Is there an existing issue for this?
Package ecosystem
npm
Package manager version
11.10.0
Language version
v24.15.0
Manifest location and content before the Dependabot update
This is a private repo, but I think a minimal repo set would be a setup with an .npmrc set to be engine-strict=true & an engine field in a package.json set to be greater than the one available at the moment, e.g. "engines": { "npm": ">=11.10.0" },.
dependabot.yml content
No clue lmao.
Updated dependency
Was an attempt at updating fast-uri from 3.1.0 to 3.1.2.
What you expected to see, versus what you actually saw
So this is what I saw:
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Dependencies failed to update |
+------------+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Dependency | Error Type | Error Details |
+------------+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| fast-uri | dependency_file_not_resolvable | { |
| | | "message": "Dependabot uses Node.js v24.15.0 and NPM 11.12.1. Due to the engine-strict setting, the update will not succeed." |
| | | } |
+------------+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
but then above, in the full trace, there's a more information:
2026/05/09 05:03:57 INFO <job_1357410265> Started process PID: 1670 with command: {} git clean -fx {}
updater | 2026/05/09 05:03:57 INFO <job_1357410265> Process PID: 1670 completed with status: pid 1670 exit 0
updater | 2026/05/09 05:03:57 INFO <job_1357410265> Total execution time: 0.06 seconds
updater | 2026/05/09 05:03:57 INFO <job_1357410265> Started process PID: 1750 with command: {} corepack npm update fast-uri --force --ignore-scripts --package-lock-only {}
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Process PID: 1750 completed with status: pid 1750 exit 1
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Total execution time: 0.64 seconds
updater | 2026/05/09 05:03:58 ERROR <job_1357410265> Error running package manager command: corepack npm update fast-uri --force --ignore-scripts --package-lock-only, Error: npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.
npm warn using --force Recommended protections disabled.
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Not compatible with your version of node/npm: internal-project-nameinternal-project-name@1.0.0
npm error notsup Required: {"npm":">=11.10.0"}
npm error notsup Actual: {"node":"v24.15.0","npm":"11.8.0"}
npm error A complete log of this run can be found in: /home/dependabot/.npm/_logs/2026-05-09T05_03_57_658Z-debug-0.log
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Requirements to unlock all
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Requirements update strategy bump_versions
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Updating fast-uri from 3.1.0 to 3.1.2
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Started process PID: 1839 with command: {} corepack npm update fast-uri --force --ignore-scripts --package-lock-only {}
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Process PID: 1839 completed with status: pid 1839 exit 1
updater | 2026/05/09 05:03:58 INFO <job_1357410265> Total execution time: 0.63 seconds
2026/05/09 05:03:58 ERROR <job_1357410265> Error running package manager command: corepack npm update fast-uri --force --ignore-scripts --package-lock-only, Error: npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.
npm warn using --force Recommended protections disabled.
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Required: {"npm":">=11.10.0"}
npm error notsup Actual: {"node":"v24.15.0","npm":"11.8.0"}
npm error A complete log of this run can be found in: /home/dependabot/.npm/_logs/2026-05-09T05_03_58_403Z-debug-0.log
updater | 2026/05/09 05:03:58 WARN <job_1357410265> NPM : npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.
npm warn using --force Recommended protections disabled.
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Not compatible with your version of node/npm: internal-project-name@1.0.0
npm error notsup Required: {"npm":">=11.10.0"}
npm error notsup Actual: {"node":"v24.15.0","npm":"11.8.0"}
npm error A complete log of this run can be found in: /home/dependabot/.npm/_logs/2026-05-09T05_03_58_403Z-debug-0.log
proxy | 2026/05/09 05:03:59 [026] POST /update_jobs/1357410265/record_update_job_error
proxy | 2026/05/09 05:03:59 [026] 204 /update_jobs/1357410265/record_update_job_error
updater | 2026/05/09 05:03:59 INFO <job_1357410265> Handled error whilst updating fast-uri: dependency_file_not_resolvable {message: "Dependabot uses Node.js v24.15.0 and NPM 11.12.1. Due to the engine-strict setting, the update will not succeed."}
proxy | 2026/05/09 05:03:59 [028] POST /update_jobs/1357410265/record_ecosystem_meta
proxy | 2026/05/09 05:03:59 [028] 204 /update_jobs/1357410265/record_ecosystem_meta
proxy | 2026/05/09 05:03:59 [030] PATCH /update_jobs/1357410265/mark_as_processed
proxy | 2026/05/09 05:03:59 [030] 204 /update_jobs/1357410265/mark_as_processed
updater | 2026/05/09 05:03:59 INFO <job_1357410265> Finished job processing
updater | 2026/05/09 05:03:59 INFO Results:
Of course, after a couple minutes of reading, I saw the two versions are clearly different, so it's likely that the error re-writing block inside is a little bit wonky with respect to the npm version it prints out:
if error_message.include?("EBADENGINE")
msg = "Dependabot uses Node.js #{`node --version`.strip} and NPM #{`npm --version`.strip}. " \
"Due to the engine-strict setting, the update will not succeed."
raise Dependabot::DependencyFileNotResolvable, msg
end
The reason for the restriction to this freshest version is the enforcement of the use of the new min-release-age, which came out in npm v11.10.0, to prevent 0-day package hijacking when running npm install on development setups.
Native package manager behavior
It would refuse to do anything, when this engine restriction is in place, as depdenabot cleanly replicates.
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
I have no clue what this is. Can read up on this if needed?
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
11.10.0
Language version
v24.15.0
Manifest location and content before the Dependabot update
This is a private repo, but I think a minimal repo set would be a setup with an
.npmrcset to beengine-strict=true& an engine field in a package.json set to be greater than the one available at the moment, e.g."engines": { "npm": ">=11.10.0" },.dependabot.yml content
No clue lmao.
Updated dependency
Was an attempt at updating fast-uri from 3.1.0 to 3.1.2.
What you expected to see, versus what you actually saw
So this is what I saw:
but then above, in the full trace, there's a more information:
Of course, after a couple minutes of reading, I saw the two versions are clearly different, so it's likely that the error re-writing block inside is a little bit wonky with respect to the npm version it prints out:
The reason for the restriction to this freshest version is the enforcement of the use of the new
min-release-age, which came out in npm v11.10.0, to prevent 0-day package hijacking when runningnpm installon development setups.Native package manager behavior
It would refuse to do anything, when this engine restriction is in place, as depdenabot cleanly replicates.
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
I have no clue what this is. Can read up on this if needed?