CI: Use minimumReleaseAge in pnpm workspace files by bgw · Pull Request #92480 · vercel/next.js

bgw · 2026-04-07T20:48:30Z

Depends on pnpm 10.x: #92283

Enables https://pnpm.io/settings#minimumreleaseage to protect against supply-chain attacks.

The minimumReleaseAgeExclude list is copied from https://github.com/vercel/front/blob/1c3a9458d970265e1fb5ec14ddfed9a0eab2abef/pnpm-workspace.yaml#L13, with react and react-dom added.

bgw · 2026-04-07T20:48:48Z

CI: Use minimumReleaseAge in pnpm workspace files #92480 👈 (View in Graphite)
CI: Update and cleanup next-stats-action, force using pnpm 10.33.0 #92475
canary

This stack of pull requests is managed by Graphite. Learn more about stacking.

nextjs-bot · 2026-04-07T21:11:34Z

Stats from current PR

✅ No significant changes detected

📊 All Metrics

📖 Metrics Glossary

Dev Server Metrics:

Listen = TCP port starts accepting connections
First Request = HTTP server returns successful response
Cold = Fresh build (no cache)
Warm = With cached build artifacts

Build Metrics:

Fresh = Clean build (no .next directory)
Cached = With existing .next directory

Change Thresholds:

Time: Changes < 50ms AND < 10%, OR < 2% are insignificant
Size: Changes < 1KB AND < 1% are insignificant
All other changes are flagged to catch regressions

⚡ Dev Server

Metric	Canary	PR	Change	Trend
Cold (Listen)	455ms	456ms	✓	▁█▅▅▅
Cold (Ready in log)	440ms	440ms	✓	▁▂▅▇▄
Cold (First Request)	1.115s	1.147s	✓	▆▁▁▂▂
Warm (Listen)	456ms	456ms	✓	█▁██▁
Warm (Ready in log)	443ms	449ms	✓	▂▂▇█▁
Warm (First Request)	338ms	346ms	✓	▃▄▇█▄

📦 Dev Server (Webpack) (Legacy)

📦 Dev Server (Webpack)

Metric	Canary	PR	Change	Trend
Cold (Listen)	456ms	456ms	✓	▁▁▅▁▅
Cold (Ready in log)	441ms	440ms	✓	▁▃▆▂▂
Cold (First Request)	1.975s	1.968s	✓	▇▇▇▆▁
Warm (Listen)	456ms	456ms	✓	▁▁▁▁▁
Warm (Ready in log)	442ms	440ms	✓	▁▂▅▁▂
Warm (First Request)	2.063s	1.968s	✓	▆▇█▆▁

⚡ Production Builds

Metric	Canary	PR	Change	Trend
Fresh Build	3.804s	3.758s	✓	▇▆██▁
Cached Build	3.781s	3.820s	✓	▄███▄

📦 Production Builds (Webpack) (Legacy)

📦 Production Builds (Webpack)

Metric	Canary	PR	Change	Trend
Fresh Build	14.548s	14.602s	✓	▁▂▅▂▂
Cached Build	14.661s	14.735s	✓	▁▂▇▃▄
node_modules Size	488 MB	488 MB	✓	█████

