkgs/*'\n"));
+  assert_eq!(resolve_minimum_release_age(None, &disk), DEFAULT_MINIMUM_RELEASE_AGE);
+}
+
+#[test]
+fn falls_back_to_default_when_no_pnpm_yaml() {
+  let disk = empty_disk();
+  assert_eq!(resolve_minimum_release_age(None, &disk), DEFAULT_MINIMUM_RELEASE_AGE);
+}