feat: enable default minimum dependency age (#35458)
Enables a minimum dependency age by default so npm version resolution
skips releases published within the last 24 hours (1440 minutes) when nothing
else is configured. This adds a small cooldown that mitigates installing a
freshly published, potentially compromised version the moment it lands.
The default sits at the bottom of the existing precedence chain, so it
only applies when no age is set anywhere else. Resolution order is: the CLI
flag, then `minimumDependencyAge` in `deno.json`, then `min-release-age` in
`.npmrc`, then the `NPM_CONFIG_MIN_RELEASE_AGE` /
`npm_config_min_release_age` environment variables, and finally the 1440 minute default.
`NPM_CONFIG_MIN_RELEASE_AGE` is now read as an npm-style fallback for
`min-release-age`, with an explicit `.npmrc` value still taking
precedence over it.
A numeric `0` (and `false`) for `minimumDependencyAge` now disables the
filter, matching the existing string `"0"` behavior and avoiding
surprises when a user's clock is off.
Because the default is opt-out, the shared local npm fixture test
environments set `NPM_CONFIG_MIN_RELEASE_AGE=0` so existing specs keep resolving the
latest fixture versions. The new integration tests remove that override to
cover the real product default, the explicit-disable path, and the env var
fallback.
---------
Co-authored-by: Nathan Whitaker <nathan@deno.com>
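
The precedence chain and disable semantics described in the commit message, as an added JavaScript sketch that is not Deno's own code. The `sources` object, the function names and the sample versions are hypothetical; treating every value as minutes, treating unparseable values as unset, and checking the uppercase environment variable before the lowercase one are assumptions of this sketch.

```javascript
// Added illustration, not Deno's implementation. Assumptions: all values are
// minutes, unparseable values count as unset, uppercase env var checked first.
const DEFAULT_MINUTES = 1440; // default stated in the commit message

// Returns minutes, or null when the setting is absent or unparseable.
function parseAge(value) {
  if (value === false) return 0; // `false` disables, like 0 and "0"
  if (typeof value !== "number" && typeof value !== "string") return null;
  if (String(value).trim() === "") return null;
  const n = Number(value);
  return Number.isFinite(n) && n >= 0 ? n : null;
}

// `sources` is a hypothetical container: { cliFlag, denoJson, npmrc, env }.
function resolveMinAgeMinutes(sources) {
  const env = sources.env ?? {};
  const chain = [
    sources.cliFlag, // highest precedence
    sources.denoJson, // minimumDependencyAge in deno.json
    sources.npmrc, // min-release-age in .npmrc
    env.NPM_CONFIG_MIN_RELEASE_AGE,
    env.npm_config_min_release_age,
  ];
  for (const raw of chain) {
    const parsed = parseAge(raw);
    // Test for null, not truthiness: an explicit 0 must win and disable.
    if (parsed !== null) return parsed;
  }
  return DEFAULT_MINUTES;
}

// Keeps versions published at least `minAgeMinutes` before `now`.
function eligibleVersions(versions, minAgeMinutes, now) {
  if (minAgeMinutes === 0) return versions.map((v) => v.version);
  const cutoff = now.getTime() - minAgeMinutes * 60000;
  return versions
    .filter((v) => Date.parse(v.published) <= cutoff)
    .map((v) => v.version);
}

// Constructed sample data: one settled release, one published 3 hours ago.
const NOW = new Date("2025-01-10T12:00:00Z");
const SAMPLE = [
  { version: "1.0.0", published: "2025-01-01T00:00:00Z" },
  { version: "1.0.1", published: "2025-01-10T09:00:00Z" },
];
```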