Show HN: DepsGuard – one command to harden NPM/pnpm/yarn/bun/uv configs
7 hours ago (github.com)
I kept seeing every npm/pnpm/yarn/bun/uv supply chain post end with the same advice (set a minimum release age, turn off install scripts), and while I know cooldowns are "controversial", they do work. But even if you convince people that they should set cooldowns, it seems many don't end up following through. Not sure why; maybe because it means hand-editing five config files in five formats with five different time units, or perhaps the "it won't happen to me" syndrome (or "I'll do it later, it seems complicated", when it's actually very simple). So I created a tool that checks what you have set and fixes it for you. I looked for an existing one first and couldn't find it. It started as a small weekend project and turned into a small research project on the nuances of cooldowns across package managers. Not a proof of P vs NP, but a small convenience that can save you and your loved ones from the next supply chain attack. I've raised this in a couple of HN threads since (https://github.com/arnica/depsguard; full settings table and FAQ at depsguard.com).
Is this overkill that could have been a shell script? Probably yes (but I wanted Windows support, why not).
Did it save someone from a supply chain attack? Also probably yes.
Do I personally know someone who, without it, wouldn't have bothered changing their settings after being asked repeatedly, but eventually did when I gave them depsguard? Absolutely yes.
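To make the "five formats, five time units" point concrete, here is a small audit script (an added example, not depsguard's own code) that normalises a target cooldown to seconds and checks three of the config files mentioned in the post: `.npmrc` for `ignore-scripts=true`, `pnpm-workspace.yaml` for `minimumReleaseAge` (assumed to be in minutes), and `bunfig.toml` for `[install] minimumReleaseAge` (assumed to be in seconds). The key names and units are my reading of each tool's documentation, and the sample configs are constructed; the yarn and uv checks are left out because the post does not spell out their settings.

```python
import re

# Desired cooldown, expressed once in days (constructed value for the example).
TARGET_DAYS = 7

def npmrc_ignore_scripts(text: str) -> bool:
    """True if an .npmrc body sets ignore-scripts=true (ini-style; ';' and '#' start comments)."""
    for line in text.splitlines():
        for sep in ("#", ";"):
            line = line.split(sep, 1)[0]
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "ignore-scripts":
                return val.lower() == "true"
    return False

def pnpm_cooldown_seconds(text: str) -> int:
    """minimumReleaseAge from pnpm-workspace.yaml text; assumed unit: minutes."""
    m = re.search(r"^\s*minimumReleaseAge:\s*(\d+)", text, re.M)
    return int(m.group(1)) * 60 if m else 0

def bun_cooldown_seconds(text: str) -> int:
    """minimumReleaseAge from bunfig.toml text; assumed unit: seconds.
    Simplified: a regex instead of a TOML parser, so the key is matched wherever it appears."""
    m = re.search(r"^\s*minimumReleaseAge\s*=\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else 0

def audit(npmrc: str, pnpm_yaml: str, bunfig: str, target_days: int = TARGET_DAYS) -> dict:
    """Compare every manager's setting against one target, after unit normalisation."""
    target = target_days * 86400
    return {
        "npm_ignore_scripts": npmrc_ignore_scripts(npmrc),
        "pnpm_cooldown_ok": pnpm_cooldown_seconds(pnpm_yaml) >= target,
        "bun_cooldown_ok": bun_cooldown_seconds(bunfig) >= target,
    }

# Constructed sample configs: pnpm is set to 1 day (1440 min), bun to 7 days (604800 s).
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\nignore-scripts=true ; block postinstall\n"
SAMPLE_PNPM = "packages:\n  - 'packages/*'\nminimumReleaseAge: 1440\n"
SAMPLE_BUNFIG = "[install]\nminimumReleaseAge = 604800\n"

if __name__ == "__main__":
    print(audit(SAMPLE_NPMRC, SAMPLE_PNPM, SAMPLE_BUNFIG))
```

The pnpm entry comes back as not OK because 1440 minutes is one day, short of the 7-day target; the same number written in a bun config would mean 24 minutes, which is exactly the unit confusion the post describes.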