[tjansen]

I wonder whether there is any tool that can prevent npm from downloading any package that has been published in the last month. While I miss out on possible fixes, this would prevent downloading some 3rd level dep that takes over my machine.

[backwardsponcho]

NPM seems to have introduced the flag `minimumReleaseAge` for this exact purpose. However even though are many recent references to it[0][1][2] I don't see it anywhere in the NPM documentation.

[0] https://news.ycombinator.com/item?id=47513932

[1] https://github.com/npm/cli/issues/8570

[2] https://socket.dev/blog/npm-introduces-minimumreleaseage-and...

[lmiller1990]

pnpm has this, I think others may also have something similar.

https://pnpm.io/settings#minimumreleaseage

[janekies]

pnpm has added a new setting, minimumReleaseAge, enabled by default, just to try to mitigate these issues.