> (Side note, it's wild that npm, bun, and pnpm have all decided to use different time units for this configuration.)

First day with javascript?

About the use of different units: next time you choose a property name in a config file, include the unit in the name. So not “timeout” but “timeoutMinutes”.

Pnpm did this first but I’m glad to see all the others follow suit

For anyone wondering, you need to be on npm >= 11.10.0 in order to use it. It just became available Feb 11 2026

https://github.com/npm/cli/releases/tag/v11.10.0

> PSA: npm/bun/pnpm/uv now all support setting a minimum release age for packages.

The solution is not moar toolz. That's the problem—this crazy mindset that the problems endemic to bad tooling have a solution in the form of complementing them with another layer, rather than fewer.

Git and every sane SCM already allow you to manage your source tree without jumping through a bunch of hoops to go along with wacky overlay version control systems like the one that the npmjs.com crew designed, centering around package.json as a way to do an end-run around Git. You don't need to install and deploy anything containing never-before-seen updates just because the NodeJS influencer–developers say that lockfiles are the Right Way to do things. (It's not.)

Opting in to being vulnerable to supply chain attacks is a choice.

<https://news.ycombinator.com/item?id=46006471>

<https://news.ycombinator.com/item?id=46360308>

Is there a way to do that per repo for these tools ? We all know how user sided configuration works for users (they usually clean it whenever it goes against what they want to do instead of wondering why it blocks their changes :))

min release age to 7 days about patch releases exposes you to the other side of the coin, you have an open 7 days window on zero-day exploits that might be fixed in a security release

mise has an option as well (note the caveats though):

https://mise.jdx.dev/configuration/settings.html#install_bef...

And homebrew has discussed it, kinda sorta:

https://github.com/Homebrew/brew/issues/21129

It's wild that none of these are set by default.

I know 90% of people I've worked with will never know these options exist.

and for yarn berry

    ~/.yarnrc.yml
    npmMinimalAgeGate: "3d"

And when you actually need a super hot fix for a 0-day, you will need to revert this and keep it that way for some time to then go back to minimum age.

While this works, we stillneed a permanent solution which requires a sort of vetting process, rather than blindly letting everything through.

If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.

lol with mise I used a fourth time unit: https://mise.jdx.dev/configuration/settings.html#install_bef...

I think the npm doesn't support end of line comments, so

  ~/.npmrc
  min-release-age=7 # days 

EDIT: Actually maybe it does? But it's weird because

`npm config list -l` shows: `min-release-age = null` with, and without the comment. so who knows ¯\_(ツ)_/¯

Where in the pnpm documentation does it say that it ignores scripts by default?

From https://pnpm.io/cli/install#--ignore-scripts:

> Default: *false*

Run npm/pnpm/bun/uv inside a sandbox.

There is no reason to let random packages have full access to your machine

Props to uv for actually using the correct config path jfc what is “bunfig”

Everyone has forgotten standard ISO 8601 durations and invented their own syntax.

The config for uv won't work. uv only supports a full timestamp for this config, and no rolling window day option afaik. Am I crazy or is this llm slop?

Good luck with any `npm audit` in a pipeline. Sometimes you have to pull the latest release because the previous one had a critical vulnerability.

npm is claiming this doesn’t exist

[dead]

[dead]

[dead]