I always wondered why it wasn't super easy to have a version specification in NPM that basically said "give me the latest version of this dependency
as of X weeks ago". That is, hijacked modules usually were revealed within a week, and there are some groups (like security researchers) that are fine with being on the bleeding edge, but a lot of more conservative companies would rather hold back a week or two.
I know there are extensions and proxies you can set up that do this, but it just seems like it should be built into npm directly (maybe it has been, I haven't been up on Node programming in the last couple of years).