
FYI, npm/bun/pnpm/uv now all support setting a minimum release age for packages.

I updated my global configs to set min release age to 7 days:

  ~/.config/uv/uv.toml
  exclude-newer = "7 days"
  
  ~/.npmrc
  min-release-age=7 # days
  
  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes
  
  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds
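Added example, not from any commenter or from the package managers themselves: a minimal resolver showing what a minimum release age does to version selection, for both an unpinned "latest" request and an explicit pin to a too-new version, plus the unit conversions the four configs above use. Package name and publish dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def min_age_units(days: int) -> dict:
    """The same policy in uv's days, pnpm's minutes and bun's seconds."""
    return {"days": days, "minutes": days * 24 * 60, "seconds": days * 24 * 60 * 60}


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime  # timezone-aware UTC


def eligible_releases(releases, now, min_age):
    """Releases published at or before the cutoff (now - min_age)."""
    cutoff = now - min_age
    return [r for r in releases if r.published <= cutoff]


def resolve(releases, now, min_age, requested=None):
    """Return the newest eligible version, or the pinned one if it is eligible.

    None models the 'no mature matching version' error: the version exists
    but is younger than the policy allows. Newest is picked by publish date,
    a simplification of real semver ordering.
    """
    eligible = eligible_releases(releases, now, min_age)
    if requested is not None:
        return requested if any(r.version == requested for r in eligible) else None
    if not eligible:
        return None
    return max(eligible, key=lambda r: r.published).version


# Constructed sample data for a hypothetical package "examplepkg".
NOW = datetime(2026, 3, 25, tzinfo=timezone.utc)
RELEASES = [
    Release("1.0.0", NOW - timedelta(days=40)),
    Release("1.1.0", NOW - timedelta(days=9)),
    Release("1.1.1", NOW - timedelta(days=2)),  # too new under a 7-day policy
]
SEVEN_DAYS = timedelta(days=7)
NO_MIN_AGE = timedelta(0)  # what the --min-release-age 0 style overrides amount to

if __name__ == "__main__":
    print(resolve(RELEASES, NOW, SEVEN_DAYS))            # 1.1.0
    print(resolve(RELEASES, NOW, SEVEN_DAYS, "1.1.1"))   # None
    print(resolve(RELEASES, NOW, NO_MIN_AGE, "1.1.1"))   # 1.1.1
```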



Do you know if there is a way to override this specifically when I want to install a security patch? uv just claims that the package doesn't exist if I ask for the new version.


Yes, there is. You can use those configs as flags in the CLI to override the global config.

e.g.:

  npm install <package> --min-release-age 0
  
  pnpm add <package> --minimum-release-age 0
  
  uv add <package> --exclude-newer "0 days"
  
  bun add <package> --minimum-release-age 0


Note that pnpm does not have this flag yet; please upvote this issue if you want it added: https://github.com/pnpm/pnpm/issues/11224

Currently pnpm only supports setting this option via persistent config file, not per-run.


uv also has --exclude-newer-package, which I think can be used to override just a certain package.

https://docs.astral.sh/uv/reference/cli/#uv-run--exclude-new... https://docs.astral.sh/uv/reference/settings/#exclude-newer-...


I don't think the syntax is correct for pnpm.


Works for me?

  $ pnpm add -D typescript@6.0.2
   ERR_PNPM_NO_MATURE_MATCHING_VERSION  No matching version found for typescript@6.0.2 published by Wed Mar 18 2026..

You could also set the config this way:

  pnpm config set minimumReleaseAge 10080 --global

You may be thinking about the project-specific config, which uses YAML.

https://pnpm.io/cli/config


I understand that this is a good idea, but it does feel really weird. Add a min-release-age to see if anyone who doesn't gets bitten.

Next up, we're going to advise a minimum-release-age of 14 days, because most other projects use 7 days.


You don't have to outrun the bear, just the other guy.


Wouldn't this just be a case of the bear catching one guy and then catching the other guy (especially if the issue was unnoticed altogether after the set number of days)?


The minimum-release-age heuristic is certainly helpful as it theoretically gives the community a chance to identify the issue. Of course, in practice, these things aren't scanned or analyzed the way they should ideally be, which is a deeper issue. Pinning has definitely saved me on more than one occasion, but it doesn't strike at the root of the issue.


There will always be early adopters.

And maybe more importantly: security tools and researchers.



