Stop Installing Packages the Second They're Published

We’ve all seen the recent supply-chain attacks on packages like axios, Next.js, and TanStack.

I’m sure these won’t be the last. Thankfully, many of these compromised releases were detected within hours. And every major JavaScript package manager has now shipped a way to enforce a simple cooldown: a minimum age a newly published version must reach before it will be installed.

(I’m assuming these changes came about because of the recent attacks?)

A Simple Fix: Set a Minimum Release Age

Every major JavaScript package manager now supports this. They all shipped the feature within six months of each other, but each chose a different config name and a different unit, so copying a value from one manager’s docs to another’s config silently gives you the wrong cooldown.

A minimum age is not a guarantee. It only helps when a malicious version is reported and pulled before the cooldown expires, and it does nothing for a compromised version that is already in your lockfile. It is, however, a cheap baseline: it keeps the most dangerous window, the first hours after publication, out of your installs.

Quick Reference

Manager   File                   Example (3 days)
pnpm      pnpm-workspace.yaml    minimumReleaseAge: 4320
Yarn      .yarnrc.yml            npmMinimalAgeGate: "3d"
Bun       bunfig.toml            minimumReleaseAge = 259200
npm       .npmrc                 min-release-age=3

Set it to 3–7 days, and move on.
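To make the behaviour concrete, here is an added example (not code from the post or from any of the package managers) that simulates what a release-age gate does to version resolution. The registry document for `example-lib`, its publish timestamps, and the fixed "now" are constructed for the example; semver handling is deliberately limited to caret ranges so the script runs with no dependencies, whereas the real managers use full semver. It also emits the same cooldown in each manager’s native unit, which is where most copy-paste mistakes happen.

```javascript
// Added example: simulate a "minimum release age" gate against registry metadata.
// Package name, versions, timestamps and NOW are all constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// The same cooldown, expressed in each manager's unit (from the post's quick
// reference): pnpm minutes, Yarn minutes or a duration string, Bun seconds, npm days.
function cooldownSettings(days) {
  return {
    pnpm: { file: "pnpm-workspace.yaml", key: "minimumReleaseAge", value: days * 1440 },
    yarn: { file: ".yarnrc.yml", key: "npmMinimalAgeGate", value: `${days}d` },
    bun: { file: "bunfig.toml", key: "minimumReleaseAge", value: days * 86400 },
    npm: { file: ".npmrc", key: "min-release-age", value: days },
  };
}

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Minimal caret range: ^x.y.z allows >= x.y.z and < (x+1).0.0 (x > 0 only).
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, "");
  return (
    parseVersion(version).major === parseVersion(base).major &&
    compareVersions(version, base) >= 0
  );
}

// The gate: a version is eligible only if its publish time is at least
// minAgeDays before `now`. Returns the highest eligible in-range version, or
// null when every in-range version is still too young (the install should
// then fail or wait rather than silently pick something outside the range).
function resolveWithCooldown(registryDoc, range, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const eligible = Object.keys(registryDoc.versions)
    .filter((v) => satisfiesCaret(v, range))
    .filter((v) => {
      const published = registryDoc.time[v];
      return published !== undefined && Date.parse(published) <= cutoff;
    })
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Constructed registry document, shaped like the npm registry's `versions` and
// `time` fields. 1.4.0 was published two hours before NOW: the case a cooldown
// is meant to keep out of your install.
const NOW = new Date("2026-03-10T12:00:00Z");
const EXAMPLE_LIB = {
  name: "example-lib",
  "dist-tags": { latest: "1.4.0" },
  versions: { "1.2.0": {}, "1.3.0": {}, "1.3.1": {}, "1.4.0": {} },
  time: {
    "1.2.0": "2026-01-05T09:00:00Z",
    "1.3.0": "2026-02-20T15:30:00Z",
    "1.3.1": "2026-03-06T08:00:00Z", // just over 4 days old
    "1.4.0": "2026-03-10T10:00:00Z", // 2 hours old
  },
};

// Without a gate ^1.2.0 picks the brand-new 1.4.0; a 3-day gate falls back to
// 1.3.1; a 7-day gate rejects 1.3.1 as well and lands on 1.3.0.
for (const days of [0, 3, 7]) {
  console.log(`${days}d gate, ^1.2.0 ->`, resolveWithCooldown(EXAMPLE_LIB, "^1.2.0", days, NOW));
}
console.log("3d gate, ^1.4.0 ->", resolveWithCooldown(EXAMPLE_LIB, "^1.4.0", 3, NOW));
console.log(cooldownSettings(3));
```

The `^1.4.0` case is the one to notice: when every version that satisfies the range is younger than the cooldown, there is nothing to resolve to, which is the moment you either wait or add a per-package exclusion.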

Here are more details about how to set it up in each one.

pnpm

pnpm was first, shipping minimumReleaseAge in v10.16 (September 2025). As of pnpm 11, it defaults to 1 day. It’s the only package manager that enables this out of the box.

The value is in minutes.

pnpm-workspace.yaml
minimumReleaseAge: 10080 # 7 days
minimumReleaseAgeExclude: # if you want to exclude certain packages
- '@yourorg/*'
- webpack

pnpm docs →

Yarn

Yarn shipped npmMinimalAgeGate in v4.10.0 (September 2025). It accepts either raw minutes or a duration string. The exclusion list (npmPreapprovedPackages) accepts glob patterns and exact locators, so you can preapprove a specific version rather than a whole package, which pnpm’s name-and-pattern list cannot express.

The value is in minutes or a duration string.

.yarnrc.yml
npmMinimalAgeGate: "7d"
npmPreapprovedPackages: # if you want to exclude certain packages
- '@yourorg/*'
- typescript

Yarn docs →

Bun

Bun added minimumReleaseAge in v1.3 (October 2025). Bun’s own repo uses it set to 3 days.

The value is in seconds.

bunfig.toml
[install]
minimumReleaseAge = 604800 # 7 days
# Packages that bypass the gate
minimumReleaseAgeExcludes = ["@types/bun", "typescript"]

Bun docs →

Some common durations in seconds:

  • 604800 (7 days)
  • 259200 (3 days)
  • 86400 (1 day)

npm

npm shipped min-release-age in v11.10.0 (February 2026). It’s the simplest to configure, but it doesn’t yet have a built-in exclusion mechanism, so the gate applies to every package, including your own internal ones.

The value is in days.

.npmrc
min-release-age=7

npm docs →