Comment by postalcoder
2 days ago
FYI, npm/bun/pnpm/uv now all support setting a minimum release age for packages.
I updated my global configs to set min release age to 7 days:
~/.config/uv/uv.toml
exclude-newer = "7 days"
~/.npmrc
min-release-age=7 # days
~/Library/Preferences/pnpm/rc
minimum-release-age=10080 # minutes
~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # seconds
Do you know if there is a way to override this specifically when I want to install a security patch? UV just claims that the package doesn't exist if I ask for a new version.
Yes there is. You can use those configs as flags in the CLI to override the global config.
eg:
uv also has --exclude-newer-package which I think can be used for overriding just a certain package.
https://docs.astral.sh/uv/reference/cli/#uv-run--exclude-new... https://docs.astral.sh/uv/reference/settings/#exclude-newer-...
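Added example, not code from the thread or from any of the package managers above: the same minimum-release-age rule applied to the `time` field of an npm packument, plus a per-version override in the spirit of `--exclude-newer-package` so a single patch can be let through without disabling the rule. The registry data is a constructed sample and the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a packument's `time` object: one timestamp per
# version, plus the non-version keys `created` and `modified` that the
# registry also puts in this map (they must be skipped, not treated as versions).
SAMPLE_TIME = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-03-10T12:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-02-20T09:30:00.000Z",
    "1.1.1": "2024-03-10T12:00:00.000Z",
}
NOW = datetime(2024, 3, 14, tzinfo=timezone.utc)  # fixed clock for a reproducible run
SEVEN_DAYS = timedelta(days=7)
PATCH_OVERRIDE = {"1.1.1": timedelta(0)}  # hypothetical: allow this one release immediately
NON_VERSION_KEYS = {"created", "modified"}


def parse_ts(ts: str) -> datetime:
    # Registry timestamps end in "Z"; older Pythons only accept "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def eligible_versions(time_field, min_age, now, overrides=None):
    """Return versions published at least `min_age` before `now`.

    `overrides` maps a version to a shorter required age (timedelta(0) lets
    it through at once), mirroring a per-package override rather than a
    global opt-out.
    """
    overrides = overrides or {}
    ok = []
    for version, ts in time_field.items():
        if version in NON_VERSION_KEYS:
            continue
        required = overrides.get(version, min_age)
        if now - parse_ts(ts) >= required:
            ok.append(version)
    return ok


def pick_latest(versions):
    # Compare numeric components so "1.10.0" sorts after "1.9.0" (no pre-release tags here).
    key = lambda v: tuple(int(p) for p in v.split("."))
    return max(versions, key=key) if versions else None


if __name__ == "__main__":
    print("default:", pick_latest(eligible_versions(SAMPLE_TIME, SEVEN_DAYS, NOW)))
    print("override:", pick_latest(eligible_versions(SAMPLE_TIME, SEVEN_DAYS, NOW, PATCH_OVERRIDE)))
```

With the sample data the 7-day rule resolves to 1.1.0, and only the explicit override for 1.1.1 makes the 3.5-day-old release installable.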
I understand that this is a good idea but it does feel really weird. Add a min-release-age to see if anyone who doesn't gets bitten.
Next up, we're going to advise a minimum-release-age of 14 days, cause most other projects use 7 days.
The minimum-release-age heuristic is certainly helpful as it theoretically gives the community a chance to identify the issue. Of course, in practice, these things aren't scanned or analyzed the way they should ideally be, which is a deeper issue. Pinning has definitely saved me on more than one occasion, but it doesn't strike at the root of the issue.
You don't have to outrun the bear, just the other guy.
Wouldn't this just be a case of the bear catching one guy and then catching the other guy (especially if the issue was unnoticed altogether after the set number of days)?
There will always be early adopters.
And maybe more importantly: security tools and researchers.
I don't think the syntax is correct for pnpm.
Works for me?
You could also set the config this way:
You may be thinking about the project-specific config, which uses YAML.
https://pnpm.io/cli/config