Comment by 10000truths

What I'm saying is that the policy should be enforced server-side. So you block the npm registry in the company firewall, and set up a company-specific registry that acts as a blessed proxy to the npm registry but enforces your desired policies. For example, if you configure your registry to refuse to pull packages published less than a week ago, then it doesn't matter if a client disables dependency cooldowns in their npm config - they still won't be able to "npm install totally-new-not-a-virus-pkg".

People can still bypass these measures if they're determined enough (offline package installs, vendoring dependencies, etc.) but making circumvention impossible to do accidentally and inconvenient to do deliberately solves the problem 99% of the way.