feat: add Minimum Release Age options

Author: chrisbbreuer

bun.lock

@@ -15,7 +15,7 @@
         "@stacksjs/docs": "^0.70.23",
         "@stacksjs/eslint-config": "^4.14.0-beta.3",
         "@stacksjs/gitlint": "^0.1.5",
-        "@types/bun": "^1.2.21",
+        "@types/bun": "^1.2.22",
         "bun-git-hooks": "^0.2.19",
         "bun-plugin-dtsx": "0.9.5",
         "typescript": "^5.9.2",
@@ -500,7 +500,7 @@
 
     "@sindresorhus/is": ["@sindresorhus/[email protected]", "", {}, "sha512-t09vSN3MdfsyCHoFcTRCH/iUtG7OJ0CsjzB8cjAmKc/va/kIgeDI/TxsigdncE/4be734m0cvIYwNaV4i2XqAw=="],
 
-    "@stacksjs/bumpx": ["@stacksjs/[email protected].78", "", { "dependencies": { "@stacksjs/clapp": "^0.1.16", "@stacksjs/logsmith": "^0.1.15", "bunfig": "^0.14.1" }, "bin": { "bumpx": "dist/bin/cli.js" } }, "sha512-lLPd3vQSk3H6s60s7TtJiopmykVCJ0ZSU2C5zRPaHDbdL7XZv1+PBCPOMDxfO04xOZsX3NmCZumHz511kVqFqg=="],
+    "@stacksjs/bumpx": ["@stacksjs/[email protected].84", "", { "dependencies": { "@stacksjs/clapp": "^0.1.16", "@stacksjs/logsmith": "^0.1.15", "bunfig": "^0.14.1" }, "bin": { "bumpx": "dist/bin/cli.js" } }, "sha512-Mniy85XvWhjbQ94UwGo0781ERlCqZDQ5w9Lj1Qgd1T21tK+MTRaCDTYeyrmkz/Xqvn97TJmBSxRg07VkS4Z8VA=="],
 
     "@stacksjs/clapp": ["@stacksjs/[email protected]", "", { "bin": { "clapp": "dist/bin/cli.js", "@stacksjs/clapp": "dist/bin/cli.js" } }, "sha512-BDmYu9Rk/HHIVc4vQjgQO6MzXNMJvPG6ZGiiEAPQT8EAidx3/6S6O7kyY2UdfJSksiCd5SKFK+WYd1uAs88BrQ=="],
 
@@ -532,7 +532,7 @@
 
     "@tybys/wasm-util": ["@tybys/[email protected]", "", { "dependencies": { "tslib": "^2.4.0" } }, "sha512-VyyPYFlOMNylG45GoAe0xDoLwWuowvf92F9kySqzYh8vmYm7D2u4iUJKa1tOUpS70Ku13ASrOkS4ScXFsTaCNQ=="],
 
-    "@types/bun": ["@types/[email protected].21", "", { "dependencies": { "bun-types": "1.2.21" } }, "sha512-NiDnvEqmbfQ6dmZ3EeUO577s4P5bf4HCTXtI6trMc6f6RzirY5IrF3aIookuSpyslFzrnvv2lmEWv5HyC1X79A=="],
+    "@types/bun": ["@types/[email protected].22", "", { "dependencies": { "bun-types": "1.2.22" } }, "sha512-5A/KrKos2ZcN0c6ljRSOa1fYIyCKhZfIVYeuyb4snnvomnpFqC0tTsEkdqNxbAgExV384OETQ//WAjl3XbYqQA=="],
 
     "@types/cacheable-request": ["@types/[email protected]", "", { "dependencies": { "@types/http-cache-semantics": "*", "@types/keyv": "^3.1.4", "@types/node": "*", "@types/responselike": "^1.0.0" } }, "sha512-IQ3EbTzGxIigb1I3qPZc1rWJnH0BmSKv5QYTalEwweFvyBDLSAe24zP0le/hyi7ecGfZVlIVAg4BZqb8WBwKqw=="],
 
@@ -802,7 +802,7 @@
 
     "bun-plugin-dtsx": ["[email protected]", "", { "dependencies": { "@stacksjs/dtsx": "0.9.4" } }, "sha512-PMGr8kna2C7rbN5NFKW+nqj8TyXjs05Yh2QM7Xjp9PN1/cJMyZML3JJAJT0Ne/6eOYCcubmLM91r+Rix/cqn8Q=="],
 
-    "bun-types": ["[email protected].21", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-sa2Tj77Ijc/NTLS0/Odjq/qngmEPZfbfnOERi0KRUYhT9R8M4VBioWVmMWE5GrYbKMc+5lVybXygLdibHaqVqw=="],
+    "bun-types": ["[email protected].22", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-hwaAu8tct/Zn6Zft4U9BsZcXkYomzpHJX28ofvx7k0Zz2HNz54n1n+tDgxoWFGB4PcFvJXJQloPhaV2eP3Q6EA=="],
 
