fix(@angular/cli): respect client-side release age settings during update resolution

Query the active package manager's release age gate configuration (like pnpm's `minimum-release-age` or yarn's `npmMinimalAgeGate`) and parse it into milliseconds.

This config limit is passed to the `RegistryClient` in `resolveUserUpdatePlan` and is used to filter out version candidates that violate the release-age gate by checking the package's publish timestamps in the metadata `time` record. This guarantees that `ng update` resolves targeting versions that satisfy all active client-side release-age restrictions.

Author: clydin

packages/angular/cli/src/commands/update/update-resolver.ts

@@ -24,6 +24,7 @@ export class RegistryClient {
   constructor(
     private packageManager: PackageManager,
     private logger: logging.LoggerApi,
+    readonly minReleaseAge: number = 0,
   ) {}
 
   async getMetadata(packageName: string): Promise<PackageMetadata | null> {
@@ -56,25 +57,39 @@ export class RegistryClient {
 
 export async function getSatisfyingVersion(
   registryClient: RegistryClient,
-  packageName: string,
-  versions: string[],
+  metadata: PackageMetadata,
   range: string,
   next?: boolean,
 ): Promise<string | null> {
   const options = { includePrerelease: next || undefined };
-  const candidates = versions.filter((v) => semver.satisfies(v, range, options));
+  let candidates = metadata.versions.filter((v) => semver.satisfies(v, range, options));
+
+  const minReleaseAge = registryClient.minReleaseAge;
+  if (minReleaseAge && metadata.time) {
+    const now = Date.now();
+    candidates = candidates.filter((version) => {
+      const publishTimeStr = metadata.time?.[version];
+      if (!publishTimeStr) {
+        return true;
+      }
+      const publishTime = Date.parse(publishTimeStr);
+
+      return now - publishTime >= minReleaseAge;
+    });
+  }
+
   const sorted = semver.rsort(candidates);
 
   for (const version of sorted) {
-    const manifest = await registryClient.getManifest(packageName, version);
+    const manifest = await registryClient.getManifest(metadata.name, version);
     if (manifest && !manifest.deprecated) {
       return version;
     }
   }
 
   // Fallback to deprecated versions if no non-deprecated version satisfies
   for (const version of sorted) {
-    const manifest = await registryClient.getManifest(packageName, version);
+    const manifest = await registryClient.getManifest(metadata.name, version);
     if (manifest) {
       return version;
     }
@@ -440,8 +455,7 @@ async function _buildPackageInfo(
   if (!installedVersion) {
     installedVersion = (await getSatisfyingVersion(
       registryClient,
-      name,
-      npmPackageJson.versions,
+      npmPackageJson,
       packageJsonRange,
     )) as VersionRange | undefined;
   }
@@ -470,8 +484,7 @@ async function _buildPackageInfo(
     } else {
       targetVersion = (await getSatisfyingVersion(
         registryClient,
-        name,
-        npmPackageJson.versions,
+        npmPackageJson,
         targetVersion,
       )) as VersionRange | undefined;
     }
@@ -561,7 +574,7 @@ async function resolvePackageVersion(
     return distTags['latest'] ?? null;
   }
 
-  return getSatisfyingVersion(registryClient, metadata.name, metadata.versions, range, next);
+  return getSatisfyingVersion(registryClient, metadata, range, next);
 }
 
 async function _addPackageGroup(
@@ -584,12 +597,8 @@ async function _addPackageGroup(
     version = distTags['latest'] as VersionRange;
   } else {
     version =
-      ((await getSatisfyingVersion(
-        registryClient,
-        metadata.name,
-        metadata.versions,
-        version,
-      )) as VersionRange | null) ?? version;
+      ((await getSatisfyingVersion(registryClient, metadata, version)) as VersionRange | null) ??
+      version;
   }
 
   const packageJson = await registryClient.getManifest(metadata.name, version);
@@ -679,8 +688,7 @@ async function _addPeerDependencies(
         if (peerMetadata) {
           const resolvedInstalledVersion = await getSatisfyingVersion(
             registryClient,
-            peer,
-            peerMetadata.versions,
+            peerMetadata,
             packageJsonRange,
           );
 
