submitted 1 day ago* (last edited 1 day ago) by tyteen4a03@lemmy.zip to c/javascript@programming.dev

Because there's no guide on how each package manager sets their minimumReleaseAge and every package manager uses a different format... (can we please get a standards committee going for security-related configs like these?)

Note: unless otherwise specified, X is a number ONLY. No date units (don't specify 7d or 1440m. Your config will error.)

And for the love of your favourite deity, remove all carets (^) from your package.json unless you know what you are doing. Always pin to exact versions (there should be no special characters in front of your version number).

  • npm: In .npmrc, min-release-age=X. X is the number of days. Requires npm v11.10.0 or above.

  • pnpm: In pnpm-workspace.yaml, set minimumReleaseAge: X. X is the number of minutes. Requires pnpm v10.16.0 or above. From v11 onwards, the default is 1440 minutes (1 day).

  • Yarn: In .yarnrc.yml, set npmMinimalAgeGate: X. X is a duration (date units supported are ms, s, m, h, d, w, e.g. 7d). If no duration is specified, then it is parsed as minutes (i.e. npmMinimalAgeGate: 1440 is equal to npmMinimalAgeGate: 1440m). Requires Yarn v4.11 or above (Yarn v4.10 also has the option, but only supported minutes as a raw number)

  • Deno: In deno.json, set "minimumDependencyAge": "X". X can be a number in minutes, an ISO-8601 Duration or an RFC3339 absolute timestamp (basically anything that looks like a date; if you are in Freedom Country remember to swap the month and the date). Requires Deno v2.6.0 or above.

  • Bun: In bunfig.toml, set:

      [install]
      minimumReleaseAge = X

    X is the number of seconds. Requires Bun v1.3.0 or above.
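As an added example (not code from the post or from any of the package managers above), a small Node.js script that performs the two checks the post asks for locally: it flags package.json specifiers that are not exact versions, and it applies a release-age gate to a registry packument's `time` map (the `{ version: publishDate }` object the npm registry returns), returning the newest version that has been public for at least the configured number of minutes. The package.json and `time` data are constructed sample values.

```javascript
// Added example: local pinning check and release-age gate. Runs offline.

// 1. Pinning check: an exact version is MAJOR.MINOR.PATCH, optionally with
//    prerelease/build metadata. Anything else (^, ~, ranges, tags) is flagged.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push(`${field}.${name}=${spec}`);
    }
  }
  return unpinned;
}

// 2. Release-age gate: given a packument "time" map ({ version: ISO date }),
//    return the newest version published at least minAgeMinutes before `now`,
//    skipping anything younger. Returns null if nothing qualifies.
function newestAllowedVersion(timeMap, minAgeMinutes, now = Date.now()) {
  const cutoff = now - minAgeMinutes * 60 * 1000;
  let best = null;
  for (const [version, published] of Object.entries(timeMap)) {
    if (version === 'created' || version === 'modified') continue; // not versions
    if (Date.parse(published) > cutoff) continue;                  // too new: skip
    if (best === null || compareSemver(version, best) > 0) best = version;
  }
  return best;
}

// Numeric MAJOR.MINOR.PATCH comparison; prerelease suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Constructed sample data (not real registry output).
const samplePackageJson = {
  dependencies: { left: '1.2.3', right: '^4.0.0', tilde: '~2.1.0', tag: 'latest' },
  devDependencies: { tool: '0.9.1' },
};
const sampleTime = {
  created: '2024-01-01T00:00:00.000Z',
  '1.7.9': '2024-06-01T00:00:00.000Z',
  '1.8.0': '2024-06-30T12:00:00.000Z', // published 2 hours before NOW
  modified: '2024-06-30T12:00:00.000Z',
};
const NOW = Date.parse('2024-06-30T14:00:00.000Z');

console.log(findUnpinned(samplePackageJson));             // right, tilde, tag
console.log(newestAllowedVersion(sampleTime, 1440, NOW)); // 1.7.9
console.log(newestAllowedVersion(sampleTime, 60, NOW));   // 1.8.0
```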

Ember 6.12 Released (blog.emberjs.com)

ES2025 is out, ES2026 is close. Here is the new feature of Javascript we can use today, what is coming next

submitted 3 weeks ago* (last edited 3 weeks ago) by justsouichi@programming.dev to c/javascript@programming.dev

A minimal Node.js wrapper around ClamAV that scans any file and returns a typed Verdict Symbol:

  • Verdict.Clean
  • Verdict.Malicious
  • Verdict.ScanError

Zero runtime dependencies. No daemon. No cloud. No native bindings. Works locally via clamscan or remotely via clamd TCP socket (Docker-friendly).

npm install pompelmi

Repo: https://github.com/pompelmi/pompelmi

Issues, PRs, and stars all welcome — it's how open source stays alive.


Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it faster, should people be running more scanners. None of that gets at why JavaScript keeps having these incidents at a rate no other ecosystem comes close to matching. The npm client’s defaults actively enable the attacks and have done for years.

JSX for Web Components (thelemmy.club)

TLDR; I’ve been experimenting with react-like jsx-syntax with webcomponents to see if I could theoretically replace React in one of my projects. It is not ready for production use, but rather an exploration into CustomElements and modern browser capabilities.

https://github.com/positive-intentions/dim

The goal was to build functional Web Components that handle state management and DOM updates without the overhead of a massive JavaScript framework. By leveraging standard Web APIs and Proxy objects, I’ve managed to create a reactive programming model that feels familiar—using JSX—but stays much closer to the browser platform.

I wanted to see how far I could take web components before the architecture broke down. If you're interested in frontend software engineering or web standards, you might find the logic behind the updates (which avoid a traditional virtual DOM) interesting.

Full technical tutorial and deep dive: https://positive-intentions.com/docs/research/Tutorials/dim/dim-functional-webcomponents

Disclaimer: This project is not ready for production use. In fact, this project may be getting deprecated soon, but I’m sharing it because the unique details into custom elements and modern JavaScript performance might be interesting or educational for others exploring the web platform.
