by tobyhinloopen 4 days ago
Min Release Age of 7-30 days covers the majority of potential issues with 0 effort.

All major Node package managers should support it by now.

pnpm was the best IIRC, yarn second, but even npm is catching up


We’re using an internal package repository that acts as a gateway to the public package repositories, except it can have custom rules such as “min release age 30 days”, and can also give logs about which projects have actually downloaded a specific version.
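The gating logic both comments rely on (a package manager's minimum release age, or an internal registry proxy enforcing "min release age 30 days") reduces to one check over the registry's packument: the `time` map of version to publish timestamp. The example below is added here and is not code from either commenter or from any package manager; the packument is constructed inline, the function names are illustrative, and the only assumption is the public npm packument layout (`versions`, `dist-tags`, `time`). It shows why a fresh `latest` gets refused and how the gate falls back to the newest version that is old enough, rather than failing the install outright.

```python
"""Minimum-release-age gate over an npm packument (added example, not from the thread).

Assumes the public npm packument layout: a "versions" map of still-published
versions, "dist-tags", and a "time" map of version -> ISO-8601 publish time
(plus the "created"/"modified" bookkeeping keys). The packument below is
constructed for the example; the function names are illustrative.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic offline.
NOW = datetime(2025, 9, 20, 12, 0, tzinfo=timezone.utc)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


# Constructed sample: 2.0.1 (the current "latest") was pushed one day ago,
# 2.0.0 is 20 days old, 1.9.3 is 90 days old. 1.9.2 was unpublished, so it
# still appears in "time" but no longer in "versions".
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.0.1"},
    "versions": {"1.9.3": {}, "2.0.0": {}, "2.0.1": {}},
    "time": {
        "created": _iso(NOW - timedelta(days=400)),
        "modified": _iso(NOW - timedelta(days=1)),
        "1.9.2": _iso(NOW - timedelta(days=120)),
        "1.9.3": _iso(NOW - timedelta(days=90)),
        "2.0.0": _iso(NOW - timedelta(days=20)),
        "2.0.1": _iso(NOW - timedelta(days=1)),
    },
}

# Keys in the "time" map that are not versions.
_NON_VERSION_KEYS = {"created", "modified"}


def parse_time(s):
    """Parse an npm registry timestamp such as 2025-09-19T12:00:00.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_prerelease(version):
    return "-" in version


def semver_key(version):
    """Sort key for plain MAJOR.MINOR.PATCH strings (prereleases are filtered out first)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(packument, min_age, now):
    """Stable, still-published versions whose publish time is at least min_age before now."""
    out = []
    for version, published in packument["time"].items():
        if version in _NON_VERSION_KEYS:
            continue
        if version not in packument["versions"]:  # unpublished: never install
            continue
        if is_prerelease(version):
            continue
        if now - parse_time(published) >= min_age:
            out.append(version)
    return sorted(out, key=semver_key)


def is_allowed(packument, version, min_age_days, now=None):
    """Would a proxy with this minimum release age serve `version`?"""
    now = now or datetime.now(timezone.utc)
    return version in eligible_versions(packument, timedelta(days=min_age_days), now)


def resolve(packument, min_age_days, now=None):
    """Newest version that passes the gate, or None if nothing is old enough yet."""
    now = now or datetime.now(timezone.utc)
    ok = eligible_versions(packument, timedelta(days=min_age_days), now)
    return ok[-1] if ok else None


if __name__ == "__main__":
    latest = SAMPLE_PACKUMENT["dist-tags"]["latest"]
    for days in (7, 30, 365):
        print(f"min age {days:>3}d: latest {latest} allowed={is_allowed(SAMPLE_PACKUMENT, latest, days, NOW)}"
              f" -> resolves to {resolve(SAMPLE_PACKUMENT, days, NOW)}")
```

Two behaviours matter when you put this in front of thousands of services: a version that was unpublished is rejected even if its timestamp is old, because the attack the gate defends against is often caught and pulled within the window, and the gate returns the newest old-enough version instead of an error, so a lockfile update keeps working while a one-day-old release waits out the quarantine.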

It’s so much overhead and auditing to enforce compliance across the thousands of node microservices though.

That’s a great idea. Maybe use Claude Code with some OWASP knowledge to sweep through them and see if there’s anything obvious?