PSA: npm/bun/pnpm/uv now all support setting a minimum release age for packages.
I also have `ignore-scripts=true` in my ~/.npmrc. Based on the analysis, that alone would have mitigated the vulnerability. bun and pnpm do not execute lifecycle scripts by default.
Here's how to set global configs to set min release age to 7 days:
~/.config/uv/uv.toml
exclude-newer = "7 days"
~/.npmrc
min-release-age=7 # days
ignore-scripts=true
~/Library/Preferences/pnpm/rc
minimum-release-age=10080 # minutes
~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # seconds
(Side note, it's wild that npm, bun, and pnpm have all decided to use different time units for this configuration.)
If you're developing with LLM agents, you should also update your AGENTS.md/CLAUDE.md file with some guidance on how to handle failures stemming from this config, as they will cause the agent to unproductively spin its wheels.
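To make the gate's semantics concrete, here is an added example (not code from any of these tools or from the thread) that applies a minimum-release-age rule to a constructed copy of a registry package document, normalising the three tools' units (days, minutes, seconds) to one duration; the package name, versions and timestamps are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a registry package document: the "time" map
# records each version's publish timestamp. "example-pkg" is a hypothetical name.
SAMPLE_METADATA = {
    "name": "example-pkg",
    "dist-tags": {"latest": "1.2.1"},
    "time": {
        "created": "2025-11-01T08:00:00.000Z",
        "modified": "2026-02-12T09:00:00.000Z",
        "1.1.0": "2025-11-01T08:00:00.000Z",
        "1.2.0": "2026-02-01T10:00:00.000Z",
        "1.2.1": "2026-02-12T09:00:00.000Z",  # published 2 days before NOW
    },
}
NOW = datetime(2026, 2, 14, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible run

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def min_age(*, days=0, minutes=0, seconds=0):
    """Normalise the units the tools use (npm: days, pnpm: minutes, bun: seconds)."""
    return timedelta(days=days, minutes=minutes, seconds=seconds)

def parse_publish_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def eligible_versions(metadata, now, age):
    """Versions published at least `age` before `now`, newest first."""
    cutoff = now - age
    found = []
    for version, stamp in metadata["time"].items():
        m = _SEMVER.match(version)          # skips "created" / "modified"
        if m and parse_publish_time(stamp) <= cutoff:
            found.append((tuple(int(x) for x in m.groups()), version))
    return [v for _, v in sorted(found, reverse=True)]

def resolve(metadata, now, age):
    """Newest eligible version, plus the versions the gate held back."""
    ok = eligible_versions(metadata, now, age)
    held = [v for v in metadata["time"] if _SEMVER.match(v) and v not in ok]
    return (ok[0] if ok else None), held

if __name__ == "__main__":
    for label, age in [("npm 7 days", min_age(days=7)),
                       ("pnpm 10080 min", min_age(minutes=10080)),
                       ("bun 604800 s", min_age(seconds=604800))]:
        chosen, held = resolve(SAMPLE_METADATA, NOW, age)
        print(f"{label}: install {chosen}, held back {held}")
```

The same held-back list is what a security patch published inside the window would land in, which is the trade-off raised further down the thread.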
pnpm did this first, but I'm glad to see all the others follow suit.
For anyone wondering, you need to be on npm >= 11.10.0 in order to use it. It just became available Feb 11 2026.
About the use of different units: next time you choose a property name in a config file, include the unit in the name. So not “timeout” but “timeoutMinutes”.
Is there a way to do that per repo for these tools? We all know how user-side configuration works for users (they usually clean it whenever it goes against what they want to do instead of wondering why it blocks their changes :))
It's wild that none of these are set by default.
I know 90% of people I've worked with will never know these options exist.
Setting min release age to 7 days for patch releases exposes you to the other side of the coin: you have an open 7-day window on zero-day exploits that might be fixed in a security release.
and for yarn berry
~/.yarnrc.yml
npmMinimalAgeGate: "3d"
lol with mise I used a fourth time unit: https://mise.jdx.dev/configuration/settings.html#install_bef...
If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.
I think npm doesn't support end-of-line comments, so
~/.npmrc
min-release-age=7 # days
actually doesn't set it at all, please edit your comment.
EDIT: Actually maybe it does? But it's weird because `npm config list -l` shows `min-release-age = null` with and without the comment. So who knows ¯\_(ツ)_/¯
Run npm/pnpm/bun/uv inside a sandbox.
There is no reason to let random packages have full access to your machine.
Props to uv for actually using the correct config path. jfc, what is "bunfig"?
The config for uv won't work. uv only supports a full timestamp for this config, and no rolling-window day option AFAIK. Am I crazy or is this LLM slop?
Good luck with any `npm audit` in a pipeline. Sometimes you have to pull the latest release because the previous one had a critical vulnerability.
> (Side note, it's wild that npm, bun, and pnpm have all decided to use different time units for this configuration.)
First day with javascript?