install: accept ms-style duration strings for minimumReleaseAge

[robobun]

What

bun install's minimum-release-age filter now accepts an ms-style duration string in addition to a bare number of seconds, for both the --minimum-release-age CLI flag and the [install].minimumReleaseAge bunfig key:

bun add @types/bun --minimum-release-age 3d     # or "1 week", "48h", ...
bun add @types/bun --minimum-release-age 259200 # still works (seconds)

[install]
minimumReleaseAge = "3d"   # or 259200 (seconds)

How

• bun_core::parse_ms() — an npm ms-style parser (y/w/d/h/m/s/ms, case-insensitive, long and short spellings), re-exported from bun_core.
• CLI flag + bunfig EString branch: parse as seconds first (parse_f64), then fall back to parse_ms. A bare number (quoted or unquoted) stays seconds for back-compat; inputs are trimmed before parsing so "259200 " isn't read as milliseconds. Non-finite / negative values are rejected. 0 disables the filter.

Stacked follow-up

The gated 2-day-default-for-new-projects change (configVersion V2, behind a 1.4 feature flag) is split out into #31608, stacked on this PR.

Verification

test/cli/install/minimum-release-age.test.ts — 54 pass / 0 fail on debug+ASAN, including the new duration-string cases (CLI + bunfig, with/without spaces, bare-number-is-seconds, invalid-string rejection).

[robobun]

^{Updated 7:04 PM PT - Jun 3rd, 2026}

❌ @robobun, your commit fa4b4b2 has 1 failures in Build #60209 (All Failures):

• test/cli/install/bunx.test.ts - code 1 on 🐧 13 x64-asan
• test/cli/install/bunx.test.ts - code 1 on 🪟 2019 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🪟 2019 x64
• test/cli/install/bunx.test.ts - code 1 on 🍎 14 x64
• test/cli/install/bunx.test.ts - code 1 on 🐧 25.04 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🐧 13 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🐧 25.04 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🪟 11 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 13 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 25.04 x64
• test/cli/install/bunx.test.ts - code 1 on 🐧 13 x64
• test/cli/install/bunx.test.ts - code 1 on 🐧 3.23 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 3.23 x64
• test/cli/install/bunx.test.ts - code 1 on 🍎 26 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 3.23 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🍎 14 aarch64

---

🧪   To try this PR locally:

bunx bun-pr 30529

That installs a local version of the PR into your bun-30529 executable, so you can run:

bun-30529 --bun

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Updates docs and adds tests for Bun's minimum release age: CLI and bunfig accept ms-style duration strings or seconds, 0 disables the filter, and configVersion-dependent defaults (new projects may default to 2 days) are covered by tests including feature-flag and existing-lockfile paths.

Changes

Minimum Release Age Feature Documentation and Tests

Layer / File(s)	Summary
Duration String Parsing Tests test/cli/install/minimum-release-age.test.ts	Tests verify that --minimum-release-age CLI flag and bunfig.toml's minimumReleaseAge accept ms-style duration strings ("5d", "1 week"), apply filtering correctly, and reject invalid values.
ConfigVersion V2 Defaults and Feature Flag Tests test/cli/install/minimum-release-age.test.ts	Tests verify that new projects receive a 2-day default and configVersion: 2 in gated scenarios, that existing configVersion: 1 lockfiles remain unaffected, that minimumReleaseAge = 0 disables the default, that existing configVersion: 2 lockfiles apply the default without the flag, and that the feature-flag-off path preserves legacy behavior.
CLI Documentation Updates docs/pm/cli/install.mdx	Documents minimum release age behavior, configVersion-based defaults (2 days for new projects in Bun 1.4+, disabled for existing), support for ms-style duration strings or numeric seconds, 0 to disable, and updates CLI examples.
Runtime Configuration Documentation docs/runtime/bunfig.mdx	Documents the [install] minimumReleaseAge option accepting numeric seconds or ms-style duration strings, explains configVersion-dependent defaults, and updates the TOML example (uses "3d" with an alternative numeric-seconds comment).

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately summarizes the main change: accepting ms-style duration strings for minimumReleaseAge in bun install.
Description check	✅ Passed	The PR description provides comprehensive detail on both 'What' (feature overview with examples) and 'How' (implementation details and parsing logic), exceeding the template requirements with verification details.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/cli/bunfig.zig`:
- Around line 799-801: Update the error text in the branch that checks `ms < 0`
so it reflects that zero is allowed: replace the message passed to
`this.addError(min_age.loc, ...)` (currently "Expected a positive duration for
minimumReleaseAge") with wording like "Expected a non-negative duration for
minimumReleaseAge" or "Expected a non-negative duration for minimumReleaseAge (0
disables the filter)"; this change should be made in the `ms < 0` branch where
`this.addError(min_age.loc, ...)` is called to avoid implying that 0 is invalid.

