min-release-age=3

When using ProGet as the npm registry, I encountered an issue where packages that were actually published several days ago are treated as if they were published just moments ago.

Steps to reproduce:

Configure npm with:

min-release-age=3
Use ProGet as the npm registry with connector to public npm registry with cache package enabled.

Attempt to install a package that was published more than 3 days ago, e.g.:

npm install --save vite-plugin-svgr@5.2.0

Observed behavior:

The installation fails with:

npm ERR! code ETARGET
npm ERR! notarget No matching version found for vite-plugin-svgr@5.2.0 with a date before <date/time according to min-release-age>.

Running:

npm view vite-plugin-svgr

shows that ProGet reports:

published XX minutes ago

Additionally, in the ProGet UI, the published date matches the cache date, which appears to be incorrect.

Actual package information:
The package vite-plugin-svgr@5.2.0 was published to the public npm registry approximately 7 days ago.

Problem:

ProGet seems to overwrite or ignore the original published timestamp from the upstream npm registry and instead uses the cache/import timestamp.

This behavior breaks compatibility with npm’s min-release-age security feature, making it ineffective when ProGet is used as a proxy.

Expected behavior:

ProGet should preserve the original published date from the upstream npm registry.
The cache/import date must not replace or be treated as the package publish date.

Impact:

This issue makes it impossible to reliably enforce security policies such as min-release-age, which are critical for mitigating risks from newly published (and potentially malicious) packages.

If you navigate to Admin > Advanced Settings and check "Use Connector Publish Date", then this will behave as you expect. Note that you will need to delete already-cached packages.

This will be default behavior in ProGet 2026+

Cheers,
Alana