mirror of
https://github.com/oven-sh/bun
synced 2026-02-15 13:22:07 +00:00
Adds minimumReleaseAge configuration to prevent installation of recently published packages, protecting against supply chain attacks where malicious versions are quickly published and removed.

## Security Features

- Filters packages at resolution time based on npm publish timestamps
- NEVER allows packages violating the policy, even with exact versions (e.g., "pkg@1.2.3")
- Treats invalid/missing timestamps as brand new packages (fail-safe)
- Strict ISO8601 timestamp validation (exactly 24 chars: YYYY-MM-DDTHH:MM:SS.sssZ)

## Configuration

In bunfig.toml:

```toml
[install]
minimumReleaseAge = 1440 # minutes (24 hours)
minimumReleaseAgeExclude = ["trusted-package", "internal-pkg"]
```

## Implementation Details

- Works with: install, add, update, update --interactive, outdated
- Shows warnings when newer versions exist but are blocked
- Clear error messages mentioning minimumReleaseAge when packages are blocked
- Backwards compatible: existing lockfiles continue to work
- Zero performance impact when not configured

## Comparison with pnpm

- Stricter timestamp validation than pnpm (which uses loose Date parsing)
- Fail-safe design: invalid data = maximum restriction
- Explicit blocking of exact versions for maximum security
- Equal or better security in all aspects

Note: Like pnpm, frozen lockfiles created before the policy cannot enforce it since timestamps aren't stored in lockfiles (backwards compatibility constraint).

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
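The resolution rules the commit message lists (strict 24-character timestamp check, fail-safe blocking of invalid or missing timestamps, exact versions treated the same as ranges, the exclude list, and a warning for newer-but-blocked versions) modelled end to end as an added JavaScript example. This is not Bun's implementation and is not taken from the repository; the package names, the registry `time` map, the clock value and every function name below are constructed for illustration.

```javascript
// Added illustration of a minimumReleaseAge policy as described in the commit
// message. Not Bun's code; registry data, names and clock below are constructed.

const MS_PER_MINUTE = 60_000;

// Strict ISO8601 check as described: exactly 24 characters, YYYY-MM-DDTHH:MM:SS.sssZ.
// The toISOString() round-trip is my own extra step: it rejects impossible calendar
// dates (e.g. Feb 30) that a loose Date parser would silently roll over.
function parseStrictTimestamp(value) {
  if (typeof value !== "string" || value.length !== 24) return null;
  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/.test(value)) return null;
  const ms = Date.parse(value);
  if (Number.isNaN(ms) || new Date(ms).toISOString() !== value) return null;
  return ms;
}

// Policy check for one candidate version. `policy` mirrors the bunfig.toml keys:
// { minimumReleaseAge: minutes, minimumReleaseAgeExclude: [package names] }.
function checkReleaseAge(name, version, publishedAt, policy, nowMs) {
  const minAge = policy.minimumReleaseAge ?? 0;
  if (minAge <= 0) return { allowed: true, reason: "policy not configured" };
  if ((policy.minimumReleaseAgeExclude ?? []).includes(name)) {
    return { allowed: true, reason: "package excluded from minimumReleaseAge" };
  }
  const publishedMs = parseStrictTimestamp(publishedAt);
  if (publishedMs === null) {
    // Fail-safe: an invalid or missing timestamp is treated as "published just now".
    return {
      allowed: false,
      reason: `${name}@${version}: invalid or missing publish timestamp, blocked by minimumReleaseAge`,
    };
  }
  const ageMinutes = (nowMs - publishedMs) / MS_PER_MINUTE;
  if (ageMinutes < minAge) {
    return {
      allowed: false,
      reason: `${name}@${version}: published ${Math.floor(ageMinutes)} minutes ago, below minimumReleaseAge=${minAge}`,
    };
  }
  return { allowed: true, reason: "ok" };
}

// Minimal numeric compare for "major.minor.patch" strings (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Pick the newest version that satisfies the policy and report any newer versions
// that were blocked, so the caller can emit the "newer version exists but is blocked" warning.
function resolveWithPolicy(name, times, policy, nowMs) {
  const versions = Object.keys(times).sort(compareVersions);
  let chosen = null;
  const blocked = [];
  for (const v of versions) {
    const verdict = checkReleaseAge(name, v, times[v], policy, nowMs);
    if (verdict.allowed) chosen = v;
    else blocked.push({ version: v, reason: verdict.reason });
  }
  const blockedNewer = blocked.filter(
    (b) => chosen === null || compareVersions(b.version, chosen) > 0,
  );
  return { version: chosen, blockedNewer };
}

// Constructed packument "time" data (same shape as npm's version -> timestamp map).
const EXAMPLE_TIMES = {
  "1.0.0": "2024-12-01T00:00:00.000Z",
  "1.0.1": "2025-01-09T00:00:00.000Z", // 36 h before NOW: allowed at 1440 minutes
  "1.1.0": "2025-01-10T06:00:00.000Z", // 6 h before NOW: blocked
  "1.1.1": "2025-01-10T11:30:00Z",     // 20-char loose timestamp: fail-safe block
};
const NOW = Date.parse("2025-01-10T12:00:00.000Z"); // constructed fixed clock
const POLICY = { minimumReleaseAge: 1440, minimumReleaseAgeExclude: ["internal-pkg"] };

function demo() {
  const result = resolveWithPolicy("example-pkg", EXAMPLE_TIMES, POLICY, NOW);
  console.log(`resolved example-pkg@${result.version}`);
  for (const b of result.blockedNewer) console.log(`warning: ${b.reason}`);
  // An exact request for a too-new version is refused with the same reason text.
  console.log(checkReleaseAge("example-pkg", "1.1.0", EXAMPLE_TIMES["1.1.0"], POLICY, NOW).reason);
  return result;
}

demo();
```

With the constructed data and a 1440-minute policy the resolver settles on 1.0.1 and reports 1.1.0 (too recent) and 1.1.1 (timestamp not in the strict 24-character form) as blocked; the same `checkReleaseAge` call refuses an exact `example-pkg@1.1.0` request, and a package listed in `minimumReleaseAgeExclude` passes regardless of age.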