Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
In light of the recent cline2.3 injection attack I would like to propose that the default of "min-release-age" be set to seven days.
(see GHSA-9ppg-jx86-fqw7 and https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another)
Per https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns the majority of compromised/malicious NPM packages are detected and remediated within hours or a small number of days.
While anyone can set that number to whatever they want, I believe that defaulting min-release-age to a generous safety margin would effectively mitigate a great deal of ecosystem risk at negligible cost.
Expected Behavior
No response
Steps To Reproduce
No response
Environment
No response
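As an added illustration of the cooldown this issue proposes (example code written for this page, not npm's own implementation), the function below resolves a package against a release-age window using the `time` map an npm registry packument carries (version to ISO publish timestamp, plus the `created`/`modified` keys). The packument data and dates are constructed for the demo.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Strict x.y.z only; pre-release tags are left out to keep the example short.
const RELEASE_RE = /^\d+\.\d+\.\d+$/;

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { version, heldBack }: `version` is the newest release published at
// least minReleaseAgeDays before nowMs (null if none qualifies); `heldBack`
// lists the releases still inside the cooldown window, i.e. the ones a
// freshly compromised publish would typically fall into.
function resolveWithCooldown(timeMap, nowMs, minReleaseAgeDays) {
  const cutoff = nowMs - minReleaseAgeDays * MS_PER_DAY;
  const releases = Object.keys(timeMap)
    .filter((k) => RELEASE_RE.test(k)) // skips "created" / "modified"
    .sort(compareVersions);
  const eligible = releases.filter((v) => Date.parse(timeMap[v]) <= cutoff);
  const heldBack = releases.filter((v) => Date.parse(timeMap[v]) > cutoff);
  return { version: eligible.length ? eligible[eligible.length - 1] : null, heldBack };
}

// Constructed sample packument `time` map; versions and dates are invented.
const SAMPLE_TIME = {
  created: '2025-01-10T00:00:00.000Z',
  modified: '2025-11-23T09:00:00.000Z',
  '2.2.0': '2025-06-01T00:00:00.000Z',
  '2.3.0': '2025-11-20T00:00:00.000Z',
  '2.3.1': '2025-11-23T09:00:00.000Z', // published three hours before "now"
};
const NOW_MS = Date.parse('2025-11-23T12:00:00.000Z');

// Compare today's default (0 days) with the proposed seven-day default.
for (const days of [0, 7]) {
  const r = resolveWithCooldown(SAMPLE_TIME, NOW_MS, days);
  console.log(`min-release-age=${days}: install ${r.version}, held back ${JSON.stringify(r.heldBack)}`);
}
```

With a zero-day window the hours-old 2.3.1 is installed immediately; with seven days both recent releases stay held back and 2.2.0 is chosen until they age past the window.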