Obviously, adding a minimum age isn't going to guarantee you're not impacted, but it's a baseline starting point for reducing the impact of new package versions.

🔗  Key Links 🔗
- https://chrispennington.dev/blog/stop-installing-packages-the-second-theyre-published

---------------------------------------

🌐 Connect With Me 🌐 
- Astro course: https://learnastro.dev
- Website: https://codinginpublic.dev
- Blog: https://chrispennington.blog

🤝 Follow Me 🤝
- Twitter: https://twitter.com/cpenned
- BlueSky: https://bsky.app/profile/codinginpublic.dev

💸 Support Me 💸
- Patreon: https://www.patreon.com/coding_in_public
- Buy Me a Coffee: https://www.buymeacoffee.com/chrispennington

Coding in Public

Recent supply chain attacks targeting popular npm packages like Axios, Next.js, and TanStack highlight the inherent security risks of the npm ecosystem. A practical mitigation is setting a minimum release age for packages, so your package manager won't install anything published too recently. PNPM, Yarn, Bun, and npm all support this feature (though with different naming and units). PNPM v11 defaults to a 1-day minimum automatically. Configuration is done via .npmrc, bunfig.toml, yarnrc.yml, or pnpm-workspace.yaml files. Most tools also allow excluding specific trusted packages from the restriction.

Protect yourself from npm dependency attacks