This is a practical baseline for reducing exposure to short-lived npm supply-chain attacks. The idea is simple: do not install package versions until they have existed long enough for malicious releases to be reported, removed, or fixed.
This config sets a 5-day minimum package age for npm, pnpm, Yarn, and Bun.
Different package managers use different names and units: