Adds minimumReleaseAge configuration to prevent installation of recently published packages, protecting against supply chain attacks where malicious versions are quickly published and removed.
## Security Features
- Filters packages at resolution time based on npm publish timestamps
- NEVER allows packages violating the policy, even with exact versions (e.g., "pkg@1.2.3")
- Treats invalid/missing timestamps as brand new packages (fail-safe)
- Strict ISO8601 timestamp validation (exactly 24 chars: YYYY-MM-DDTHH:MM:SS.sssZ)
## Configuration
In bunfig.toml:
```toml
[install]
minimumReleaseAge = 1440 # minutes (24 hours)
minimumReleaseAgeExclude = ["trusted-package", "internal-pkg"]
```
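The policy described above, modelled as an added TypeScript example (not Bun's code and not part of this PR): it applies `minimumReleaseAge` and `minimumReleaseAgeExclude` to the `time` map that an npm registry packument returns (`{ "1.2.3": "2024-05-01T12:00:00.000Z", ... }`), uses the strict 24-character timestamp check, treats invalid or missing timestamps as brand-new, and blocks exact pins the same way as ranges. The function names, the `ReleaseAgePolicy` type and the sample packument are assumptions made for the example.

```typescript
// Added example (not Bun's implementation): reference model of the
// minimumReleaseAge policy applied to an npm packument "time" map.

interface ReleaseAgePolicy {
  minimumReleaseAge: number;          // minutes; 0 disables the policy
  minimumReleaseAgeExclude?: string[]; // package names that bypass the policy
}

// Strict ISO8601: exactly 24 chars, YYYY-MM-DDTHH:MM:SS.sssZ, and parseable.
const STRICT_ISO_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

function parseStrictTimestamp(ts: unknown): number | null {
  if (typeof ts !== "string" || ts.length !== 24 || !STRICT_ISO_RE.test(ts)) {
    return null;
  }
  const ms = Date.parse(ts);
  return Number.isNaN(ms) ? null : ms;
}

// True when the version is old enough to install. A missing or invalid
// timestamp is treated as "published just now" and therefore blocked
// (fail-safe). Exact pins go through the same check, so "pkg@1.2.3" cannot
// bypass the policy.
function isVersionAllowed(
  pkgName: string,
  version: string,
  timeMap: Record<string, unknown>,
  policy: ReleaseAgePolicy,
  nowMs: number = Date.now(),
): boolean {
  if (!policy.minimumReleaseAge || policy.minimumReleaseAge <= 0) return true;
  if (policy.minimumReleaseAgeExclude?.includes(pkgName)) return true;
  const publishedMs = parseStrictTimestamp(timeMap[version]);
  if (publishedMs === null) return false;
  const ageMinutes = (nowMs - publishedMs) / 60_000;
  return ageMinutes >= policy.minimumReleaseAge;
}

// Given candidate versions ordered newest-first (as a resolver would rank
// them), pick the first allowed one and report the newer versions that the
// policy blocked, which is the information a "newer but blocked" warning needs.
function resolveWithPolicy(
  pkgName: string,
  candidatesNewestFirst: string[],
  timeMap: Record<string, unknown>,
  policy: ReleaseAgePolicy,
  nowMs: number = Date.now(),
): { resolved: string | null; blocked: string[] } {
  const blocked: string[] = [];
  for (const v of candidatesNewestFirst) {
    if (isVersionAllowed(pkgName, v, timeMap, policy, nowMs)) {
      return { resolved: v, blocked };
    }
    blocked.push(v);
  }
  return { resolved: null, blocked };
}

// Constructed sample packument "time" map and a fixed "now" for determinism.
const SAMPLE_NOW_MS = Date.parse("2024-05-03T00:00:00.000Z");
const SAMPLE_TIME_MAP: Record<string, unknown> = {
  "1.0.0": "2024-04-01T00:00:00.000Z", // ~32 days old
  "1.0.5": "2024-05-01T12:00:00.000Z", // 36 hours old
  "1.1.0": "2024-05-02T20:00:00.000Z", // 4 hours old
  "1.2.0": "yesterday",                // invalid timestamp -> treated as new
};
const SAMPLE_POLICY: ReleaseAgePolicy = { minimumReleaseAge: 1440 };

function demo(): { resolved: string | null; blocked: string[] } {
  return resolveWithPolicy(
    "pkg",
    ["1.2.0", "1.1.0", "1.0.5", "1.0.0"],
    SAMPLE_TIME_MAP,
    SAMPLE_POLICY,
    SAMPLE_NOW_MS,
  );
}

console.log(demo()); // resolves 1.0.5; 1.2.0 and 1.1.0 are blocked
```

With a 1440-minute policy the resolver skips the four-hour-old 1.1.0 and the version whose timestamp fails validation, and settles on 1.0.5; listing a package in `minimumReleaseAgeExclude` lets the same versions through unchanged.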
## Implementation Details
- Works with: install, add, update, update --interactive, outdated
- Shows warnings when newer versions exist but are blocked
- Clear error messages mentioning minimumReleaseAge when packages are blocked
- Backwards compatible: existing lockfiles continue to work
- Zero performance impact when not configured
## Comparison with pnpm
- Stricter timestamp validation than pnpm (which uses loose Date parsing)
- Fail-safe design: invalid data = maximum restriction
- Explicit blocking of exact versions for maximum security
- Equal or better security in all aspects
Note: Like pnpm, frozen lockfiles created before the policy cannot enforce it since timestamps aren't stored in lockfiles (backwards compatibility constraint).
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>