In `@src/install/PackageManager/CommandLineArguments.zig`:
- Around line 846-851: The error messages for parsing --minimum-release-age
currently say "positive" but the code accepts 0; update both Output.errGeneric
calls that reference min_age (the ones guarding ms and the parse branch that
calls Global.crash) to use "non-negative" instead of "positive" so the CLI
wording matches the actual behavior for variable min_age and ms.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 40fb564d-0f6b-4b39-b64f-3cbdf3dbce67

📥 Commits

Reviewing files that changed from the base of the PR and between 37bfbed and 691ee7e.

⛔ Files ignored due to path filters (7)

• test/cli/install/__snapshots__/bun-install-registry.test.ts.snap is excluded by !**/*.snap
• test/cli/install/__snapshots__/bun-lock.test.ts.snap is excluded by !**/*.snap
• test/cli/install/__snapshots__/catalogs.test.ts.snap is excluded by !**/*.snap
• test/cli/install/migration/__snapshots__/pnpm-comprehensive.test.ts.snap is excluded by !**/*.snap
• test/cli/install/migration/__snapshots__/pnpm-lock-migration.test.ts.snap is excluded by !**/*.snap
• test/cli/install/migration/__snapshots__/pnpm-migration-complete.test.ts.snap is excluded by !**/*.snap
• test/cli/install/migration/__snapshots__/yarn-lock-migration.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (18)

• docs/pm/cli/install.mdx
• docs/runtime/bunfig.mdx
• src/bun_core/fmt.zig
• src/cli/bunfig.zig
• src/cli/outdated_command.zig
• src/cli/update_interactive_command.zig
• src/install/ConfigVersion.zig
• src/install/PackageManager.zig
• src/install/PackageManager/CommandLineArguments.zig
• src/install/PackageManager/PackageManagerOptions.zig
• src/install/PackageManager/install_with_manager.zig
• test/cli/install/bun-add.test.ts
• test/cli/install/bun-install-security-provider.test.ts
• test/cli/install/bun-install.test.ts
• test/cli/install/bun-workspaces.test.ts
• test/cli/install/config-version.test.ts
• test/cli/install/dummy.registry.ts
• test/cli/install/minimum-release-age.test.ts

[github-actions]

This PR may be a duplicate of:

1. feat: set default minimumReleaseAge to 3 days (259200s) #28729 - Also sets a default minimumReleaseAge for new projects (3 days vs 2 days in this PR)

🤖 Generated with Claude Code

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/cli/install/minimum-release-age.test.ts`:
- Around line 1328-1338: The spawn-based install test currently only awaits
proc.stderr and proc.exited and asserts exitCode and stderr; update the early
guard to also capture stdout and assert both exitCode and stdout together (e.g.,
await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]) and use
expect({ stdout, exitCode }).toMatchObject({ exitCode: 0 })) before any lockfile
or file reads so failures include stdout for clearer diffs; apply the same
change to the other similar spawn blocks referenced in this file (the ones
around lines ~1354, ~1404, ~1455, ~1495, ~1523, ~1559, ~1588) that use Bun.spawn
with proc, stdout/stderr handling.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f8b2fe2c-b104-4d6d-b4b0-991b24aa52e4

📥 Commits

Reviewing files that changed from the base of the PR and between 691ee7e and f38bd23.

📒 Files selected for processing (8)

• docs/pm/cli/install.mdx
• docs/runtime/bunfig.mdx
• src/bun_core/env_var.zig
• src/cli/bunfig.zig
• src/install/ConfigVersion.zig
• src/install/PackageManager.zig
• src/install/PackageManager/CommandLineArguments.zig
• test/cli/install/minimum-release-age.test.ts

[robobun]

Status

ms-style duration strings for minimumReleaseAge (base main), rebased onto current main at fa4b4b2 (one trivial conflict with #31746's TODO-comment cleanup). test/cli/install/minimum-release-age.test.ts passes 55/55 on debug+ASAN; release + debug build clean.

• Both --minimum-release-age and [install].minimumReleaseAge take an ms-style string ("2d", "1 week", "48h") or a bare number of seconds (back-compat). 0 disables (treated as "disabled" at the manifest-fetch gates + version filter, so it never forces extended manifests).

The Bun.ms follow-up is #31613 (stacked on this). The 2-day-default PR (#31608) was closed per maintainer decision.

