We need cooldowns everywhere , by default. Development package managers, OS package managers, ...

uyzstvqs • today at 4:04 PM • 3 replies • view on HN

We need cooldowns everywhere, by default. Development package managers, OS package managers, browser extensions. Even auto-updates in standalone apps should implement it. Give companies like Socket time to detect malicious updates. They're good at it, but it's pointless if everyone keeps downloading packages just minutes after they're published.

Replies

eranation • today at 4:50 PM

Exactly this. For anyone who wants to do it for various package managers:

  ~/.npmrc: 
  min-release-age=7 (npm 11.10+)

  ~/Library/Preferences/pnpm/rc: 
  minimum-release-age=10080 (minutes)

  ~/.bunfig.toml 
  [install]: 
  minimumReleaseAge = 604800 (seconds)

This would have protected the 334 people who downloaded @bitwarden/cli 2026.4.0 ~19h ago (according to https://www.npmjs.com/package/@bitwarden/cli?activeTab=versi...). Same for axios last month (removed in ~3h). Doesn't help with event-stream-style long-dormant attacks but those are rarer.

(plug: released a small CLI to auto-configure these — https://depsguard.com — I tried to find something that will help non developers quickly apply recommended settings, and couldn't find one)

➕ show 1 reply

srigi • today at 4:41 PM

That is why we have discussions like these: https://x.com/i/status/2039099810943304073

➕ show 1 reply

tomjen3 • today at 5:20 PM

I am not sure that works - imagine that the next shellshock had been found. Would you want to wait 7 days to update?

We need to either screen everybody or cut of countries like North Korea and Iran from the Internet.

➕ show 1 reply

alt Hacker News

Replies