@@ -765,7 +773,8 @@ export async function resolveUserUpdatePlan(
   const usingYarn = options.packageManager === 'yarn';
 
   const packages = _buildPackageList(options, npmDeps, logger);
-  const registryClient = new RegistryClient(packageManager, logger);
+  const minReleaseAge = await packageManager.getMinimumReleaseAge();
+  const registryClient = new RegistryClient(packageManager, logger, minReleaseAge);
 
   const getOrFetchPackageMetadata = async (
     packageName: string,

packages/angular/cli/src/commands/update/update-resolver_spec.ts

@@ -11,7 +11,7 @@ import { mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'nod
 import { tmpdir } from 'node:os';
 import * as path from 'node:path';
 import * as semver from 'semver';
-import type { PackageManager, PackageManifest } from '../../package-managers';
+import type { PackageManager, PackageManifest, PackageMetadata } from '../../package-managers';
 import {
   RegistryClient,
   UpdateResolverOptions,
@@ -53,7 +53,7 @@ describe('UpdateResolver', () => {
   const MOCK_REGISTRY: Record<
     string,
     {
-      metadata: { name: string; 'dist-tags': Record<string, string>; versions: string[] };
+      metadata: PackageMetadata;
       manifests: Record<string, PackageManifest>;
     }
   > = {
@@ -155,9 +155,26 @@ describe('UpdateResolver', () => {
         '0.8.26': { name: 'zone.js', version: '0.8.26' },
       },
     },
+    '@angular-devkit-tests/update-release-age': {
+      metadata: {
+        name: '@angular-devkit-tests/update-release-age',
+        'dist-tags': { latest: '1.2.0' },
+        versions: ['1.0.0', '1.1.0', '1.2.0'],
+        time: {
+          '1.0.0': '2026-06-01T00:00:00.000Z',
+          '1.1.0': new Date(Date.now() - 5 * 24 * 60 * 60 * 1000).toISOString(),
+          '1.2.0': new Date(Date.now() - 1 * 24 * 60 * 60 * 1000).toISOString(),
+        },
+      },
+      manifests: {
+        '1.0.0': { name: '@angular-devkit-tests/update-release-age', version: '1.0.0' },
+        '1.1.0': { name: '@angular-devkit-tests/update-release-age', version: '1.1.0' },
+        '1.2.0': { name: '@angular-devkit-tests/update-release-age', version: '1.2.0' },
+      },
+    },
   };
 
-  async function resolvePlan(options: UpdateResolverOptions) {
+  async function resolvePlan(options: UpdateResolverOptions, minReleaseAge = 0) {
     const mockPackageManager = {
       name: 'npm',
       async getRegistryMetadata(packageName: string) {
@@ -166,6 +183,9 @@ describe('UpdateResolver', () => {
       async getRegistryManifest(packageName: string, version: string) {
         return MOCK_REGISTRY[packageName]?.manifests[version] ?? null;
       },
+      async getMinimumReleaseAge() {
+        return minReleaseAge;
+      },
     } as unknown as PackageManager;
 
     return resolveUserUpdatePlan(options, mockPackageManager, logger);
@@ -333,6 +353,44 @@ describe('UpdateResolver', () => {
     const result = readFileSync(path.join(tempRoot, 'package.json'), 'utf8');
     expect(result.endsWith('}')).toBeTrue();
   });
+
+  it('respects minimumReleaseAge and filters out versions published too recently', async () => {
+    createMockWorkspace(
+      {
+        name: 'blah',
+        dependencies: {
+          '@angular-devkit-tests/update-release-age': '1.0.0',
+        },
+      },
+      {
+        '@angular-devkit-tests/update-release-age': { version: '1.0.0' },
+      },
+    );
+
+    const planNoFilter = await resolvePlan(
+      {
+        packages: ['@angular-devkit-tests/update-release-age'],
+        workspaceRoot: tempRoot,
+      },
+      0,
+    );
+
+    expect(planNoFilter.packagesToUpdate.get('@angular-devkit-tests/update-release-age')).toBe(
+      '1.2.0',
+    );
+
+    const planWithFilter = await resolvePlan(
+      {
+        packages: ['@angular-devkit-tests/update-release-age'],
+        workspaceRoot: tempRoot,
+      },
+      3 * 24 * 60 * 60 * 1000,
+    );
+
+    expect(planWithFilter.packagesToUpdate.get('@angular-devkit-tests/update-release-age')).toBe(
+      '1.1.0',
+    );
+  });
 });
 
 describe('RegistryClient', () => {

packages/angular/cli/src/package-managers/package-manager-descriptor.ts

@@ -22,11 +22,13 @@ import {
   parseNpmLikeError,
   parseNpmLikeManifest,
   parseNpmLikeMetadata,
+  parsePnpmReleaseAge,
   parseYarnClassicDependencies,
   parseYarnClassicError,
   parseYarnClassicManifest,
   parseYarnClassicMetadata,
   parseYarnModernDependencies,
+  parseYarnReleaseAge,
 } from './parsers';
 
 /**
@@ -87,6 +89,9 @@ export interface PackageManagerDescriptor {
   /** The command to list all installed dependencies. */
   readonly listDependenciesCommand: readonly string[];
 
+  /** The command to get the release age configuration value. */
+  readonly getReleaseAgeConfigCommand?: readonly string[];
+
   /** The command to get the current package name. */
   readonly getPackageNameCommand?: readonly string[];
 
@@ -125,6 +130,9 @@ export interface PackageManagerDescriptor {
 
     /** A function to parse the output when a command fails. */
     getError?: (output: string, logger?: Logger) => ErrorInfo | null;
+
+    /** A function to parse the output of the release age config command. */
+    getReleaseAge?: (output: string) => number;
   };
 
   /** A function that checks if a structured error represents a "package not found" error. */
@@ -200,13 +208,15 @@ export const SUPPORTED_PACKAGE_MANAGERS = {
     getRegistryOptions: (registry: string) => ({ env: { YARN_NPM_REGISTRY_SERVER: registry } }),
     versionCommand: ['--version'],
     listDependenciesCommand: ['info', '--name-only', '--json'],
+    getReleaseAgeConfigCommand: ['config', 'get', 'npmMinimalAgeGate'],
     getManifestCommand: ['npm', 'info', '--json'],
     viewCommandFieldArgFormatter: (fields) => ['--fields', fields.join(',')],
     outputParsers: {
       listDependencies: parseYarnModernDependencies,
       getRegistryManifest: parseNpmLikeManifest,
       getRegistryMetadata: parseNpmLikeMetadata,
       getError: parseNpmLikeError,
+      getReleaseAge: parseYarnReleaseAge,
     },
     isNotFound: isKnownNotFound,
   },
@@ -254,6 +264,7 @@ export const SUPPORTED_PACKAGE_MANAGERS = {
     getRegistryOptions: (registry: string) => ({ args: ['--registry', registry] }),
     versionCommand: ['--version'],
     listDependenciesCommand: ['list', '--depth=0', '--json'],
+    getReleaseAgeConfigCommand: ['config', 'get', 'minimum-release-age'],
     getPackageNameCommand: ['pkg', 'get', 'name'],
     getManifestCommand: ['view', '--json'],
     viewCommandFieldArgFormatter: (fields) => [...fields],
@@ -262,6 +273,7 @@ export const SUPPORTED_PACKAGE_MANAGERS = {
       getRegistryManifest: parseNpmLikeManifest,
       getRegistryMetadata: parseNpmLikeMetadata,
       getError: parseNpmLikeError,
+      getReleaseAge: parsePnpmReleaseAge,
     },
     isNotFound: isKnownNotFound,
   },

packages/angular/cli/src/package-managers/package-manager.ts

@@ -21,6 +21,7 @@ import { Logger } from './logger';
 import { PackageManagerDescriptor } from './package-manager-descriptor';
 import { PackageManifest, PackageMetadata } from './package-metadata';
 import { InstalledPackage } from './package-tree';
+import { parseYarnReleaseAge } from './parsers';
 
 /**
  * The fields to request from the registry for package metadata.
@@ -93,6 +94,7 @@ export class PackageManager {
   readonly #initializationError?: Error;
   #dependencyCache: Map<string, InstalledPackage> | null = null;
   #version: string | undefined;
+  #minimumReleaseAge: Promise<number> | undefined;
   #activeTasks = 0;
   readonly #pendingTasks: (() => void)[] = [];
   readonly #maxConcurrent = 5;
@@ -737,6 +739,44 @@ export class PackageManager {
 
     return { workingDirectory, cleanup };
   }
+
+  /**
+   * Gets the active release age gate limit in milliseconds.
+   * @returns A promise that resolves to the limit in milliseconds, or `0` if not set.
+   */
+  async getMinimumReleaseAge(): Promise<number> {
+    if (this.#minimumReleaseAge === undefined) {
+      this.#minimumReleaseAge = this.#resolveMinimumReleaseAge();
+    }
+
+    return this.#minimumReleaseAge;
+  }
+
+  async #resolveMinimumReleaseAge(): Promise<number> {
+    if (this.descriptor.getReleaseAgeConfigCommand && this.descriptor.outputParsers.getReleaseAge) {
+      try {
+        const { stdout } = await this.#run(this.descriptor.getReleaseAgeConfigCommand);
+
+        const resolved = this.descriptor.outputParsers.getReleaseAge(stdout);
+        if (resolved > 0) {
+          return resolved;
+        }
+      } catch {
+        // Ignore failures and fallback to environment variables
+      }
+    }
+
+    const envValue =
+      process.env.NPM_CONFIG_MIN_RELEASE_AGE ??
+      process.env.MINIMUM_RELEASE_AGE ??
+      process.env.MIN_RELEASE_AGE;
+
+    if (envValue) {
+      return parseYarnReleaseAge(envValue);
+    }
+
+    return 0;
+  }
 }
 
 /**