[RRFC] expanding behavior of `--before` to support date adjustment and setting via config

[MylesBorins]

Motivation ("The Why")

--before is an excellent feature for reliability as being able to run install in a project "as if it were in the past"... it has an additional benefit in that it can be used to create a temporary delay in what you are consuming from the registry which can offer a level of protection from a supply chain attack. Utilizing a bit of unix ingenuity we can do something fancy like the below to enforce all installs to have a 7 day delay, potentially protecting you from a supply chain attack (which are often dealt with relatively quickly) without having to pin dependencies in a way that may make you susceptible to unpatched known vulnerabilities.

npm install --before="$(date -v -7d)"

Date has pretty expansive syntax for setting date adjustment specifically

If val is numeric, one of either y, m, w, d, H, M or S must be used to specify which part of the date is to be adjusted.

It would be great if we could pass this type of syntax directly to --before, or another similar flag, to allow support in a platform independent way (the above solution wouldn't work on windows).

Further it would be amazing if we could set this as a configuration in a global or local .npmrc allow developers to manage this at a project or system level.

Example

npm install --before-relative 7d
npm install --before-relative 30M
npm install --before-relative 1y

How

Current Behaviour

I believe this is covered above

Desired Behaviour

I believe this is covered above

References

• https://twitter.com/MylesBorins/status/1506327513236180992

[bnb]

in your 30m example, is that months or minutes?

[MylesBorins]

In the case of date m is month and M is minutes

[ljharb]

My suggestion is to use the ISO 8601 standard DSL for this, which Temporal.Duration will use: https://tc39.es/proposal-temporal/docs/duration.html