[rush] minimumReleaseAge in pnpm-config.json is written to package.json but pnpm only reads it from .npmrc/pnpm-workspace.yaml

[calm-mlin]

Summary

The minimumReleaseAge and minimumReleaseAgeExclude settings in common/config/rush/pnpm-config.json are written to common/temp/package.json under the pnpm key, but pnpm does not read these settings from package.json. pnpm only reads them from .npmrc (as minimum-release-age) or pnpm-workspace.yaml.

As a result, the settings are silently ignored and provide no protection.

Steps to Reproduce

1. Set "minimumReleaseAge": 20160 in common/config/rush/pnpm-config.json (14 days in minutes)
2. Add a dependency on a package with a very recent release (e.g., released 2 days ago)
3. Run rush update
4. Expected: rush update fails with ERR_PNPM_NO_MATURE_MATCHING_VERSION
5. Actual: rush update succeeds — the setting is ignored

Root Cause

Rush's InstallHelpers.generateCommonPackageJson() writes minimumReleaseAge to common/temp/package.json:

{
  "pnpm": {
    "minimumReleaseAge": 20160,
    "minimumReleaseAgeExclude": []
  }
}

However, pnpm's config reader does not include minimumReleaseAge in the set of fields it reads from package.json's pnpm section. The supported fields from package.json are: overrides, packageExtensions, peerDependencyRules, allowedDeprecatedVersions, patchedDependencies, allowBuilds, ignoredOptionalDependencies, supportedArchitectures, requiredScripts, configDependencies, auditConfig, updateConfig.

pnpm reads minimumReleaseAge from:

• pnpm-workspace.yaml (as minimumReleaseAge)
• .npmrc (as minimum-release-age)

Workaround

Add minimum-release-age=20160 directly to common/config/rush/.npmrc. Rush copies this file to common/temp/.npmrc, which pnpm does read.

Environment

• Rush: 5.172.1
• pnpm: 10.33.0
• Node: 24.x

Suggested Fix

Rush should write minimumReleaseAge and minimumReleaseAgeExclude to either:

• The generated .npmrc file (as minimum-release-age and minimum-release-age-exclude), or
• The generated pnpm-workspace.yaml file

instead of (or in addition to) package.json.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question	Answer
@microsoft/rush globally installed version?	5.172.1
rushVersion from rush.json?	5.172.1
pnpmVersion, npmVersion, or yarnVersion from rush.json?	10.33.0
(if pnpm) useWorkspaces from pnpm-config.json?	true
Operating system?	Mac
Would you consider contributing a PR?	Yes
Node.js version (node -v)?	24.13.0

[iclanton]

I think the ideal fix would be to write it to pnpm-workspace.yaml. @calm-mlin - you want to put this together?

[benkenawell]

I'd like to bump this after the Tanstack compromise yesterday. It's great that pnpm supports all these options, but rush doesn't seem to give us a good way to actually use them