Supply-chain cooldown alias
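# Supply-chain cooldown: refuse to install package versions younger than 24h.
# Mitigates incidents that are usually caught and unpublished within hours
# (chalk/debug, tinycolor, shai-hulud worm, etc.). Exempts @mgcrea (own scope).
#
# Usage: setup-pkg-cooldown [DAYS]
#   DAYS  non-negative integer, default 1. 0 removes the cooldown everywhere.
# Files touched: ~/.npmrc, pnpm's global rc, ~/.bunfig.toml, ~/.ncurc.json
# (each only when the matching tool is installed; the ncu step needs jq).
# Each file carries one fenced `# >>> pkg-cooldown >>>` … `# <<< pkg-cooldown <<<`
# block that is stripped and re-written on every call, so the function is
# idempotent. Progress goes to stdout, failures to stderr.
# Returns 0 on success, 1 on invalid DAYS or when any config file could not be
# rewritten (that file is left as it was).
setup-pkg-cooldown() {
  local days=${1:-1} # default 1 day. 0 = remove the cooldown.
  local exclude="@mgcrea"
  local minutes rc=0

  # DAYS ends up inside (( )) , in a jq --argjson and verbatim in config files,
  # so accept only a plain non-negative integer before touching anything.
  case "$days" in
    '' | *[!0-9]*)
      echo "setup-pkg-cooldown: DAYS must be a non-negative integer, got '$days'" >&2
      return 1
      ;;
  esac
  # Normalise leading zeros: "007" would be read as octal by (( )) and is not
  # valid JSON for --argjson.
  days=$(( 10#$days ))
  minutes=$(( days * 1440 ))

  # Strip any prior fenced block from a config file (portable, no sed -i).
  # Rewrites via mktemp + mv, so the result inherits mktemp's 0600 mode — fine
  # for files like ~/.npmrc that may hold auth tokens. The temp file is removed
  # on failure; returns 1 so the caller does not append onto a half-stripped file.
  _pkg_cooldown_strip() {
    local f="$1" tmp
    [ -f "$f" ] || return 0
    tmp=$(mktemp) || return 1
    if awk '/^# >>> pkg-cooldown >>>/,/^# <<< pkg-cooldown <<</{next} {print}' "$f" >"$tmp"; then
      mv "$tmp" "$f"
    else
      rm -f -- "$tmp"
      return 1
    fi
  }

  # Apply a jq FILTER to JSON file F in place (mktemp + mv, temp removed on
  # failure). $d is always bound to DAYS so filters may use it. Returns 1 if jq
  # rejects the file or the rewrite fails; F is left untouched in that case.
  _pkg_cooldown_jq() {
    local f="$1" filter="$2" tmp
    tmp=$(mktemp) || return 1
    if jq --argjson d "$days" "$filter" "$f" >"$tmp"; then
      mv "$tmp" "$f"
    else
      rm -f -- "$tmp"
      return 1
    fi
  }

  # npm — ~/.npmrc. Key is `min-release-age` (numeric, unit = DAYS in npm 11.x).
  # No exclude key in npm yet. Write directly so we don't depend on `npm config
  # set` (option-name quirks across versions).
  local npmrc="$HOME/.npmrc"
  touch "$npmrc"
  if _pkg_cooldown_strip "$npmrc"; then
    if (( days > 0 )); then
      cat >>"$npmrc" <<EOF
# >>> pkg-cooldown >>>
min-release-age=$days
# <<< pkg-cooldown <<<
EOF
      echo "npm: min-release-age=$days day(s) (~/.npmrc)"
    else
      echo "npm: cooldown removed (~/.npmrc)"
    fi
  else
    echo "npm: could not rewrite ~/.npmrc; left unchanged" >&2
    rc=1
  fi

  # pnpm — write camelCase keys to pnpm's own globalconfig (NOT ~/.npmrc), so
  # npm doesn't warn "Unknown user config" on every invocation. `pnpm config set`
  # errors when CWD has a non-pnpm packageManager, so patch the file directly.
  # NOTE(review): this is the macOS location of pnpm's global rc; on other
  # platforms pnpm looks elsewhere — adjust the path if you use this there.
  if command -v pnpm >/dev/null 2>&1; then
    local pnpmrc="$HOME/Library/Preferences/pnpm/rc"
    mkdir -p "$(dirname "$pnpmrc")"
    touch "$pnpmrc"
    if _pkg_cooldown_strip "$pnpmrc"; then
      if (( days > 0 )); then
        cat >>"$pnpmrc" <<EOF
# >>> pkg-cooldown >>>
minimumReleaseAge=$minutes
minimumReleaseAgeExclude=$exclude
# <<< pkg-cooldown <<<
EOF
        echo "pnpm: minimumReleaseAge=$minutes min exclude=$exclude (~/Library/Preferences/pnpm/rc)"
      else
        echo "pnpm: cooldown removed (~/Library/Preferences/pnpm/rc)"
      fi
    else
      echo "pnpm: could not rewrite ~/Library/Preferences/pnpm/rc; left unchanged" >&2
      rc=1
    fi
  fi

  # bun — patch ~/.bunfig.toml directly (no `bun config set` exists).
  # TOML forbids defining a table twice, so if the file already has its own
  # [install] table we refuse to append a second one and ask for a manual merge
  # instead of corrupting the file.
  if command -v bun >/dev/null 2>&1; then
    local bunfig="$HOME/.bunfig.toml"
    touch "$bunfig"
    if _pkg_cooldown_strip "$bunfig"; then
      if (( days == 0 )); then
        echo "bun: cooldown removed (~/.bunfig.toml)"
      elif grep -q '^\[install\]' "$bunfig"; then
        echo "bun: ~/.bunfig.toml already has an [install] table; add minimumReleaseAge = $minutes and minimumReleaseAgeExcludes = [\"$exclude\"] to it by hand" >&2
        rc=1
      else
        cat >>"$bunfig" <<EOF
# >>> pkg-cooldown >>>
[install]
minimumReleaseAge = $minutes
minimumReleaseAgeExcludes = ["$exclude"]
# <<< pkg-cooldown <<<
EOF
        echo "bun: minimumReleaseAge=$minutes min exclude=$exclude (~/.bunfig.toml)"
      fi
    else
      echo "bun: could not rewrite ~/.bunfig.toml; left unchanged" >&2
      rc=1
    fi
  fi

  # npm-check-updates — ~/.ncurc.json. JSON file, so use jq to merge the
  # `cooldown` key without clobbering anything else. ncu accepts plain days.
  # Bypass at the CLI any time with `ncu -c 0`.
  if command -v jq >/dev/null 2>&1; then
    local ncurc="$HOME/.ncurc.json"
    [ -f "$ncurc" ] || echo '{}' >"$ncurc"
    if (( days > 0 )); then
      if _pkg_cooldown_jq "$ncurc" '. + {cooldown: $d}'; then
        echo "ncu: cooldown=$days day(s) (~/.ncurc.json) [bypass: ncu -c 0]"
      else
        echo "ncu: could not rewrite ~/.ncurc.json (invalid JSON?); left unchanged" >&2
        rc=1
      fi
    elif _pkg_cooldown_jq "$ncurc" 'del(.cooldown)'; then
      # If the file is now empty `{}`, remove it.
      if [ "$(jq -c '.' "$ncurc")" = "{}" ]; then
        rm -f -- "$ncurc"
      fi
      echo "ncu: cooldown removed (~/.ncurc.json)"
    else
      echo "ncu: could not rewrite ~/.ncurc.json (invalid JSON?); left unchanged" >&2
      rc=1
    fi
  fi

  # Helpers are defined per call so they don't linger in the interactive shell.
  unset -f _pkg_cooldown_strip _pkg_cooldown_jq
  return "$rc"
}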