Tell package managers not to install packages that are too new

Published: 29/04/2026

Recently both the Python and JS/TS worlds were hit with supply chain attacks that published malicious versions of many popular packages, including, among others, Axios, Bitwarden CLI, and LiteLLM.

Since these malicious versions were all detected and removed within a few hours, a reasonable band-aid is to tell the package manager to delay installing any version newer than some specified age (the "dependency cooldown period"), and hope that automated scanning and other, braver users have found the problem by then. It is a mitigation rather than a fix: a malicious version that stays up longer than the cooldown still gets installed once it ages past the cutoff.

To configure:

uv (~/.config/uv/uv.toml):

    exclude-newer = "2 days"

pnpm (the value is in minutes, so 2880 = 2 days):

    pnpm config set minimumReleaseAge 2880

npm (~/.npmrc; min-release-age is in days):

    min-release-age=2
    ignore-scripts=true

    # alternative
    npm config set min-release-age 2
    npm config set ignore-scripts true

ignore-scripts is not part of the cooldown, but it stops install-time lifecycle scripts from running, which is how many malicious npm packages deliver their payload.

pip (~/.config/pip/pip.conf; the value is an ISO 8601 duration, P2D = 2 days):

    [global]
    uploaded-prior-to=P2D

    # alternative
    pip config set global.uploaded-prior-to P2D
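To make the cutoff these settings express concrete, here is an added example (mine, not code from uv, pip, npm or pnpm) of the selection a cooldown performs: given per-file upload times in the shape PyPI's per-project JSON API returns ("releases" mapping a version to its files), drop every non-yanked file younger than the cooldown and pick the newest version that still has an installable file. The package name, versions and timestamps are constructed, and the NOW constant stands in for the current time so the run is reproducible.

```python
"""Dependency-cooldown selection over PyPI-shaped release metadata.

Added example for this post, not code from any package manager. SAMPLE_RELEASES
is CONSTRUCTED to follow the shape of https://pypi.org/pypi/<name>/json
("releases": {version: [file, ...]}) so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2026, 4, 29, 12, 0, tzinfo=timezone.utc)
DEFAULT_COOLDOWN_DAYS = 2

# Constructed sample. 1.4.0 was uploaded an hour ago (what a cooldown is meant
# to skip); 1.3.1 is old enough but yanked; 1.3.0 is a week old; 1.2.0 has a
# months-old wheel plus a binary wheel added hours ago; 1.1.0 is months old.
SAMPLE_RELEASES = {
    "1.4.0": [{"filename": "pkg-1.4.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-29T11:00:00.000000Z", "yanked": False}],
    "1.3.1": [{"filename": "pkg-1.3.1-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-20T09:00:00.000000Z", "yanked": True}],
    "1.3.0": [{"filename": "pkg-1.3.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-22T09:00:00.000000Z", "yanked": False}],
    "1.2.0": [{"filename": "pkg-1.2.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-03-01T09:00:00.000000Z", "yanked": False},
              {"filename": "pkg-1.2.0-cp313-cp313-manylinux_2_17_x86_64.whl",
               "upload_time_iso_8601": "2026-04-29T08:00:00.000000Z", "yanked": False}],
    "1.1.0": [{"filename": "pkg-1.1.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-01-15T09:00:00.000000Z", "yanked": False}],
}


def _parse_upload_time(ts):
    # PyPI emits a trailing "Z"; fromisoformat only accepts it on 3.11+, so normalise.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(version):
    # Good enough for plain dotted-integer versions; real resolvers use PEP 440
    # ordering (packaging.version.Version), which also handles pre-releases.
    return tuple(int(part) for part in version.split("."))


def cooled_files(releases, now=NOW, cooldown_days=DEFAULT_COOLDOWN_DAYS):
    """Return {version: [files]} keeping only non-yanked files uploaded at or
    before now - cooldown. Filtering is per file: a fresh wheel attached to an
    old version is dropped while the version's older files stay installable."""
    cutoff = now - timedelta(days=cooldown_days)
    kept = {}
    for version, files in releases.items():
        usable = [f for f in files
                  if not f.get("yanked", False)
                  and _parse_upload_time(f["upload_time_iso_8601"]) <= cutoff]
        if usable:
            kept[version] = usable
    return kept


def newest_cooled_version(releases, now=NOW, cooldown_days=DEFAULT_COOLDOWN_DAYS):
    """Newest version with at least one installable file older than the cooldown,
    or None if nothing has aged past the cutoff yet."""
    candidates = cooled_files(releases, now, cooldown_days)
    return max(candidates, key=_version_key) if candidates else None


def excluded_files(releases, now=NOW, cooldown_days=DEFAULT_COOLDOWN_DAYS):
    """Non-yanked files the cooldown removed, sorted, for an audit log."""
    cutoff = now - timedelta(days=cooldown_days)
    return sorted(f["filename"]
                  for files in releases.values() for f in files
                  if not f.get("yanked", False)
                  and _parse_upload_time(f["upload_time_iso_8601"]) > cutoff)


if __name__ == "__main__":
    for days in (0, DEFAULT_COOLDOWN_DAYS, 60):
        print(f"cooldown={days}d -> {newest_cooled_version(SAMPLE_RELEASES, cooldown_days=days)}")
    print("held back by the 2-day cooldown:", excluded_files(SAMPLE_RELEASES))
```

With the default two-day window the script selects 1.3.0: 1.4.0 is too fresh, 1.3.1 is yanked, and the binary wheel uploaded this morning onto 1.2.0 is held back even though 1.2.0 itself remains installable from its older wheel. Setting the cooldown to zero returns 1.4.0, which is exactly the behaviour the settings above are there to avoid.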

I don't think a similar option exists for Go/Cargo/Gradle/Maven. A lot more information is included in this excellent blog post from Andrew Nesbitt.