pcloadletter

npm needs an analog to pnpm's minimumReleaseAge and yarn's npmMinimalAgeGate

With the growing number of supply chain attacks in the npm ecosystem (for example, Shai-Hulud), the pnpm and yarn package managers have each added a very handy configuration option that delays the install of newly published package versions: minimumReleaseAge and npmMinimalAgeGate, respectively.

These options let developers specify the minimum age a package version must have before it gets installed; anything published more recently is skipped and an older version that satisfies the range is resolved instead. For example, a development team could decide that if a package version has been in the wild for three days without being reported and pulled, it's probably safe. Three days would be set up as follows (note that pnpm's setting is in minutes, so three days is 4320, not 1440, which is one day):

pnpm (in pnpm-workspace.yaml):

	minimumReleaseAge: 4320

yarn (in .yarnrc.yml):

	npmMinimalAgeGate: 3d

Both package managers have a way to allowlist packages that bypass the gate as necessary (minimumReleaseAgeExclude in pnpm, npmPreapprovedPackages in yarn), which is what you use for internal packages or for an urgent upstream fix.

This kind of safeguard is nice because the same thing that makes npm supply chain attacks valuable is what makes age gates effective: npm's popularity. Packages that receive a lot of use also receive a lot of scrutiny, so a malicious version is likely to be noticed, reported and unpublished within hours or days of release. A gate that waits out that window lets everyone else's scrutiny protect you. The caveat is that it only buys time: a compromised version that nobody catches within the window installs normally, so the gate complements, rather than replaces, lockfiles, provenance checks and dependency review.

npm itself has no equivalent, which is a real gap. There has been at least one attempt to add such a feature, but it was closed in favor of an existing PR to enhance the --before flag to parse relative dates. Today --before takes an absolute date and makes npm resolve every package to the newest version that satisfies its range and was published on or before that date; with relative dates the way this would work is:

npm install --before=3d

Or before=3d can be added to .npmrc so that it applies to every install.

But this is insufficient because --before applies uniformly to every package: there is no escape hatch for trusted packages, which is important for internal dependencies published to a private registry and for pulling in an urgent upstream fix before the window has passed.
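To make the gate concrete, here is an added example (not code from this post, nor from npm, pnpm or yarn) of the logic the two settings described above implement, written against the per-version publish times that the npm registry returns in a packument's time field. It checks a set of resolved versions against a minimum age, honors an allowlist the way pnpm's minimumReleaseAgeExclude and yarn's npmPreapprovedPackages do, picks the newest version that is old enough, and, for comparison with the --before discussion, prints the absolute --before value npm accepts today. The registry data, the lockfile excerpt, the @acme/internal-lib package name and the fixed "now" timestamp are all constructed for the example.

```javascript
// Added example: a minimal "minimum release age" check for npm installs.
// Registry data below is constructed; in practice you would fetch
// https://registry.npmjs.org/<name> and read its "time" object.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed packument "time" data, shaped like the registry's response.
const REGISTRY = {
  "left-pad": {
    time: {
      created: "2016-03-22T00:00:00.000Z",
      modified: "2025-09-16T10:00:00.000Z",
      "1.3.0": "2018-06-01T00:00:00.000Z",
      "1.3.1": "2025-09-15T12:00:00.000Z", // published 2 days before NOW
    },
  },
  "@acme/internal-lib": {            // hypothetical internal package
    time: {
      created: "2025-09-17T08:00:00.000Z",
      modified: "2025-09-17T08:00:00.000Z",
      "0.1.0": "2025-09-17T08:00:00.000Z", // published 4 hours before NOW
    },
  },
};

// Fixed "now" so the example is deterministic; use Date.now() for real runs.
const NOW = new Date("2025-09-17T12:00:00.000Z");

// Constructed lockfile excerpt: package name -> version about to be installed.
const RESOLVED = {
  "left-pad": "1.3.1",
  "@acme/internal-lib": "0.1.0",
};

// Allowlist: packages that skip the gate (the escape hatch --before lacks).
const ALLOWLIST = new Set(["@acme/internal-lib"]);

function publishedAt(registry, name, version) {
  const pkg = registry[name];
  const iso = pkg && pkg.time && pkg.time[version];
  if (!iso) throw new Error(`no publish time for ${name}@${version}`);
  return new Date(iso);
}

function ageInDays(registry, name, version, now = NOW) {
  return (now - publishedAt(registry, name, version)) / DAY_MS;
}

// Returns the resolved packages that are younger than minDays and not allowlisted.
function checkMinimumAge(resolved, registry, minDays, allowlist = new Set(), now = NOW) {
  const violations = [];
  for (const [name, version] of Object.entries(resolved)) {
    if (allowlist.has(name)) continue;
    const age = ageInDays(registry, name, version, now);
    if (age < minDays) {
      violations.push({ name, version, ageDays: Math.round(age * 100) / 100 });
    }
  }
  return violations;
}

// Numeric compare of plain "x.y.z" versions (no prerelease tags handled here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version of a package published at least minDays ago, or null if none.
// This is the resolution step an age gate changes.
function newestAllowedVersion(registry, name, minDays, now = NOW) {
  const cutoff = now - minDays * DAY_MS;
  const candidates = Object.entries(registry[name].time)
    .filter(([key, iso]) => key !== "created" && key !== "modified" && new Date(iso) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// The closest thing npm offers today: an absolute --before date for the same window.
function beforeFlag(minDays, now = NOW) {
  return `--before=${new Date(now - minDays * DAY_MS).toISOString()}`;
}

console.log("violations:", checkMinimumAge(RESOLVED, REGISTRY, 3, ALLOWLIST));
console.log("left-pad resolves to:", newestAllowedVersion(REGISTRY, "left-pad", 3));
console.log("npm equivalent:", beforeFlag(3));
```

With a three-day gate the script flags left-pad@1.3.1 (two days old) while letting the allowlisted internal package through, and resolves left-pad to 1.3.0 instead; the printed --before value is what you would have to pass to npm to get the same cutoff, for every package, with no way to exempt @acme/internal-lib.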

Also, the npm docs make no mention of using the --before flag as a security mechanism. Perhaps this is pedantic, but I would like to see the npm docs focus explicitly on security, and if --before is intended to be a security mechanism it should be stated as such, along with its limits.