CI

The red lane on build 60209 (debian-13-x64-asan) is test/cli/install/bunx.test.ts → "should handle package that requires node 24", which runs live bunx @angular/cli@latest against the real npm registry and now exits 3. It fails identically on plain main (bf70cc79c4) with no changes from this PR — a tree-wide breakage from the external @angular/cli@latest publish, not this diff (which doesn't touch bunx; its gates are no-ops when minimumReleaseAge is unset).

Diff is green; ready for review/merge.

[claude]

Thanks for addressing the earlier feedback — the trim-before-parse_f64, finite-check, idempotency guard, and bun pm trust configVersion preservation all look right now. I didn't find anything new, but given this introduces ConfigVersion::V2 and the gated 2-day default rollout for 1.4 (plus several new unsafe disjoint-borrow sites), I'd like a human to sign off on the design.

Extended reasoning...

Overview

This PR makes two changes to minimumReleaseAge: (1) accepts ms-style duration strings via a new bun_core::parse_ms() and threads it through bunfig + CLI parsing; (2) introduces ConfigVersion::V2 with a 2-day default minimumReleaseAge for fresh projects, gated behind BREAKING_CHANGES_1_4 / BUN_FEATURE_FLAG_INSTALL_CONFIG_V2. A new apply_config_version_defaults() helper is wired into install_with_manager, bun outdated, bun update -i, and bun pm trust. ~15 files, ~600 lines, plus docs and ~320 lines of new tests.

Security risks

The feature itself is a supply-chain security control. The earlier 1000×-weakening risks (quoted bare-number → ms, trailing-whitespace fallthrough, NaN/inf acceptance) have all been fixed in the latest revision. The remaining risk surface is the configVersion gating: an existing-project lockfile must not be silently bumped to V2. The bun pm trust path is now covered; my earlier note about bun pm migrate was a "please confirm" rather than a confirmed bug. No injection/auth concerns.

Level of scrutiny

High. This is core bun install resolution behaviour, introduces a version-gated default that will change what every new project resolves once 1.4 ships, and adds several unsafe { &mut *pm_ptr } projections with SAFETY comments asserting disjoint borrows against load_result. The MAX_KNOWN vs CURRENT split in ConfigVersion and the env-var promotion logic in apply_config_version_defaults are design decisions a maintainer should ratify.

Other factors

All four of my prior inline issues (bare-number string units, idempotency under update -i, bun pm trust clobber, trim/finite validation) are addressed in 4652952. Test coverage is good (59 passing, including flag-on/flag-off, v1/v2 lockfile preservation, and 0-disables). The one remaining CI failure (fetch-tcp-keepalive.test.ts) is unrelated. The CodeRabbit nit about stdout in test guards is cosmetic. This is well-executed but not the kind of mechanical change I'd approve without a human looking at the rollout design.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/pm/cli/install.mdx`:
- Around line 344-345: Update the documentation to clarify that the default
value for minimumReleaseAge (and the related minimumReleaseAgeExcludes) is
conditional on the project's configVersion: state that the shown default
(minimumReleaseAge = "2d") applies to new projects or when configVersion ≥ 2,
whereas existing projects with older lockfiles retain their previous behavior;
reference the configVersion symbol and the two keys minimumReleaseAge and
minimumReleaseAgeExcludes so readers know the conditional relationship.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c801de20-7a72-4038-8c81-19eff53fd833

📥 Commits

Reviewing files that changed from the base of the PR and between f38bd23 and 97e6596.

📒 Files selected for processing (5)

• docs/pm/cli/install.mdx
• docs/runtime/bunfig.mdx
• src/bun_core/env_var.rs
• src/bun_core/fmt.rs
• src/bun_core/lib.rs

[claude]

No bugs found and all prior review feedback has been addressed, but this introduces the ConfigVersion V2 rollout mechanism plus a gated security-relevant default that will affect every fresh project in 1.4 — worth a human pass on the design (2-day value, MAX_KNOWN clamping, bun pm migrate → CURRENT) before merging.

Extended reasoning...

Overview

This PR makes two changes to minimumReleaseAge: (1) accepts ms-style duration strings via a new bun_core::parse_ms() helper, wired through both the CLI flag parser and the bunfig EString branch; (2) introduces ConfigVersion::V2 with a gated 2-day default minimumReleaseAge for fresh projects, applied via a new apply_config_version_defaults() method that is called from install_with_manager, bun outdated, bun update -i, and bun pm trust. It also adds ConfigVersion::MAX_KNOWN (distinct from CURRENT while gated), the BUN_FEATURE_FLAG_INSTALL_CONFIG_V2 env var, ~320 lines of new tests, doc updates, a bunEnv harness tweak, and an unrelated bake-codegen.ts bootstrap-compat fix. 17 files total.

