From e58870ef6ee2b85d4899402d3325eb7f0fa9f5ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Zori=C4=87?= Date: Thu, 4 Jun 2026 12:33:58 +0200 Subject: [PATCH 1/2] docs: clarify that stricter age gates may block Webiny upgrades on release day Webiny validates releases against a 3d age gate, so users with a stricter gate (e.g. 7d) may see installation failures for third-party dependencies that are older than 3 days but younger than their custom threshold. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../6.x/infrastructure/yarnrc-security.mdx | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx b/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx index 1d0af2023..e1fea45e0 100644 --- a/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx +++ b/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx @@ -115,6 +115,16 @@ npmMinimalAgeGate: 1d A longer duration provides more protection but delays access to new releases. A shorter duration gives faster access but reduces the window for malicious packages to be caught. + + +Webiny validates every release against a `3d` age gate. This means all third-party dependencies included in a Webiny release are guaranteed to be at least three days old at the time of release - but not necessarily older than that. + +If you set a stricter age gate (for example `7d`) and install a new Webiny version on release day, Yarn may reject third-party dependencies that Webiny relies on because they are older than three days but younger than seven days. The `npmPreapprovedPackages` list only exempts `@webiny/*` packages - it does not cover the third-party packages that Webiny depends on. + +To avoid this, either keep the default `3d` value, or wait the difference between your age gate and `3d` after a Webiny release before upgrading. For example, with `7d`, wait four days after the release. + + + ## Approved Git Repositories ```yaml .yarnrc.yml 
@@ -146,6 +156,12 @@ The age gate blocked a package version. You have three options: - **Preapprove** - add the package to `npmPreapprovedPackages` if you trust the publisher - **Lower the gate** - reduce `npmMinimalAgeGate` (not recommended unless you understand the risk) + + +If this error appears immediately after upgrading to a new Webiny version, your age gate is likely stricter than the `3d` default that Webiny uses. Third-party dependencies in the release may not yet meet your gate. Either wait for the packages to age past your threshold, or lower your age gate to `3d` to match Webiny's release process. + + + ### "Lifecycle scripts are disabled" A package tried to run a script during installation but `enableScripts: false` blocked it. If the package needs scripts to function correctly, allow them for that specific package rather than enabling scripts globally. From c506c1c11cce8ab4a92767f3e1d5d5c29d549afa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Zori=C4=87?= Date: Thu, 4 Jun 2026 12:34:49 +0200 Subject: [PATCH 2/2] =?UTF-8?q?docs:=20fix=20age=20gate=20wording=20?= =?UTF-8?q?=E2=80=94=20Yarn=20will=20reject,=20not=20may=20reject?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx b/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx index e1fea45e0..92019cd3d 100644 --- a/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx +++ b/docs/developer-docs/6.x/infrastructure/yarnrc-security.mdx 
@@ -119,7 +119,7 @@ A longer duration provides more protection but delays access to new releases. A Webiny validates every release against a `3d` age gate. This means all third-party dependencies included in a Webiny release are guaranteed to be at least three days old at the time of release - but not necessarily older than that. -If you set a stricter age gate (for example `7d`) and install a new Webiny version on release day, Yarn may reject third-party dependencies that Webiny relies on because they are older than three days but younger than seven days. The `npmPreapprovedPackages` list only exempts `@webiny/*` packages - it does not cover the third-party packages that Webiny depends on. +If you set a stricter age gate (for example `7d`) and install a new Webiny version on release day, Yarn will reject any third-party dependency that Webiny relies on if it was published less than seven days ago. The `npmPreapprovedPackages` list only exempts `@webiny/*` packages - it does not cover the third-party packages that Webiny depends on. To avoid this, either keep the default `3d` value, or wait the difference between your age gate and `3d` after a Webiny release before upgrading. For example, with `7d`, wait four days after the release.
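Review bot: In the first hunk of PATCH 1/2 (yarnrc-security.mdx, @@ -115,6 +115,16), "keep the default `3d` value" does not say whose default it is, and the hunk header context shows `npmMinimalAgeGate: 1d` just above, so a reader can take `3d` for something other than the value Webiny ships. Suggest "keep Webiny's default `3d` value", matching "the `3d` default that Webiny uses" in the troubleshooting hunk. The "wait four days" example is also the worst case (a dependency that was exactly three days old at release), so "wait up to four days" would be more precise.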
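Review bot: In the second hunk of PATCH 1/2 (@@ -146,6 +156,12), the added note offers "lower your age gate to `3d`" as an equal alternative to waiting, while the bullet directly above it says lowering the gate is "not recommended unless you understand the risk". Suggest leading with waiting, stating how long (the difference between the configured gate and `3d`, as the first hunk explains), and presenting the lower gate as a fallback with its trade-off named. The note also leaves the Preapprove bullet unaddressed; it should say whether adding the blocked third-party packages to `npmPreapprovedPackages` is an acceptable answer in this situation.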
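Review bot: In PATCH 2/2 (@@ -119,7 +119,7), the replacement sentence hard-codes "less than seven days ago" and drops the "older than three days" bound, so the sentence on its own no longer shows why a release that passed Webiny's `3d` validation fails under the reader's gate. Suggest tying it to the configured value, for example "published more recently than your age gate allows (in this example, between three and seven days ago)", which keeps the firmer "will reject" wording while covering gates other than `7d`.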