Based on the article by Dani Akash, "Minimum Release Age is an Underrated Supply Chain Defense": configuring your package managers to delay installing newly published packages by 7 days is a highly effective defense against malicious supply chain attacks.
Below are the global configuration snippets and file paths for all major operating systems.
Bun uses seconds for its configuration (7 days = 604,800 seconds).
File Paths:
- macOS / Linux: ~/.bunfig.toml
- Windows: %USERPROFILE%\.bunfig.toml
Configuration:
[install]
minimumReleaseAge = 604800
npm uses days for its configuration.
File Paths:
- macOS / Linux: ~/.npmrc
- Windows: %USERPROFILE%\.npmrc
Configuration:
min-release-age=7
pnpm uses minutes for its configuration (7 days = 10,080 minutes). Do not use pnpm-workspace.yaml for global setups; use the global config file instead.
File Paths:
- macOS / Linux: ~/.config/pnpm/config.yaml
- Windows: %LOCALAPPDATA%\pnpm\config\config.yaml
Configuration:
minimumReleaseAge: 10080
Yarn uses a duration string.
File Paths:
- macOS / Linux: ~/.yarnrc.yml
- Windows: %USERPROFILE%\.yarnrc.yml
Configuration:
npmMinimalAgeGate: "7d"
uv uses a duration string. Do not use pyproject.toml for global setups; use the user config file. In uv.toml the setting is a top-level key: the [tool.uv] table is only used inside pyproject.toml, and uv rejects it in uv.toml.
File Paths:
- macOS / Linux: ~/.config/uv/uv.toml
- Windows: %APPDATA%\uv\uv.toml
Configuration:
# top-level key in uv.toml; do not wrap it in a [tool.uv] table here
exclude-newer = "7d"
Because Deno handles this via CLI flags rather than config files, you must add a shell alias or function to your profile to enforce it globally.
File Paths:
- macOS / Linux: ~/.bashrc or ~/.zshrc
- Windows (PowerShell): $PROFILE
Configuration (Bash/Zsh):
alias deno-update="deno update --minimum-dependency-age=7d"
Configuration (PowerShell):
function deno-update { deno update --minimum-dependency-age=7d $args }
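To make concrete what all of the settings above do, here is an added example (not from the article or from any of the package managers) that models the age gate against a constructed registry record: the npm registry's packument carries a "time" map of version to publish timestamp, and the gate hides versions younger than the threshold, resolving to the newest version that remains. The package name, timestamps and the exact resolution rule are assumptions for illustration; each manager's real resolver has its own details.

```javascript
// Constructed sample, shaped like the "time" field of a registry packument.
const SAMPLE_PACKUMENT = {
  name: "example-lib", // constructed package name
  "dist-tags": { latest: "2.0.0" },
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-03-10T12:00:00.000Z",
    "1.0.0": "2025-01-01T00:00:00.000Z",
    "1.1.0": "2025-02-01T00:00:00.000Z",
    "2.0.0": "2025-03-10T12:00:00.000Z", // "latest", but only two days old
  },
};

const UNIT_MS = { s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 };

// Accepts the units the configs above use: "7d", "10080m", "604800s" (and "168h").
function parseMinimumAge(spec) {
  const m = /^(\d+)\s*([smhd])$/.exec(String(spec).trim());
  if (!m) throw new Error(`unsupported duration: ${spec}`);
  return Number(m[1]) * UNIT_MS[m[2]];
}

// Versions published at or before (now - minAge); "created"/"modified" are metadata.
function eligibleVersions(packument, minAgeMs, now = Date.now()) {
  const cutoff = now - minAgeMs;
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, publishedAt]) => Date.parse(publishedAt) <= cutoff)
    .map(([version]) => version);
}

// Numeric x.y.z comparison; prereleases are filtered out before this is called.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version that passes the gate, or null when every version is too new.
function resolveWithAgeGate(packument, spec, now = Date.now()) {
  const ok = eligibleVersions(packument, parseMinimumAge(spec), now)
    .filter((v) => /^\d+\.\d+\.\d+$/.test(v))
    .sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Two days after 2.0.0 was published, a 7d gate still resolves to 1.1.0.
console.log(resolveWithAgeGate(SAMPLE_PACKUMENT, "7d", Date.parse("2025-03-12T00:00:00Z")));
```

The same logic explains the "7 days" trade-off: a malicious version published and pulled within the window never becomes installable, while a legitimate release is simply picked up a week late.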