📦 Bundle Sizes

Bundle Sizes

⚡ Turbopack

Client

Main Bundles

	Canary	PR	Change
01zz1z_sccief.js gzip	155 B	N/A	-
02fkg8wfh0iju.js gzip	9.19 kB	N/A	-
030plil3tn3n7.js gzip	70.8 kB	N/A	-
050zwt5xh_0tx.js gzip	10.4 kB	N/A	-
087fzjd-gvlzv.js gzip	450 B	N/A	-
0cz1d0mv5g_q7.js gzip	39.4 kB	39.4 kB	✓
0dsty6kq2hert.js gzip	155 B	N/A	-
0l26a3spazyyn.js gzip	151 B	N/A	-
0lxr_fzneozp-.js gzip	49 kB	N/A	-
0ppxcl_z43mad.js gzip	8.52 kB	N/A	-
0yzgvfimihkd2.js gzip	157 B	N/A	-
0ziljd71kuixt.js gzip	157 B	N/A	-
19oha6-znmkcv.js gzip	8.55 kB	N/A	-
1elt1qium-r2m.css gzip	115 B	115 B	✓
1pciyc-0_znyg.js gzip	155 B	N/A	-
2_5rjb7lqxntf.js gzip	221 B	221 B	✓
2035t1-zcnaw3.js gzip	65.7 kB	N/A	-
219prxwxgaalc.js gzip	7.61 kB	N/A	-
26elcgxnn9zjd.js gzip	8.52 kB	N/A	-
2900hudr6gvm0.js gzip	2.28 kB	N/A	-
29sfmxk0tawpd.js gzip	156 B	N/A	-
2lv2js3kmdeho.js gzip	8.48 kB	N/A	-
2myt_shpnyhzu.js gzip	156 B	N/A	-
2rehygrd36hqv.js gzip	8.58 kB	N/A	-
2s6nyomvmvh9r.js gzip	155 B	N/A	-
2srwswih0m9_h.js gzip	13.3 kB	N/A	-
2w-zjp8tyfrur.js gzip	159 B	N/A	-
3-jz00s4w-r6h.js gzip	13 kB	N/A	-
3-p9p9mheqhzx.js gzip	8.55 kB	N/A	-
31030bryqpolg.js gzip	8.53 kB	N/A	-
31dx5nmrzzuy7.js gzip	225 B	N/A	-
33sgz0bml7vgv.js gzip	155 B	N/A	-
39x4zj5mjb4d_.js gzip	9.77 kB	N/A	-
3ii1q6weo9fxz.js gzip	162 B	N/A	-
3k-48b78ys_vy.js gzip	10.1 kB	N/A	-
3m7-5rfj0avoz.js gzip	12.9 kB	N/A	-
3uqce_6sa526g.js gzip	8.47 kB	N/A	-
3yurjqk-sjs3y.js gzip	1.46 kB	N/A	-
3z62yfdtiw-rc.js gzip	168 B	N/A	-
40ybjx9c192n0.js gzip	13.8 kB	N/A	-
421vzwdt9j1b_.js gzip	5.62 kB	N/A	-
turbopack-0a..gg-u.js gzip	4.19 kB	N/A	-
turbopack-0j..4h2c.js gzip	4.18 kB	N/A	-
turbopack-0w..b55q.js gzip	4.16 kB	N/A	-
turbopack-1b..7qjv.js gzip	4.18 kB	N/A	-
turbopack-1c..yhu3.js gzip	4.18 kB	N/A	-
turbopack-1d..d769.js gzip	4.18 kB	N/A	-
turbopack-1u..hrqd.js gzip	4.18 kB	N/A	-
turbopack-20..21vq.js gzip	4.17 kB	N/A	-
turbopack-21..e4ra.js gzip	4.18 kB	N/A	-
turbopack-2p..t2ge.js gzip	4.18 kB	N/A	-
turbopack-2s..og4f.js gzip	4.18 kB	N/A	-
turbopack-2t..h5wq.js gzip	4.18 kB	N/A	-
turbopack-2u..rcf4.js gzip	4.18 kB	N/A	-
turbopack-3e..1qn1.js gzip	4.18 kB	N/A	-
03dgzoo-qf3sm.js gzip	N/A	9.19 kB	-
05tx5f25dlivn.js gzip	N/A	8.53 kB	-
0bn4jaju4d74b.js gzip	N/A	49 kB	-
0c7ez6p2qc57f.js gzip	N/A	5.62 kB	-
0duvj3qk5pvgn.js gzip	N/A	13.8 kB	-
0h6hofq3h6-42.js gzip	N/A	158 B	-
0ir6-1duadm2z.js gzip	N/A	158 B	-
0lm29e2y9kx_b.js gzip	N/A	153 B	-
0m-34rm9w_wpm.js gzip	N/A	7.6 kB	-
0m21op30uewwb.js gzip	N/A	156 B	-
0qnwuk92m8i7o.js gzip	N/A	10.4 kB	-
0r4wrn6n0ue2m.js gzip	N/A	8.55 kB	-
0rp0fodtbt_6m.js gzip	N/A	8.52 kB	-
0sfck-km4dl1k.js gzip	N/A	8.47 kB	-
0x0xuhmxzwkp8.js gzip	N/A	8.47 kB	-
1_ziiz--jvfsp.js gzip	N/A	158 B	-
1-wdvgxnzicj7.js gzip	N/A	1.46 kB	-
11u6nxujb2eg4.js gzip	N/A	450 B	-
1dyfoo24ajqxm.js gzip	N/A	162 B	-
1me96x5vwv1sy.js gzip	N/A	65.7 kB	-
1zc-k7aaakb6o.js gzip	N/A	159 B	-
29dt6m7d89-j7.js gzip	N/A	157 B	-
2d6k-a9uznmvb.js gzip	N/A	156 B	-
2e2z-03lx4fjc.js gzip	N/A	13 kB	-
2h70zbiqaf4bf.js gzip	N/A	158 B	-
2k9ax08cjl2id.js gzip	N/A	12.9 kB	-
2lms6k76q5-6m.js gzip	N/A	13.3 kB	-
2qx4twi9i3xus.js gzip	N/A	2.28 kB	-
2srnqic6tvxxd.js gzip	N/A	8.52 kB	-
2wrq5zps69nfq.js gzip	N/A	70.8 kB	-
3-34t1k915rbt.js gzip	N/A	170 B	-
30l7m4nayp73a.js gzip	N/A	8.55 kB	-
3h_ecpiaatwgc.js gzip	N/A	10.1 kB	-
3ity0aahajapd.js gzip	N/A	225 B	-
3nm_i02apa655.js gzip	N/A	160 B	-
3oa4b8uiuh01x.js gzip	N/A	157 B	-
3wrhpuc-j1aw9.js gzip	N/A	9.77 kB	-
43mlw9dy_8f02.js gzip	N/A	8.58 kB	-
turbopack-02..fq93.js gzip	N/A	4.19 kB	-
turbopack-0c.._bts.js gzip	N/A	4.18 kB	-
turbopack-0e..-d5r.js gzip	N/A	4.16 kB	-
turbopack-0k..1pc7.js gzip	N/A	4.18 kB	-
turbopack-13..a-km.js gzip	N/A	4.18 kB	-
turbopack-2_..2dke.js gzip	N/A	4.18 kB	-
turbopack-23..lkou.js gzip	N/A	4.18 kB	-
turbopack-24..jdhb.js gzip	N/A	4.18 kB	-
turbopack-2a..y2ca.js gzip	N/A	4.18 kB	-
turbopack-2q..7av9.js gzip	N/A	4.18 kB	-
turbopack-2w..zlx4.js gzip	N/A	4.18 kB	-
turbopack-37..786c.js gzip	N/A	4.18 kB	-
turbopack-3f..ivxr.js gzip	N/A	4.18 kB	-
turbopack-3g..kcks.js gzip	N/A	4.18 kB	-
Total	464 kB	464 kB	⚠️ +25 B

