PSA: *Supply Chain* Attacks
Protect yourself from installing compromised packages from an unlucky npm install at the wrong time. Turn it on now; it's free!
Turn on Release Age Cooldown
Your package manager won't resolve a version published more recently than the configured age, and this applies to dependencies of dependencies too.
Most compromised versions are caught and pulled from the registry within hours by security researchers or maintainers, so this setting makes a real difference.
| Package manager | Setting | Min Version | Auto Enabled |
|---|---|---|---|
| pnpm | minimumReleaseAge | 10.16.0 | 11+ |
| yarn | npmMinimalAgeGate | 4.10.0 | 4.10+ |
| npm | min-release-age | 11.10.0 | N/A |
| bun | minimumReleaseAge | 1.3.0 | N/A |
pnpm
Unit is minutes. Put this in pnpm-workspace.yaml:
```yaml
minimumReleaseAge: 1440 # 1 day
minimumReleaseAgeExclude:
  - "@myorg/*"
minimumReleaseAgeStrict: true
```
yarn
Unit is a duration string. Put this in .yarnrc.yml:
```yaml
npmMinimalAgeGate: "1d"
npmPreapprovedPackages:
  - "@myorg/*"
```
npm
Unit is days. No exclude mechanism yet. Put this in .npmrc:
```ini
min-release-age=1
```
bun
Unit is seconds. Put this in bunfig.toml:
```toml
[install]
minimumReleaseAge = 86400 # 1 day
minimumReleaseAgeExcludes = ["@types/bun"]
```
A note on lockfiles
Installs from a frozen lockfile skip the check entirely; only dependency resolution triggers it. New package installs, upgrades, and lockfile rebuilds are the spooky things.
The exclusion list
Sometimes you need the latest security patch right away. Use the exclusion config to let a specific package install while it is still inside the cooldown window; everything else stays gated.
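To make the cooldown and exclusion semantics above concrete, here is an added example (my own code, not from the post or from any of the package managers) of a minimal release-age gate run over constructed npm-registry-style `time` metadata. The package names, timestamps and the `eligibleVersions` helper are assumptions for illustration; real package managers apply the same rule during resolution.

```javascript
// Added example: a release-age gate in the spirit of pnpm's minimumReleaseAge,
// applied to the npm registry "time" metadata shape ({ version: ISO timestamp }).
const MINUTE_MS = 60 * 1000;

// Turn an exclusion pattern like "@myorg/*" into an anchored RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                 // glob star matches anything
  return new RegExp(`^${escaped}$`);
}

// True when the package name matches any exclusion pattern.
function isExcluded(name, excludes) {
  return excludes.some((p) => patternToRegExp(p).test(name));
}

// Versions of `name` that resolution may consider at `now`: those published at
// least `minAgeMinutes` ago, or all of them when the package is excluded.
function eligibleVersions(name, timeMeta, minAgeMinutes, excludes, now) {
  const cutoff = now.getTime() - minAgeMinutes * MINUTE_MS;
  const excluded = isExcluded(name, excludes);
  return Object.entries(timeMeta)
    .filter(([v]) => v !== "created" && v !== "modified") // registry bookkeeping keys
    .filter(([, published]) => excluded || Date.parse(published) <= cutoff)
    .map(([v]) => v);
}

// Constructed sample metadata (not real registry data): 4.17.21 is three days
// old, 4.17.22 was published 20 minutes before `now`, the typical age of a
// compromised release that has not yet been pulled.
const now = new Date("2026-01-10T12:00:00Z");
const sampleTime = {
  created: "2020-01-01T00:00:00Z",
  modified: "2026-01-10T11:40:00Z",
  "4.17.21": "2026-01-07T12:00:00Z",
  "4.17.22": "2026-01-10T11:40:00Z",
};

// With a 1-day (1440 minute) cooldown, an ordinary package only sees 4.17.21,
// while a package matching the exclusion list sees both versions.
function demo() {
  return {
    gated: eligibleVersions("some-lib", sampleTime, 1440, ["@myorg/*"], now),
    excluded: eligibleVersions("@myorg/tool", sampleTime, 1440, ["@myorg/*"], now),
  };
}
```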
Stay safe out there.