Reputation: 656
I would like to restrict the installation of npm package in some projects of my company to releases that are at least X weeks old.
The reason for that being that given enough time before installing a package version, it is likely that if the package maintainer was compromised and the package contains malicious code (in the package itself or in a postinstall script), it will have been caught and removed from the public npm registry.
I could easily ask our developers to manually install versions that are at least X weeks old, however they are likely to install transitive dependencies that are not locked on a specific version, which can result in the installation of a transitive dependency that is only a few hours old.
Is there a way to force npm to only install packages that are at least X weeks old, including for transitive dependencies?
Upvotes: 1
Views: 44
Reputation: 656
There are a few vendors that cover this use case that you might find by googling. It seems that they are called [npm] registry firewalls.
The way they work is that developers change their default registry from the public npm registry to the registry firewall. The registry firewall then acts as a proxy between the developer and the public registry and decides which packages and package versions to allow.
In the registry firewall, you can configure policies such as:
postinstall scripts
Some of them might deliver additional features such as SBOM / SCA...
Upvotes: 1
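The minimum-age idea from the question and the policy gate from the answer amount to the same check: for every exact version pinned in the lockfile, look up when that version was published and reject it if it is younger than the threshold. Note that npm itself has a date-based variant of this built in: the `before` config (`npm install --before=<ISO date>`) makes the resolver pick only versions published on or before that date, transitive dependencies included. The script below is an added example, not code from the question, the answer, or any registry-firewall vendor. It shows the relative-age variant as a CI gate over a lockfileVersion 2/3 `package-lock.json`: the lockfile, the `time` maps (the shape the public registry returns in each package's packument) and all package names, versions and dates are constructed for the example, and a version with no known publish time is flagged rather than waved through.

```javascript
// Added example: a minimum-release-age gate over an npm lockfile.
// Every package name, version and timestamp below is constructed for the
// example and does not refer to a real package.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Collect the exact resolved versions from a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/a" or "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" (scoped names keep "@scope/").
function resolvedPackages(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // workspace / link entries, not registry packages
    const name = key.slice(idx + "node_modules/".length);
    out.push({ name, version: entry.version, path: key });
  }
  return out;
}

// Classify each resolved version against publish timestamps taken from the
// registry packument's "time" field ({ "1.2.3": "<ISO 8601>", ... }).
// A version without a timestamp is reported as unknown, not passed (fail closed).
function checkMinimumAge(lock, registryTime, minAgeDays, now = new Date()) {
  const result = { ok: [], tooYoung: [], unknown: [] };
  for (const pkg of resolvedPackages(lock)) {
    const times = registryTime[pkg.name];
    const published = times ? times[pkg.version] : undefined;
    if (!published) {
      result.unknown.push(pkg);
      continue;
    }
    const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
    const record = { ...pkg, published, ageDays: Math.floor(ageDays) };
    (ageDays < minAgeDays ? result.tooYoung : result.ok).push(record);
  }
  return result;
}

// Constructed lockfile: one direct dep, one direct dep with a nested dep, and
// one dep for which we have no packument data at all.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-lib-a": { version: "1.3.0" },
    "node_modules/example-lib-b": { version: "2.0.0" },
    "node_modules/example-lib-b/node_modules/example-lib-c": { version: "0.0.9" },
    "node_modules/example-lib-d": { version: "4.1.0" },
  },
};

// Constructed "time" maps, one per package, in the packument's shape.
const SAMPLE_REGISTRY_TIME = {
  "example-lib-a": { created: "2022-05-01T00:00:00.000Z", "1.3.0": "2024-01-10T12:00:00.000Z" },
  "example-lib-b": { created: "2023-11-20T00:00:00.000Z", "2.0.0": "2024-03-01T08:00:00.000Z" },
  "example-lib-c": { created: "2024-03-04T23:30:00.000Z", "0.0.9": "2024-03-04T23:30:00.000Z" },
  // example-lib-d deliberately absent: the lookup failed or the package vanished
};

const NOW = new Date("2024-03-05T00:00:00.000Z"); // fixed clock so the run is reproducible
const MIN_AGE_DAYS = 14;

function runSample() {
  return checkMinimumAge(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME, MIN_AGE_DAYS, NOW);
}

// When run directly, print a report and fail the build on any young or unknown version.
if (typeof require !== "undefined" && require.main === module) {
  const res = runSample();
  for (const p of res.tooYoung) console.log(`TOO YOUNG ${p.name}@${p.version} (${p.ageDays} days old, at ${p.path})`);
  for (const p of res.unknown) console.log(`UNKNOWN   ${p.name}@${p.version} (no publish time available)`);
  for (const p of res.ok) console.log(`OK        ${p.name}@${p.version} (${p.ageDays} days old)`);
  process.exitCode = res.tooYoung.length + res.unknown.length > 0 ? 1 : 0;
}
```

In a real pipeline the `time` maps would come from fetching each package's packument from the registry (or from the firewall's own metadata store), and the gate would run before `npm ci` on the committed lockfile, which is what makes it cover transitive dependencies: they are pinned in the lockfile just like direct ones.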