Server

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	718 B	716 B	✓
Total	718 B	716 B	✅ -2 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	430 B	435 B	🔴 +5 B (+1%)
Total	430 B	435 B	⚠️ +5 B

📦 Webpack

Client

Main Bundles

	Canary	PR	Change
5528-HASH.js gzip	5.54 kB	N/A	-
6280-HASH.js gzip	60.7 kB	N/A	-
6335.HASH.js gzip	169 B	N/A	-
912-HASH.js gzip	4.59 kB	N/A	-
e8aec2e4-HASH.js gzip	62.8 kB	N/A	-
framework-HASH.js gzip	59.7 kB	59.7 kB	✓
main-app-HASH.js gzip	256 B	254 B	✓
main-HASH.js gzip	39.4 kB	39.3 kB	✓
webpack-HASH.js gzip	1.68 kB	1.68 kB	✓
262-HASH.js gzip	N/A	4.59 kB	-
2889.HASH.js gzip	N/A	169 B	-
5602-HASH.js gzip	N/A	5.55 kB	-
6948ada0-HASH.js gzip	N/A	62.8 kB	-
9544-HASH.js gzip	N/A	61.4 kB	-
Total	235 kB	235 kB	⚠️ +579 B

Polyfills

	Canary	PR	Change
polyfills-HASH.js gzip	39.4 kB	39.4 kB	✓
Total	39.4 kB	39.4 kB	✓

Pages

	Canary	PR	Change
_app-HASH.js gzip	194 B	194 B	✓
_error-HASH.js gzip	183 B	180 B	🟢 3 B (-2%)
css-HASH.js gzip	331 B	330 B	✓
dynamic-HASH.js gzip	1.81 kB	1.81 kB	✓
edge-ssr-HASH.js gzip	256 B	256 B	✓
head-HASH.js gzip	351 B	352 B	✓
hooks-HASH.js gzip	384 B	383 B	✓
image-HASH.js gzip	580 B	581 B	✓
index-HASH.js gzip	260 B	260 B	✓
link-HASH.js gzip	2.51 kB	2.51 kB	✓
routerDirect..HASH.js gzip	320 B	319 B	✓
script-HASH.js gzip	386 B	386 B	✓
withRouter-HASH.js gzip	315 B	315 B	✓
1afbb74e6ecf..834.css gzip	106 B	106 B	✓
Total	7.98 kB	7.98 kB	✅ -1 B

Server

Edge SSR

	Canary	PR	Change
edge-ssr.js gzip	125 kB	126 kB	✓
page.js gzip	273 kB	273 kB	✓
Total	398 kB	399 kB	⚠️ +182 B

Middleware

	Canary	PR	Change
middleware-b..fest.js gzip	617 B	614 B	✓
middleware-r..fest.js gzip	156 B	155 B	✓
middleware.js gzip	43.9 kB	44.4 kB	🔴 +461 B (+1%)
edge-runtime..pack.js gzip	842 B	842 B	✓
Total	45.5 kB	46 kB	⚠️ +457 B

Build Details

Build Manifests

	Canary	PR	Change
_buildManifest.js gzip	715 B	718 B	✓
Total	715 B	718 B	⚠️ +3 B

Build Cache

	Canary	PR	Change
0.pack gzip	4.37 MB	4.37 MB	🟢 6.88 kB (0%)
index.pack gzip	114 kB	113 kB	✓
index.pack.old gzip	115 kB	115 kB	✓
Total	4.6 MB	4.6 MB	✅ -8.17 kB

🔄 Shared (bundler-independent)

Runtimes

	Canary	PR	Change
app-page-exp...dev.js gzip	342 kB	342 kB	✓
app-page-exp..prod.js gzip	189 kB	189 kB	✓
app-page-tur...dev.js gzip	341 kB	341 kB	✓
app-page-tur..prod.js gzip	189 kB	189 kB	✓
app-page-tur...dev.js gzip	338 kB	338 kB	✓
app-page-tur..prod.js gzip	187 kB	187 kB	✓
app-page.run...dev.js gzip	338 kB	338 kB	✓
app-page.run..prod.js gzip	187 kB	187 kB	✓
app-route-ex...dev.js gzip	76.9 kB	76.9 kB	✓
app-route-ex..prod.js gzip	52.5 kB	52.5 kB	✓
app-route-tu...dev.js gzip	76.9 kB	76.9 kB	✓
app-route-tu..prod.js gzip	52.5 kB	52.5 kB	✓
app-route-tu...dev.js gzip	76.5 kB	76.5 kB	✓
app-route-tu..prod.js gzip	52.2 kB	52.2 kB	✓
app-route.ru...dev.js gzip	76.5 kB	76.5 kB	✓
app-route.ru..prod.js gzip	52.2 kB	52.2 kB	✓
dist_client_...dev.js gzip	324 B	324 B	✓
dist_client_...dev.js gzip	326 B	326 B	✓
dist_client_...dev.js gzip	318 B	318 B	✓
dist_client_...dev.js gzip	317 B	317 B	✓
pages-api-tu...dev.js gzip	43.9 kB	43.9 kB	✓
pages-api-tu..prod.js gzip	33.4 kB	33.4 kB	✓
pages-api.ru...dev.js gzip	43.8 kB	43.8 kB	✓
pages-api.ru..prod.js gzip	33.4 kB	33.4 kB	✓
pages-turbo....dev.js gzip	53.2 kB	53.2 kB	✓
pages-turbo...prod.js gzip	39 kB	39 kB	✓
pages.runtim...dev.js gzip	53.2 kB	53.2 kB	✓
pages.runtim..prod.js gzip	39 kB	39 kB	✓
server.runti..prod.js gzip	62.8 kB	62.8 kB	✓
Total	3.03 MB	3.03 MB	✅ -5 B

📎 Tarball URL

https://vercel-packages.vercel.app/next/commits/f506dc1d1f6d4079a54820faa1dcac44c0fb4a43/next

mmastrac

Approved, but I'd also approve a longer window.

nextjs-bot · 2026-04-08T01:53:59Z

Tests Passed

eps1lon · 2026-04-08T10:10:52Z

+  - react-dom-*
+  - react-experimental-builtin
+  - react-is
+  - react-is-builtin


Does this work on aliases? This would be odd since you could effectively defeat the minimumReleaseAgeExclude by aliasing a malicious package to a trusted alias.

Yes, it applies after resolution of aliases. At least that's what deepwiki claimed when I asked it.

If it applies after resolution, why list the *-builtin ones? Those are aliases not real npm packages.