Security risks

minimumReleaseAge is itself a supply-chain attack mitigation. The PR does not weaken it for existing users (the V2 default is purely additive and gated behind BREAKING_CHANGES_1_4), and the parse-path changes were hardened during review (bare-number-string → seconds consistency, NaN/inf rejection, leading/trailing whitespace trim). I see no injection, auth, or data-exposure surface here. The main residual risk is design-level: the configVersion gating must correctly distinguish fresh vs. existing projects across every lockfile-writing path, and one such path (bun pm trust) was missed in the initial revision and caught during review — a human should confirm there are no others.

Level of scrutiny

High. This is core package-manager resolution logic, introduces a new versioned-defaults rollout mechanism that will govern how breaking install defaults ship in 1.4 and beyond, and adds four unsafe { &mut *pm_ptr } raw-pointer reborrows with disjoint-field SAFETY arguments across separate command entrypoints. The 2-day default value, the decision that bun pm migrate writes CURRENT (vs. preserving the migrated-from version like implicit migration does), and the MAX_KNOWN clamping semantics for future lockfiles are all product/design choices a maintainer should explicitly ratify.

Other factors

The PR went through five rounds of substantive fixes during review (quoted-bare-number ms-vs-seconds, apply_config_version_defaults idempotency for update -i, bun pm trust configVersion clobber, NaN/inf + trailing-space handling, bunEnv ambient-flag leak), all now resolved with tests. Test coverage for the new behaviour is thorough (59 passing). The current bug-hunting run found nothing. This is well-executed but not the kind of mechanical change that should bypass human review.

[alii]

@robobun Stack another pr on this to add a Bun.ms API which is just like the ms package (roughly same API). Look for issues and previous PR attempts at this API because I think it was tried before.

[alii]

@robobun Just checking you didn't miss this (Bun.ms)?

[claude]

No new issues on this pass — all earlier threads are resolved (the two remaining bare .is_some() reads are deferred to #31608 as noted). I'm not auto-approving since this touches package-manager manifest fetching / version resolution and the semantics of a security filter across several files, so it's worth a maintainer's sign-off; also noting alii's open question about the Bun.ms stack.

Extended reasoning...

Overview

This PR teaches bun install's minimumReleaseAge filter to accept npm-ms-style duration strings ("3d", "1 week", etc.) in addition to bare seconds, and makes 0 behave as a true disable (no extended-manifest fetch). It touches 10 files: a new parse_ms() parser in bun_core/fmt.rs, the CLI flag parser, the bunfig EString branch, Some(0.0)-as-disabled guards across PackageManagerEnqueue.rs / PopulateManifestCache.rs / npm.rs, two doc pages, and ~230 lines of new tests. The configVersion-V2 / 2-day-default half was split out to #31608 and the Bun.ms API to #31613.

Security risks

The feature being modified is itself a supply-chain security control. The risks I looked for earlier in the review — a quoted bare number being read as ms (1000× weakening), trailing-whitespace fallthrough to parse_ms, NaN/inf acceptance, and 0 forcing the extended manifest — have all been fixed and are covered by tests. There is no new attack surface (no auth/crypto/network-origin handling); the only network-facing effect is which Accept header is sent for registry manifests, and that change is in the less-information direction when the filter is disabled. I see no injection or data-exposure risk.

Level of scrutiny

Moderate-to-high. The diff is not large per file, but it spans the package manager's manifest-fetching and version-resolution paths, changes the semantics of a documented security knob (0 now fully disables rather than filtering with a zero threshold), and introduces a new hand-rolled parser with several edge cases. The PR has been through multiple bug-fix rounds during review, which is a good sign for the final state but also indicates the change was non-trivial to get right.

Other factors

• Test coverage is solid: 7 new test cases covering CLI/bunfig duration strings (with/without spaces), bare-number-as-seconds, invalid rejection, and a dedicated registry test asserting the abbreviated-manifest Accept header when minimumReleaseAge = 0.
• All prior inline threads (mine and CodeRabbit's) are resolved; the two remaining bare .is_some() reads in outdated_command.rs / update_interactive_command.rs are intentionally deferred to the stacked #31608 per the author, and I'd previously flagged them as nit-level / no user-visible impact.
• A maintainer (alii) has an open coordination question from May 30 about the Bun.ms follow-up that hasn't been answered in-thread (though the PR description and the May 14 status comment both reference #31613).
• Given the security-adjacent subsystem and the breadth of files touched, this is past my threshold for auto-approval and deserves a human merge decision.