     "bunfig": ["[email protected]", "", { "bin": { "bunfig": "bin/cli.js" } }, "sha512-KxblKbteHmlDgbEv6L9AYghcU+6mpoJhbmNa1cbfn1LuS99+1UGAcTG1u4u4zcjT4JHVff5cblSKjZmOw5+I7w=="],
 

package.json

@@ -66,11 +66,11 @@
     "ts-pkgx": "0.4.52"
   },
   "devDependencies": {
-    "@stacksjs/bumpx": "^0.1.78",
+    "@stacksjs/bumpx": "^0.1.84",
     "@stacksjs/docs": "^0.70.23",
     "@stacksjs/eslint-config": "^4.14.0-beta.3",
     "@stacksjs/gitlint": "^0.1.5",
-    "@types/bun": "^1.2.21",
+    "@types/bun": "^1.2.22",
     "bun-git-hooks": "^0.2.19",
     "bun-plugin-dtsx": "0.9.5",
     "typescript": "^5.9.2"

src/buddy.ts

@@ -82,6 +82,9 @@ export class Buddy {
         updates = this.filterUpdatesByStrategy(updates, this.config.packages.strategy)
       }
 
+      // Apply minimum release age filtering
+      updates = await this.filterUpdatesByMinimumReleaseAge(updates)
+
       // Sort updates by priority
       updates = sortUpdatesByPriority(updates)
 
@@ -945,6 +948,49 @@ export class Buddy {
     })
   }
 
+  /**
+   * Filter updates by minimum release age requirement
+   */
+  private async filterUpdatesByMinimumReleaseAge(updates: PackageUpdate[]): Promise<PackageUpdate[]> {
+    const minimumReleaseAge = this.config.packages?.minimumReleaseAge ?? 0
+    
+    // If no minimum age is set, return all updates
+    if (minimumReleaseAge === 0) {
+      return updates
+    }
+
+    this.logger.info(`Applying minimum release age filter (${minimumReleaseAge} minutes)...`)
+    
+    const filteredUpdates: PackageUpdate[] = []
+    
+    for (const update of updates) {
+      try {
+        const meetsRequirement = await this.registryClient.meetsMinimumReleaseAge(
+          update.name, 
+          update.newVersion, 
+          update.dependencyType
+        )
+        
+        if (meetsRequirement) {
+          filteredUpdates.push(update)
+        } else {
+          this.logger.debug(`Filtered out ${update.name}@${update.newVersion} (${update.dependencyType}) due to minimum release age requirement`)
+        }
+      } catch (error) {
+        // If there's an error checking the release age, be conservative and include the update
+        this.logger.warn(`Error checking release age for ${update.name}@${update.newVersion} (${update.dependencyType}), including update:`, error)
+        filteredUpdates.push(update)
+      }
+    }
+
+    const filteredCount = updates.length - filteredUpdates.length
+    if (filteredCount > 0) {
+      this.logger.info(`Filtered out ${filteredCount} updates due to minimum release age requirement`)
+    }
+
+    return filteredUpdates
+  }
+
   /**
    * Group updates based on configuration
    */
@@ -978,6 +1024,9 @@ export class Buddy {
             filteredUpdates = this.filterUpdatesByStrategy(groupUpdates, groupConfig.strategy)
           }
 
+          // Note: Minimum release age filtering is already applied globally before grouping,
+          // so we don't need to apply it again here
+
           groups.push({
             name: groupConfig.name,
             updates: filteredUpdates,

src/config.ts

@@ -32,6 +32,8 @@ export const defaultConfig: BuddyBotConfig = {
     includePrerelease: false,
     excludeMajor: false,
     respectLatest: true,
+    minimumReleaseAge: 0,
+    minimumReleaseAgeExclude: [],
   },
 }
 

