(FR): Implement 'minimumReleaseAge' as a security feature (like pnpm added recently)
Ref:
- https://github.com/pnpm/pnpm/issues/9921
- https://pnpm.io/settings#minimumreleaseage
- https://socket.dev/blog/pnpm-10-16-adds-new-setting-for-delayed-dependency-updates
- https://github.com/raineorshine/npm-check-updates/issues/1532
Copying an excerpt from one of these articles:
Following a wave of high-profile supply chain attacks targeting popular npm packages, pnpm has shipped a new minimumReleaseAge setting in version 10.16 that delays installation of newly published packages.
There is also this RRFC for npm from 2022:
- https://github.com/npm/rfcs/issues/646
Maybe this new issue would be considered as a duplicate of this other issue.
There also should be an easy way to ignore postinstall scripts for dependencies that aren't on a specific whitelist (also like Pnpm has). That way I could allow scripts for e.g. esbuild, but not for every other dependency or subdependency which has no need for them.
Edit: there is an existing RFC requesting this from 2021, and an even older discussion going back to 2019.
Maybe this new issue would be considered as a duplicate of this other issue.
This is not a duplicate. The minimumReleaseAge proposed here is not the same as the stabilityDays proposed in https://github.com/npm/rfcs/issues/646
I described the difference here: https://github.com/npm/rfcs/issues/646#issuecomment-3300329373
So, correct me if I'm wrong, but from reading the docs about the --before flag and the discussion at npm/rfcs#646 (especially this comment)
...the main differences compared to the current --before would be:
- The format of the string passed to the flag: a date string in npm's --before vs a number (of minutes) in pnpm's --minimumReleaseAge. (It's convenient: set it up once and forget about it.)
- The behavior when resolving a dist-tag like some-package@latest, as --before seems to resolve to a previous major in some cases.
It’s convenient
I would argue however, the real power comes from devs and more importantly projects being able to set a default policy for everyone working on the project (through npmrc, environment variables and alike).
I can't believe there are still people using the npm cli in 2025.
@limonte
As per your comment in https://github.com/npm/rfcs/issues/646#issuecomment-3305813827 , do you mean that --before in npm (https://docs.npmjs.com/cli/v11/commands/npm-install#before) can effectively provide the same functionality as pnpm's minimumReleaseAge (seemingly with a slightly different format of providing that duration) ?
@webextensions - this would be very handy if before flag accepted date math but from the docs it doesn't appear to support that.
Given its null or Date then the limitation with the current implementation is that it requires an absolute date vs. relative time from now which minimumReleaseAge includes.
@omonk plus --before or a default for it can not be set in an npmrc/environment variable, right?
@twesterhuys from the docs it's possible for before to be placed inside of a .npmrc file but I don't even know if a hacky implementation in a preinstall script could make this really dynamic. Having it native to the npm cli would be much better
@limonte As per your comment in npm/rfcs#646 (comment), do you mean that --before in npm (https://docs.npmjs.com/cli/v11/commands/npm-install#before) can effectively provide the same functionality as pnpm's minimumReleaseAge (seemingly with a slightly different format of providing that duration)?
@webextensions I think so yes. It's less handy than minimumReleaseAge because you need to calculate now() - N days manually and pass that to --before as Date, but yes it's basically the same thing.
minimumReleaseAge also comes with minimumReleaseAgeExclude, which isn't supported via --before. If you're shipping a multi-component system then you need to pull in fresh versions of your trusted internally-maintained components without pulling in fresh exploits from outside.
The difference in naming probably causes confusion here but npm has had before for a while now which can indeed achieve exactly the same thing
This issue should probably be renamed to be clear that the missing functionality is that before should support date math. Not that npm needs a separate flag - npm is the one ahead here
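For the two points made above, that emulating minimumReleaseAge with --before means computing now() minus N by hand, and that minimumReleaseAge also brings an exclude list that --before has no equivalent for, here is an added example. It is not code from npm, pnpm or this issue. It derives the absolute cutoff --before wants from a relative age, and resolves a dist-tag under a minimum-age policy with an exclude list, using the version-to-publish-time map a registry packument exposes (the `time` field that `npm view <pkg> time --json` prints). The package name, its publish dates and the fixed clock are constructed for the example, and the selection rule (highest non-prerelease version that is old enough and not newer than the tag, fail closed otherwise) is a simplification for illustration, not pnpm's exact algorithm.

```javascript
// Added example: emulate a "minimum release age" policy on top of registry
// metadata. Not code from npm, pnpm or this issue; the packument below is
// constructed and the selection rule is a simplification of pnpm's.

// Constructed sample packument. `time` mirrors the shape of the registry
// packument (what `npm view some-package time --json` prints): version ->
// publish time, plus the non-version keys `created` and `modified`.
const NOW = Date.parse("2025-09-20T12:00:00Z"); // fixed clock for the example
const samplePackument = {
  name: "some-package",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-01T00:00:00Z",
    modified: "2025-09-20T11:30:00Z",
    "1.4.2": "2025-03-10T09:00:00Z",
    "2.0.0": "2025-08-01T10:00:00Z",
    "2.0.1": "2025-09-12T08:00:00Z",
    "2.1.0": "2025-09-20T11:30:00Z", // 30 minutes before NOW: the "fresh" release
  },
};

// Absolute ISO timestamp for npm's --before, derived from a relative age in
// minutes. This is the "now() - N" calculation the thread says must be done by hand.
function beforeCutoff(minimumReleaseAgeMinutes, now = Date.now()) {
  return new Date(now - minimumReleaseAgeMinutes * 60_000).toISOString();
}

// Parse x.y.z; prereleases and the non-version keys of `time` return null.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Resolve `tag` under the policy. Excluded packages (the minimumReleaseAgeExclude
// idea) get the tag as-is; otherwise pick the highest version that is (a) at least
// `minimumReleaseAge` minutes old and (b) not newer than what the tag points to.
// Returns null when nothing satisfies the policy, so the caller fails closed
// instead of silently installing a fresh release.
function resolveWithMinimumAge(packument, { minimumReleaseAge, exclude = [], now = Date.now(), tag = "latest" }) {
  const tagged = packument["dist-tags"][tag];
  if (tagged === undefined || parseSemver(tagged) === null) return null; // unknown tag or prerelease tag
  if (exclude.includes(packument.name)) return tagged;
  const cutoff = now - minimumReleaseAge * 60_000;
  const eligible = Object.entries(packument.time)
    .filter(([v, published]) => parseSemver(v) !== null && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .filter((v) => compareSemver(v, tagged) <= 0)
    .sort(compareSemver);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Demo with the fixed clock: a one-day policy skips 2.1.0 and lands on 2.0.1,
// while an excluded package still gets the tagged 2.1.0.
console.log("npm install --before=" + beforeCutoff(1440, NOW));
console.log("1 day policy ->", resolveWithMinimumAge(samplePackument, { minimumReleaseAge: 1440, now: NOW }));
console.log("excluded     ->", resolveWithMinimumAge(samplePackument, { minimumReleaseAge: 1440, now: NOW, exclude: ["some-package"] }));
```

In practice the packument would come from the registry (or `npm view <pkg> --json`) rather than being embedded, and the timestamp `beforeCutoff` prints is what you would pass to `npm install --before=...`, which, as noted later in this thread, applies to the whole install. The resolver returns null rather than falling through to the tagged version so that a package with no old-enough release blocks the install instead of quietly pulling in the newest one.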
Would be nice if this feature supported different policies for major, minor, and patch releases, like Dependabot does with its cooldown config options.
Would be nice if this feature supported different policies for major, minor, and patch releases, like Dependabot does with its cooldown config options.
Thank you @mnemotic! I missed this recent Dependabot update: Dependabot supports configuration of a minimum package age
yarn also added this now
yarn also added this now
Adding references as I couldn't find a curated Yarn changelog 😬
https://medium.com/@roman_fedyskyi/yarn-4-10-adds-a-release-age-gate-for-safer-dependency-management-765c2d18149a
https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate
https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg%2Fcli%2F4.10.0
What's Changed ... feat: implement npmMinimalAgeGate and npmPreapprovedPackages config options by @bienzaaron in https://github.com/yarnpkg/berry/pull/6901
EDIT: Thanks to @ljharb, it turns out npm's --before feature does apply to transitive dependencies, which is marvelous. Regardless of the configuration details, I'm happy such a feature simply exists at all. Thank you to the folks who made this happen!
For anyone interested, in addition to pnpm, similar functionality is now available in Yarn, Bun, Deno, and Python's uv package manager.
@Waldenesque you're incorrect; --before applies to the entire install, and will act as if you have literally travelled in time to the given date.
@ljharb
Thank you, this is beautiful news!
(If you have a magic wand capable of granting wishes, there's a few other things I'd like to be wrong about, too...)
Maybe this should be prioritized considering the ~~shit-hulu~~ shai-hulud mess?!
I’ve submitted a PR implementing this feature: npm/cli/pull/8825
It adds minimum-release-age and minimum-release-age-exclude options, with CLI, .npmrc, and environment variable support, along with tests.
Feedback welcome!