fix(npm): use packageName for pnpm overrides with range selectors in minimumReleaseAgeExclude

[oikarinen]

Changes

When a pnpm.overrides entry uses a version range selector (e.g. "fast-xml-parser@<=5.3.5": "5.5.7"), Renovate was generating an invalid minimumReleaseAgeExclude entry like fast-xml-parser@<=5.3.5@5.5.7 instead of fast-xml-parser@5.5.7, causing pnpm install to fail with ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE.

The root cause: depName for pnpm overrides with range selectors contains the full override key (needed for correctly updating package.json), but minimumReleaseAgeExclude requires exact package name + version pairs.

Fix by using upgrade.packageName ?? upgrade.depName when constructing minimumReleaseAgeExclude entries. packageName holds the bare npm package name (fast-xml-parser) as parsed by @pnpm/parse-overrides, while depName retains the full key. Falls back to depName for all other dependency types where packageName is not set, preserving existing behaviour.

Context

• This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

AI assistance disclosure

• Yes — substantive assistance (AI-generated non-trivial portions of code, tests, or documentation).

Made with Cursor (claude-4.6-sonnet). AI was used for root cause analysis, implementation, tests, and documentation.

Documentation (please check one with an [x])

• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Newly added/modified unit tests

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}