[Bug?]: `npmPreapprovedPackages` not working for private registry

[oblador]

Self-service

• I'd be willing to implement a fix

Describe the bug

#6901 introduced a much needed npmMinimalAgeGate setting and npmPreapprovedPackages to opt out of it. However when using a private npm registry for a certain scope, the opt out setting doesn't seem to apply properly. On public packages it works however. I can't really explain why, but maybe this is because it's using meta data from the public registry (where the package doesn't exist)?

To reproduce

# .yarnrc.yml
npmMinimalAgeGate: 10000
npmPreapprovedPackages: 
  - "@some-scope/*"

npmScopes:
  some-scope:
    npmRegistryServer: "https://domain"

Environment

System:
    OS: macOS 15.6.1
    CPU: (10) arm64 Apple M1 Max
  Binaries:
    Node: 22.13.0
    Yarn: 4.10.0
    npm: 10.9.2

Additional context

No response

[arcanis]

That looks strange - can you use yarn set version from sources --no-minify and add some logging around the isPackageApproved function to see what you get when it queries this private package?

[karl-run]

Hmm, this exact thing works for me. Interactive upgrade even suggests downgrading to a less-than minimal age gate version.

[karl-run]

With only npmMinimalAgeGate: 2880

With

npmPreapprovedPackages:
  - '@navikt/*'

as well:

My .yarnrc.yml.

[oblador]

Ah it seems that on Gitlab CI the NPM registry doesn't have the time field for publish times which causes it to throw an error. If I default it to an empty object it works. Want me to send a PR for that?

[arcanis]

That'd be great, thanks!

[arcanis]

Ideally we could even report a new error explaining that the registry doesn't offer time capabilities - something like:

➤ YN0060: │ foo: Remote doesn't support npmMinimalAgeGate; use npmPreapprovedPackages to override

[oblador]

Honestly not sure how to properly propagate such an error given the try/catch statement.