Interactive Update pulls in Alpha / Beta versions if minimumReleaseVersion is set

### Verify latest release

- [x] I verified that the issue exists in the latest pnpm release

### pnpm version

10.16.1

### Which area(s) of pnpm are affected? (leave empty if unsure)

_No response_

### Link to the code that reproduces this issue or a replay of the bug

_No response_

### Reproduction steps

pnpm-workspace.yaml
minimumReleaseAge: 1440
 
package.json
"@tanstack/react-router": "^1.131.41",
 
run pnpm up -i -L -r
@tanstack/react-router                                    1.131.41 ❯ 1.131.44

> Updates package.json to:
> "@tanstack/react-router": "1.132.0-alpha.21",

### Describe the Bug

Hi, 

Thanks for providing a solid and good option to address supply chain attack issues! This is an enormously helpful feature.

The behaviour of pnpm up -i -L (-r) is inconsistent if minimumReleaseAge is set. When minimumReleaseAge is not set, only normal releases are installed. If it is set, and the package has been updated within the period defined by minimumReleaseAge, but an alpha/beta/rc version has been released after the last installed version, sometimes this version is installed.

Example: 

> pnpm-workspace.yaml
> minimumReleaseAge: 1440
> 
> package.json
> "@tanstack/react-router": "^1.131.41",
> 
> run pnpm up -i -L -r
> @tanstack/react-router                                    1.131.41 ❯ 1.131.44
> 
> Updates package.json to:
> "@tanstack/react-router": "1.132.0-alpha.21",

When minimumReleaseAge is not set, the 1.132 alpha version is not installed, and the update stays within the stable minor release 1.131.x. But as soon as it is set, it installs alpha versions.

This is an issue I've mentioned in the comments here: https://github.com/pnpm/pnpm/issues/9963, but assumed it is part of the other bug.

### Expected Behavior

Install the latest stable (non alpha/beta/rc) release if available considering minimumReleaseAge, or skip the update - ideally with a message - if none is available.

Ideally, don't increase the SEMVER range (in the example, instead of updating 1.131.41 to 1.131.44, 1.132.0-alpha is installed, without 1.132 being shown in the interactive update)

### Which Node.js version are you using?

24.7.0

### Which operating systems have you used?

- [ ] macOS
- [ ] Windows
- [x] Linux

### If your OS is a Linux based, which one it is? (Include the version if relevant)

Arch

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Interactive Update pulls in Alpha / Beta versions if minimumReleaseVersion is set #9979

Verify latest release

pnpm version

Which area(s) of pnpm are affected? (leave empty if unsure)

Link to the code that reproduces this issue or a replay of the bug

Reproduction steps

Describe the Bug

Expected Behavior

Which Node.js version are you using?

Which operating systems have you used?

If your OS is a Linux based, which one it is? (Include the version if relevant)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Interactive Update pulls in Alpha / Beta versions if minimumReleaseVersion is set #9979

Description

Verify latest release

pnpm version

Which area(s) of pnpm are affected? (leave empty if unsure)

Link to the code that reproduces this issue or a replay of the bug

Reproduction steps

Describe the Bug

Expected Behavior

Which Node.js version are you using?

Which operating systems have you used?

If your OS is a Linux based, which one it is? (Include the version if relevant)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions