[npm] minimumReleaseAge Doesn't Work with rangeStrategy bump on Lock File

[CHC383]

What would you like help with?

I think I found a bug

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Bitbucket, 38.44.3

Please tell us more about your question or problem

In my npm repository, I have rangeStrategy set to bump and minimumReleaseAge set to 7 days, I also have npmDedupe in the postUpdateOptions. When renovate was run, the package.json was updated as expected, i.e. it will bump to the version that meets the minimumReleaseAge, however, the package-lock.json would be updated to the latest version. The behavior of the package-lock.json does meet the semVer in package.json, but it doesn't meet the minimumReleaseAge limit.

Config:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  enabledManagers: ["npm"],
  schedule: ["before 6am on Saturday"],
  extends: [
    "config:recommended",
    ":maintainLockFilesMonthly",
    "workarounds:typesNodeVersioning",
    "group:allNonMajor",
    ":semanticCommitTypeAll(build)",
  ],
  rangeStrategy: "bump",
  postUpdateOptions: ["npmDedupe"],
  minimumReleaseAge: "7 days",
  prHourlyLimit: 0,
  packageRules: [
    {
      description: "Don't bump engines field in package.json",
      matchManagers: ["npm"],
      matchDepTypes: ["engines"],
      rangeStrategy: "auto",
    },
  ],
}

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

If you want an exact version in the lock file then you'll need to pin the version in package.json. This is not a bug, but please feel free to improve the docs to clarify the limitation

[github-actions[bot]]

Hi there,

A maintainer decided this is not a bug, and behaving as designed. The maintainer will explain why this behavior is correct. To avoid confusing future readers, we will close this Discussion.

We want Bug-type Discussions to be about things that we rate as bugs. For more details, please read our development docs about bug handling.

If this bug report makes you think of an idea for a new feature, or how to improve a current feature, feel free to create a new Suggest an Idea Discussion.

Thanks, the Renovate team