Skip to content

Instantly share code, notes, and snippets.

View archasek's full-sized avatar

archas archasek

  • Warsaw, Poland
View GitHub Profile
@Git-on-my-level
Git-on-my-level / js-package-manager-release-age-gates.md
Created May 12, 2026 02:51
Supply chain attack mitigation - set a bake period for js ecosystem package managers

Add a 5-day release-age gate for JavaScript package managers

This is a practical baseline for reducing exposure to short-lived npm supply-chain attacks. The idea is simple: do not install package versions until they have existed long enough for malicious releases to be reported, removed, or fixed.

This config sets a 5-day minimum package age for npm, pnpm, Yarn, and Bun.

What gets configured

Different package managers use different names and units:

@Unitech
Unitech / bootstrap
Last active February 9, 2018 15:22
PM2 / Keymetrics for Heroku/Rackspace/Joyent/Amazon Elasticbeanstalk/Azure...
http://pm2.keymetrics.io/docs/usage/use-pm2-with-cloud-providers/