We’re excited to announce the release of our NPM Package Cooldown Check, which helps teams block newly released, potentially compromised dependencies, while still allowing emergency fixes and integrating seamlessly into GitHub workflows

StepSecurity

StepSecurity has released an NPM Package Cooldown Check, a GitHub PR check that automatically blocks pull requests introducing npm package versions published within the last 48 hours. The configurable cooldown period gives the security community time to detect malicious releases before teams adopt them. The check integrates into GitHub workflows, provides clear failure messages with auto-resolution timing, supports admin overrides for emergency patches, and works alongside Dependabot. It is part of a broader suite of supply chain security checks including a compromised packages check, PWN Request detection, and script injection scanning for GitHub Actions workflows.

Introducing the NPM Package Cooldown Check

Walkthrough: Blocking a Newly Released Package in a PR

Adopting the Cooldown Check in Your Pipeline