Protect Dependency Installs from Supply-Chain Attacks with a Release-Age Buffer

After the litellm incident on PyPI, and then axios on npm, I came across this trick on Twitter: configure your package manager to reject dependency releases that are too new.

`uv`

# ~/.config/uv/uv.toml
exclude-newer = "7 days"

`npm`

# ~/.npmrc
min-release-age=7 # days
ignore-scripts=true

`bun`

# ~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # seconds

References

TIL: uv settings after litellm

uv

npm

bun

Related Notes

References

`uv`

`npm`

`bun`