src/registry/registry-client.ts

@@ -1314,6 +1314,175 @@ export class RegistryClient {
     return null
   }
 
+  /**
+   * Get the release date of a specific package version from registry
+   */
+  async getPackageVersionReleaseDate(packageName: string, version: string): Promise<Date | null> {
+    try {
+      // First try using bun info to get package metadata
+      const result = await this.runCommand('bun', ['info', `${packageName}@${version}`, '--json'])
+      const data = JSON.parse(result)
+      
+      // Check if the package data has time information
+      if (data.time && typeof data.time === 'string') {
+        return new Date(data.time)
+      }
+      
+      // If bun doesn't provide time info, fall back to npm registry API
+      if (!data.time) {
+        try {
+          const npmResult = await this.runCommand('npm', ['view', `${packageName}@${version}`, 'time', '--json'])
+          const timeData = JSON.parse(npmResult)
+          
+          if (timeData && typeof timeData === 'string') {
+            return new Date(timeData)
+          }
+        }
+        catch (npmError) {
+          this.logger.debug(`npm fallback failed for ${packageName}@${version}:`, npmError)
+        }
+      }
+      
+      return null
+    }
+    catch (error) {
+      this.logger.debug(`Failed to get release date for ${packageName}@${version}:`, error)
+      return null
+    }
+  }
+
+  /**
+   * Get the release date for GitHub Actions
+   */
+  async getGitHubActionReleaseDate(actionName: string, version: string): Promise<Date | null> {
+    try {
+      // GitHub Actions use GitHub releases API
+      // Format: owner/repo@version
+      const [owner, repo] = actionName.split('/')
+      if (!owner || !repo) {
+        return null
+      }
+
+      // Use GitHub API to get release information
+      const apiUrl = `https://api.github.com/repos/${owner}/${repo}/releases/tags/${version}`
+      
+      // Use curl to fetch the release data
+      const result = await this.runCommand('curl', ['-s', '-H', 'Accept: application/vnd.github.v3+json', apiUrl])
+      const releaseData = JSON.parse(result)
+      
+      if (releaseData.published_at) {
+        return new Date(releaseData.published_at)
+      }
+      
+      return null
+    }
+    catch (error) {
+      this.logger.debug(`Failed to get GitHub Action release date for ${actionName}@${version}:`, error)
+      return null
+    }
+  }
+
+  /**
+   * Get the release date for Composer packages
+   */
+  async getComposerPackageReleaseDate(packageName: string, version: string): Promise<Date | null> {
+    try {
+      // Use Packagist API for Composer packages
+      const apiUrl = `https://packagist.org/packages/${packageName}.json`
+      
+      const result = await this.runCommand('curl', ['-s', apiUrl])
+      const packageData = JSON.parse(result)
+      
+      if (packageData.package && packageData.package.versions && packageData.package.versions[version]) {
+        const versionData = packageData.package.versions[version]
+        if (versionData.time) {
+          return new Date(versionData.time)
+        }
+      }
+      
+      return null
+    }
+    catch (error) {
+      this.logger.debug(`Failed to get Composer package release date for ${packageName}@${version}:`, error)
+      return null
+    }
+  }
+
+  /**
+   * Get the release date for Docker images
+   */
+  async getDockerImageReleaseDate(imageName: string, version: string): Promise<Date | null> {
+    try {
+      // For Docker Hub images, we can use the Docker Hub API
+      // This is more complex as it requires authentication for some images
+      // For now, we'll be conservative and allow Docker image updates
+      this.logger.debug(`Docker image release date checking not fully implemented for ${imageName}:${version}`)
+      return null
+    }
+    catch (error) {
+      this.logger.debug(`Failed to get Docker image release date for ${imageName}:${version}:`, error)
+      return null
+    }
+  }
+
+  /**
+   * Check if a package version meets the minimum release age requirement
+   */
+  async meetsMinimumReleaseAge(packageName: string, version: string, dependencyType?: string): Promise<boolean> {
+    const minimumReleaseAge = this.config?.packages?.minimumReleaseAge ?? 0
+    const excludeList = this.config?.packages?.minimumReleaseAgeExclude ?? []
+
+    // If no minimum age is set, allow all packages
+    if (minimumReleaseAge === 0) {
+      return true
+    }
+
+    // If package is in exclude list, allow it immediately
+    if (excludeList.includes(packageName)) {
+      this.logger.debug(`Package ${packageName} is excluded from minimum release age requirement`)
+      return true
+    }
+
+    // Get the release date based on dependency type
+    let releaseDate: Date | null = null
+    
+    switch (dependencyType) {
+      case 'github-actions':
+        releaseDate = await this.getGitHubActionReleaseDate(packageName, version)
+        break
+      case 'require':
+      case 'require-dev':
+        releaseDate = await this.getComposerPackageReleaseDate(packageName, version)
+        break
+      case 'docker-image':
+        releaseDate = await this.getDockerImageReleaseDate(packageName, version)
+        break
+      default:
+        // For npm/bun packages (dependencies, devDependencies, etc.)
+        releaseDate = await this.getPackageVersionReleaseDate(packageName, version)
+        break
+    }
+    
+    if (!releaseDate) {
+      // If we can't get the release date, be conservative and allow the update
+      // This prevents blocking updates when registry data is unavailable
+      this.logger.warn(`Could not determine release date for ${packageName}@${version} (${dependencyType || 'unknown type'}), allowing update`)
+      return true
+    }
+
+    // Calculate age in minutes
+    const now = new Date()
+    const ageInMinutes = (now.getTime() - releaseDate.getTime()) / (1000 * 60)
+
+    const meetsRequirement = ageInMinutes >= minimumReleaseAge
+    
+    if (!meetsRequirement) {
+      this.logger.info(`Package ${packageName}@${version} (${dependencyType || 'unknown type'}) is too new (${Math.round(ageInMinutes)} minutes old, minimum: ${minimumReleaseAge} minutes)`)
+    }
+
+    return meetsRequirement
+  }
+
   /**
    * Run bun outdated for a specific workspace
    */

src/types.ts

@@ -43,6 +43,10 @@ export interface BuddyBotConfig {
     excludeMajor?: boolean
     /** Respect "latest" and "*" version indicators (default: true) */
     respectLatest?: boolean
+    /** Minimum age in minutes that a package version must have before installation (default: 0) */
+    minimumReleaseAge?: number
+    /** Package names to exclude from minimum release age requirement */
+    minimumReleaseAgeExclude?: string[]
   }
 
   /** PR generation settings */