@tom-ricci
Forked from mcollina/guide.md
Last active June 1, 2026 15:07

Configuring minimum release age across npm, pnpm, yarn, and bun

Setting a minimum release age (a "cooldown") on dependencies is a cheap, high-leverage defense against supply-chain attacks. Most malicious package versions are detected and yanked within hours, so a 24-hour delay filters out the smash-and-grab incidents (axios 1.14.1, ua-parser-js, Solana web3.js, etc.).

All four major Node.js package managers now support this, but each uses a different setting name and a different unit. Here is what you need.

Minimum versions

| Tool | Setting | Unit | Introduced in |
|------|---------|------|---------------|
| npm | min-release-age | days | npm CLI 11.10.0 (Feb 2026) |
| pnpm | minimumReleaseAge | minutes | pnpm 10.16 (Sep 2025); default 1440 since pnpm 11.0 |
| Yarn | npmMinimalAgeGate | minutes | Yarn Berry 4.10.0 |
| Bun | minimumReleaseAge | seconds | Bun 1.3.0 |

npm — per-project

Add to .npmrc in the project root:

min-release-age=1

The value is in days. Do not combine it with --before in the same invocation; npm errors out if both are present. Depending on the version of the npm CLI you're running, you may receive a warning such as:

npm warn Unknown project config "min-release-age". This will stop working in the next major version of npm.

This is normal. min-release-age will still work.

npm — locally (user-wide)

npm config set min-release-age 1 --location=user

This writes to ~/.npmrc. Use --location=global if you want it in the global npm config instead.

pnpm — per-project

Put it in pnpm-workspace.yaml (this is the canonical place since pnpm 11; in earlier versions .npmrc also works):

minimumReleaseAge: 1440

Optional, if you have internal packages you want to bypass the gate:

minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - '@platformatic/*'

If you're still on pnpm 10.x, the .npmrc form is:

minimum-release-age=1440

Heads-up: on pnpm 10.x there's a known bug where minimumReleaseAge is silently ignored if any package in the workspace has shared-workspace-lockfile=false in its .npmrc (pnpm/pnpm#10008). Worth checking.

pnpm — locally (user-wide)

pnpm config set minimumReleaseAge 1440 --location=user

On pnpm 11+, non-auth settings like this go into ~/.config/pnpm/config.yaml rather than ~/.npmrc.

Yarn (Berry 4.10+) — per-project

In .yarnrc.yml:

npmMinimalAgeGate: 1440

If you have packages that must bypass the gate:

npmMinimalAgeGate: 1440
npmPreapprovedPackages:
  - "@platformatic/*"

npmPreapprovedPackages accepts both glob patterns and exact locators (e.g. @aws-sdk/types@3.877.0), which is more flexible than pnpm's package-name-only exclusions.

Note: the docs say you can use duration strings like "7d", but there's a known parsing bug (yarnpkg/berry#6991) where day suffixes were silently ignored. Until that's resolved everywhere, just use minutes as a number. Setting cooldown to 1 day = npmMinimalAgeGate: 1440.

Yarn — locally (user-wide)

yarn config set --home npmMinimalAgeGate 1440

--home writes to ~/.yarnrc.yml instead of the project-local file.

Bun — per-project

Add the cooldown to bunfig.toml:

[install]
minimumReleaseAge = 86400

The value is in seconds. Setting cooldown to 1 day = minimumReleaseAge = 86400.

If you have packages that must bypass the gate, use minimumReleaseAgeExcludes:

[install]
minimumReleaseAge = 86400
minimumReleaseAgeExcludes = ["@types/node", "typescript"]

Bun — locally (user-wide)

Bun doesn't yet support user-wide configuration, but there is an open PR for it (oven-sh/bun#28727). Once that gets merged, you can set your minimum release age locally with the same bunfig.toml you'd use in a repo.
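Because the four tools express the same cooldown in days, minutes and seconds, a value copied from one config into another can silently enforce a far shorter window. The following added example (not part of the original gist) reads each tool's config file, normalises the setting to seconds and flags anything below a 24-hour floor. The file contents are constructed samples; the bun file deliberately reuses pnpm's 1440 so the unit mix-up is caught.

```python
import re

# Key name, unit and unit-in-seconds for each package manager, per the table above.
SETTINGS = {
    "npm":  ("min-release-age",   "days",    86400),
    "pnpm": ("minimumReleaseAge", "minutes", 60),
    "yarn": ("npmMinimalAgeGate", "minutes", 60),
    "bun":  ("minimumReleaseAge", "seconds", 1),
}

def read_setting(tool, config_text):
    """Return the raw number after the tool's cooldown key, or None if unset.
    .npmrc uses key=value; pnpm-workspace.yaml and .yarnrc.yml use key: value;
    bunfig.toml uses key = value. The key must end right before the separator,
    so minimumReleaseAgeExclude(s) is never mistaken for the gate itself."""
    key = SETTINGS[tool][0]
    m = re.search(rf"^\s*{re.escape(key)}\s*[:=]\s*(\d+)\s*$", config_text, re.M)
    return int(m.group(1)) if m else None

def cooldown_seconds(tool, config_text):
    """Normalise the configured value to seconds using the tool's own unit."""
    raw = read_setting(tool, config_text)
    return None if raw is None else raw * SETTINGS[tool][2]

def check_cooldowns(configs, required_seconds=86400):
    """configs maps tool name -> config file text. Returns tool -> (seconds, verdict)."""
    report = {}
    for tool, text in configs.items():
        secs = cooldown_seconds(tool, text)
        if secs is None:
            verdict = "missing"
        elif secs < required_seconds:
            verdict = "too short"
        else:
            verdict = "ok"
        report[tool] = (secs, verdict)
    return report

# Constructed sample config files (not taken from any real repository). The bun
# file reuses pnpm's 1440 without converting units, so it only enforces 24 minutes.
SAMPLE_CONFIGS = {
    "npm":  "registry=https://registry.npmjs.org/\nmin-release-age=1\n",
    "pnpm": "packages:\n  - 'packages/*'\nminimumReleaseAge: 1440\n"
            "minimumReleaseAgeExclude:\n  - '@platformatic/*'\n",
    "yarn": "nodeLinker: node-modules\nnpmMinimalAgeGate: 1440\n",
    "bun":  "[install]\nminimumReleaseAge = 1440\nminimumReleaseAgeExcludes = [\"typescript\"]\n",
}

if __name__ == "__main__":
    for tool, (secs, verdict) in check_cooldowns(SAMPLE_CONFIGS).items():
        print(f"{tool:5s} {SETTINGS[tool][0]:18s} -> {secs} s: {verdict}")
```

Run it from the repository root against the real files (read each one into the dict in place of the samples) to confirm every tool you use enforces the same window.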

A few caveats worth knowing

The cooldown is enforced at install time, not at update-suggestion time. If you're using Renovate or Dependabot, configure their minimumReleaseAge / cooldown independently — otherwise they'll keep opening PRs you can't actually install. Renovate 42's config:best-practices preset already sets a 3-day default for npm; Dependabot's cooldown.default-days is the equivalent.

None of these tools currently let you scope the gate per registry, so internal packages from a private registry get held back along with everything else unless you put them in the exclusion list (npm doesn't have one yet — there's an open issue, npm/cli#8994).

The defaults will likely shift soon: pnpm 11 already turned this on by default at 1440 minutes, and npm CLI v12 is expected to do the same. Setting it explicitly now means your config keeps working unchanged when defaults move.
