by zwily 12 days ago
Even if everyone used it, the security scanners would still have time to do their static analysis of new packages. Basically, all the clients implementing a delay would create a de facto quarantine status for new packages so they can be examined before everyone starts installing them. (Why npm doesn't just implement that themselves, I do not know.)
1 comments

Then shouldn’t the analyzers just be part of npm’s acceptance requirements?
I think if they did it, then attackers would be able to iterate their attack against their own project, and once it passes the filters they could deploy for real.

I guess it could work better if it were enabled only for projects that are actual attack vectors.

That’s my point. For whatever reason, npm isn’t doing it. All npm users adding a minimum package age is kind of like doing it as a collective, without npm’s help.
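A client-side minimum-package-age check of the kind the thread describes, written here as an added example (it is not code from the thread, from npm, or from any package manager). It assumes a constructed registry-style packument whose `time` map carries one ISO-8601 publish timestamp per version plus the `created`/`modified` bookkeeping keys, and it uses a simplified semver ordering; it picks the newest version older than the cutoff and reports the younger ones as quarantined, ignoring the `latest` dist-tag entirely.

```python
from datetime import datetime, timedelta, timezone

# Constructed packument shaped like the registry's /<name> document (sample data).
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.0.0"},  # deliberately not consulted below
    "time": {
        "created": "2023-01-01T00:00:00.000Z",
        "modified": "2024-06-10T12:00:00.000Z",
        "1.0.0": "2023-01-01T00:00:00.000Z",
        "1.1.0": "2024-05-20T09:30:00.000Z",
        "2.0.0-rc.1": "2024-06-01T08:00:00.000Z",
        "2.0.0": "2024-06-10T12:00:00.000Z",  # freshly published
    },
}
NOW = datetime(2024, 6, 12, tzinfo=timezone.utc)  # fixed "current time" for the demo


def parse_publish_time(iso):
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def semver_key(version):
    # Simplified semver: X.Y.Z with an optional -prerelease suffix.
    core, _, pre = version.partition("-")
    major, minor, patch = (int(p) for p in core.split("."))
    # A prerelease of X.Y.Z sorts below the X.Y.Z release itself.
    return (major, minor, patch, pre == "", pre)


def choose_version(packument, now, min_age_days, allow_prerelease=False):
    """Return (newest version at least min_age_days old, [versions still quarantined])."""
    cutoff = now - timedelta(days=min_age_days)
    eligible, quarantined = [], []
    for version, published in packument["time"].items():
        if version in ("created", "modified"):
            continue  # bookkeeping keys, not versions
        if "-" in version and not allow_prerelease:
            continue  # prereleases are never auto-selected
        bucket = eligible if parse_publish_time(published) <= cutoff else quarantined
        bucket.append(version)
    chosen = max(eligible, key=semver_key) if eligible else None
    return chosen, sorted(quarantined, key=semver_key)


if __name__ == "__main__":
    print(choose_version(SAMPLE_PACKUMENT, NOW, min_age_days=7))
```

With a 7-day minimum age the 2.0.0 release published two days ago stays quarantined and 1.1.0 is selected, even though `latest` already points at 2.0.0.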