StepSecurity has released an NPM Package Cooldown Check, a GitHub PR check that automatically blocks pull requests introducing npm package versions published within the last 48 hours. The configurable cooldown period gives the security community time to detect malicious releases before teams adopt them. The check integrates into GitHub workflows, provides clear failure messages with auto-resolution timing, supports admin overrides for emergency patches, and works alongside Dependabot. It is part of a broader suite of supply chain security checks including a compromised packages check, PWN Request detection, and script injection scanning for GitHub Actions workflows.
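The core of such a cooldown check, as an added example that is not StepSecurity's code: it diffs the `packages` block of a package-lock.json (v2/v3 format) between base and head, looks each newly introduced version up in the npm registry's `time` map (version to publish timestamp), and reports violations together with the time at which the check would auto-resolve. The package names, lockfiles, timestamps and fixed clock are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(hours=48)  # the configurable cooldown window

# Constructed sample data (hypothetical packages); the npm registry document for a package carries a `time` map of version -> publish timestamp.
REGISTRY_TIME = {
    "example-lib": {"1.9.0": "2024-03-02T10:00:00Z", "2.0.0": "2024-06-09T18:00:00Z"},
    "example-util": {"1.4.2": "2024-05-01T09:30:00Z"},
}
# package-lock.json v2/v3 `packages` blocks for the base branch and the PR head.
BASE_LOCK = {"packages": {"": {"name": "app"}, "node_modules/example-lib": {"version": "1.9.0"}}}
HEAD_LOCK = {"packages": {"": {"name": "app"}, "node_modules/example-lib": {"version": "2.0.0"},
                          "node_modules/example-util": {"version": "1.4.2"}}}
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

def lockfile_versions(lock):
    """name -> version for every node_modules entry, nested entries included."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if "node_modules/" in path and "version" in entry:
            out[path.rsplit("node_modules/", 1)[1]] = entry["version"]
    return out

def newly_introduced(base_lock, head_lock):
    """(name, version) pairs the PR adds or upgrades to, relative to the base branch."""
    base, head = lockfile_versions(base_lock), lockfile_versions(head_lock)
    return sorted((n, v) for n, v in head.items() if base.get(n) != v)

def cooldown_violations(pairs, registry_time, now, cooldown=COOLDOWN):
    """Flag versions published inside the cooldown and note when the check auto-resolves."""
    hits = []
    for name, version in pairs:
        stamp = registry_time.get(name, {}).get(version)
        if stamp is None:
            continue  # version unknown to the registry: out of scope for a cooldown check
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        resolves_at = published + cooldown
        if resolves_at > now:
            hits.append({"name": name, "version": version,
                         "published": published, "resolves_at": resolves_at})
    return hits

def run_check(base_lock, head_lock, registry_time, now, cooldown=COOLDOWN):
    """Return (passed, message) in the shape a PR status check would report."""
    hits = cooldown_violations(newly_introduced(base_lock, head_lock), registry_time, now, cooldown)
    if not hits:
        return True, "all newly introduced npm versions are older than the cooldown"
    lines = [f"{h['name']}@{h['version']}: published {(now - h['published']) // timedelta(hours=1)}h ago, "
             f"auto-resolves at {h['resolves_at'].isoformat()}" for h in hits]
    return False, "\n".join(lines)
```

A real check would fetch the registry document for each affected package instead of using the embedded map, and an admin override would simply skip the failing status for an approved emergency patch.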
Table of contents
What is the NPM Package Cooldown Check?
Walkthrough: Blocking a Newly Released Package in a PR
Adopting the Cooldown Check in Your Pipeline
Part of a Broader Security Initiative
Conclusion and Next Steps