Maybe I'm not explaining this right. https://deepwiki.com/search/does-minimumreleaseageexclude_37cce44b-8975-4a63-a862-087b133fa393

Based on the codebase, minimumReleaseAgeExclude does use alias names if the package.json defines an alias for a package. The dependency resolution process resolves aliases before applying rules, so the exclusion logic works with the resolved (aliased) module names.

That implies that we must list the *-builtin package names.

That's not how it works though:

ERR_PNPM_NO_MATURE_MATCHING_VERSION Version 0.28.0-canary-404b38c7-20260408 (released 4 minutes ago) of scheduler-builtin does not meet the minimumReleaseAge constraint
-- https://github.com/vercel/next.js/actions/runs/24153975697/job/70488293803#step:7:41

Otherwise you could bypass it with an aliased install.

Fixing in #92535

Not sure why you used deepwiki. Is this some AI summary? pnpm docs are pretty clear:

The exclusion works by package name and applies to all versions of that package.

-- https://pnpm.io/settings#minimumreleaseageexclude

I meant dependency resolution by the package manager. The model used by deepwiki thought we were talking about module resolution at runtime.

bgw · 2026-04-08T18:35:52Z

Merge activity

Apr 8, 6:35 PM UTC: @bgw merged this pull request with Graphite.

nextjs-bot added the created-by: Turbopack team PRs by the Turbopack team. label Apr 7, 2026

bgw mentioned this pull request Apr 7, 2026

CI: Update and cleanup next-stats-action, force using pnpm 10.33.0 #92475

Merged

bgw changed the base branch from bgw/stats-action-updates to graphite-base/92480 April 7, 2026 21:17

bgw force-pushed the bgw/minimum-release-age branch from 6e8c367 to 5c052de Compare April 7, 2026 21:18

bgw force-pushed the graphite-base/92480 branch from 6ccd1ac to 68d6729 Compare April 7, 2026 21:18

graphite-app Bot changed the base branch from graphite-base/92480 to canary April 7, 2026 21:18

bgw force-pushed the bgw/minimum-release-age branch from 5c052de to 345006c Compare April 7, 2026 21:18

bgw marked this pull request as ready for review April 7, 2026 23:04

bgw requested review from eps1lon, ijjk, lukesandberg, mmastrac and ztanner April 7, 2026 23:04

ztanner approved these changes Apr 7, 2026

View reviewed changes

mmastrac approved these changes Apr 7, 2026

View reviewed changes

eps1lon reviewed Apr 7, 2026

View reviewed changes

Comment thread .github/pnpm-workspace.yaml Outdated

bgw force-pushed the bgw/minimum-release-age branch from 345006c to 38fa9ec Compare April 8, 2026 01:44

mmastrac approved these changes Apr 8, 2026

View reviewed changes

eps1lon reviewed Apr 8, 2026

View reviewed changes

bgw added 4 commits April 8, 2026 08:32

CI: Use minimumReleaseAge in pnpm workspace files

1c3cc86

Also exclude react and react-dom

a0ca022

Add more packages to exclude list

4256a35

Set blockExoticSubdeps as well

f506dc1

bgw force-pushed the bgw/minimum-release-age branch from 38fa9ec to f506dc1 Compare April 8, 2026 16:18

bgw merged commit 5abeaea into canary Apr 8, 2026
312 of 314 checks passed

bgw deleted the bgw/minimum-release-age branch April 8, 2026 18:35

github-actions Bot added the locked label Apr 24, 2026

github-actions Bot locked as resolved and limited conversation to collaborators Apr 24, 2026

Conversation

bgw commented Apr 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bgw commented Apr 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nextjs-bot commented Apr 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Stats from current PR

✅ No significant changes detected

⚡ Dev Server

📦 Dev Server (Webpack)

⚡ Production Builds

📦 Production Builds (Webpack)

Bundle Sizes

⚡ Turbopack

📦 Webpack

🔄 Shared (bundler-independent)

Uh oh!

mmastrac left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

nextjs-bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Tests Passed

Uh oh!

eps1lon Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

bgw Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

eps1lon Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bgw Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

eps1lon Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

eps1lon Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

eps1lon Apr 8, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

bgw commented Apr 8, 2026

Merge activity

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

bgw commented Apr 7, 2026 •

edited

Loading

bgw commented Apr 7, 2026 •

edited

Loading

nextjs-bot commented Apr 7, 2026 •

edited

Loading

nextjs-bot commented Apr 8, 2026 •

edited

Loading

eps1lon Apr 8, 2026 •

edited

Loading

bgw Apr 8, 2026 •

edited

Loading