npm rolls out a package release cooldown and scalable trusted publishing updates as ecosystem adoption of install safeguards grows.

Socket

npm CLI 11.10.0 introduces three notable security and workflow improvements. The new `minimumReleaseAge` setting lets teams enforce a cooldown before newly published package versions can be installed, reducing exposure to malicious packages before detection. A new `--allow-git` flag closes a code execution path via Git dependencies that could bypass `--ignore-scripts`. Bulk OIDC configuration via `npm trust` allows maintainers to configure trusted publishing across multiple packages at once, easing migration from classic tokens. These changes align npm with pnpm, Yarn, and Bun, which already offer release-age gating, signaling that time-based install gating is becoming a standard supply chain defense across the JavaScript ecosystem.

npm Introduces minimumReleaseAge and Bulk OIDC Configuration

Closing a Git Execution Path During Install #

Bulk OIDC Configuration for Trusted Publishing #

Ecosystem Alignment on Supply Chain Controls #