
Add CLI flags for package release version dates

Open angeloreale opened this issue 1 month ago • 1 comment

Would it be possible to consider an RFC for adding flags to the npm CLI to specify dates from/until which any dependency or sub-dependencies should be installed?

e.g. npm i --until 20250908

It can write to stderr if the semver is not matching a major or minor release. This could also be a strict-level flag.

e.g. npm i --until 20250908 --preserve major

The motivation is to enable organizations to respond to supply-chain security incidents faster, and with greater certainty.

e.g.

https://snyk.io/blog/sha1-hulud-npm-supply-chain-incident/

Thank you.

angeloreale avatar Nov 26 '25 13:11 angeloreale
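The resolver behaviour the request above describes, written out as an added example that is not part of the issue and not npm's own code: given a registry-style `time` map (version → publish timestamp), it picks the newest version in a `^` range published no later than a `YYYYMMDD` cutoff, and a `preserve` level of `"major"` or `"minor"` fails the resolution when the date-pinned choice lags the newest in-range version at that level. The package metadata is constructed, the cutoff is treated as inclusive of the whole UTC day, and the `--preserve` semantics are one reading of the proposal, all of which are assumptions.

```javascript
"use strict";

// Constructed "time" map for a hypothetical package, shaped like the registry
// document's `time` field (not real registry data).
const SAMPLE_TIME = {
  created: "2025-08-01T00:00:00.000Z",
  modified: "2025-09-12T00:00:00.000Z",
  "1.4.0": "2025-08-01T00:00:00.000Z",
  "1.4.1": "2025-09-05T12:00:00.000Z",
  "1.5.0": "2025-09-10T00:00:00.000Z",
  "2.0.0": "2025-09-12T00:00:00.000Z",
};

// Parse "major.minor.patch" into numbers; prerelease/build tags are ignored here.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range "^x.y.z": >= x.y.z with the same major (same minor when major is 0).
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only ^ ranges are supported in this example");
  const base = range.slice(1);
  const v = parseSemver(version), b = parseSemver(base);
  if (!v || !b || compareSemver(version, base) < 0) return false;
  return b[0] === 0 ? v[0] === 0 && v[1] === b[1] : v[0] === b[0];
}

// "YYYYMMDD" -> end of that UTC day (assumption: "--until" includes the day itself).
function parseCutoff(yyyymmdd) {
  const m = /^(\d{4})(\d{2})(\d{2})$/.exec(yyyymmdd);
  if (!m) throw new Error(`bad date: ${yyyymmdd}`);
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], 23, 59, 59, 999));
}

// Resolve `range` against `timeMap`, refusing anything published after the cutoff.
// `preserve` ("major" | "minor" | null) turns a lagging pick into an error, which is
// one reading of the "--preserve major" strictness flag proposed above.
function resolveWithCutoff(timeMap, range, untilYYYYMMDD, preserve = null) {
  const cutoff = parseCutoff(untilYYYYMMDD);
  const inRange = Object.keys(timeMap)
    .filter((k) => parseSemver(k) && satisfiesCaret(k, range))
    .sort(compareSemver);
  if (inRange.length === 0) throw new Error(`no versions satisfy ${range}`);
  const latest = inRange[inRange.length - 1];
  const eligible = inRange.filter((v) => new Date(timeMap[v]) <= cutoff);
  if (eligible.length === 0) {
    throw new Error(`no version matching ${range} was published by ${untilYYYYMMDD}`);
  }
  const chosen = eligible[eligible.length - 1];
  const c = parseSemver(chosen), l = parseSemver(latest);
  if (preserve === "major" && c[0] !== l[0]) {
    throw new Error(`--preserve major: ${chosen} is a different major than ${latest}`);
  }
  if (preserve === "minor" && (c[0] !== l[0] || c[1] !== l[1])) {
    throw new Error(`--preserve minor: ${chosen} is a different minor than ${latest}`);
  }
  return { chosen, latest, pinnedByDate: chosen !== latest };
}

if (typeof require !== "undefined" && require.main === module) {
  // Equivalent of "npm i --until 20250908" for a "^1.4.0" dependency.
  console.log(resolveWithCutoff(SAMPLE_TIME, "^1.4.0", "20250908"));
  try {
    resolveWithCutoff(SAMPLE_TIME, "^1.4.0", "20250908", "minor");
  } catch (e) {
    console.error(e.message); // the strict flag surfaces the lag on stderr
  }
}
```

Running it picks 1.4.1 (published 2025-09-05) rather than 1.5.0 (published 2025-09-10), reports that the choice was pinned by date, and with `"minor"` strictness refuses because 1.4.x lags the newest in-range 1.5.0; with `"major"` it passes since both are 1.x.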

There are already --before and #8570, so I think this is a dup.

dallmair avatar Nov 26 '25 21:11 dallmair