One line of config that blocks most npm supply-chain attacks
Malicious package versions are usually caught within days. pnpm's minimumReleaseAge makes you structurally immune to the window where they do damage.
Nearly every npm supply-chain incident follows the same timeline: a maintainer account gets compromised, a malicious version ships, and within hours to days it's detected and unpublished. The damage happens in that window — to the projects that installed immediately.
So don't install immediately.
# Only install package versions published at least 1 day ago
minimumReleaseAge: 1440That's it. pnpm will refuse any version younger than the cutoff and resolve to the newest mature version instead.
What it feels like in practice
The first install after enabling it is revealing — our freshly scaffolded lockfile contained 13 versions published within the previous week:
turbo@2.10.2 was published at 2026-06-30T16:23:30.000Z,
within the minimumReleaseAge cutoff
lucide-react@1.23.0 was published at 2026-07-01T14:05:26.000Z,
within the minimumReleaseAge cutoffOccasionally a package pins a range whose only satisfying version is too young; you widen the range one notch and move on. A small price for skipping the blast radius of the next compromised release.
The trade-off, stated honestly
Security fixes also wait out the window. If a critical CVE patch ships, you either wait a day or override consciously for that one package. We'll take that trade: attacks exploit the first hours, patches rarely can't wait one day.
Get the next one in your inbox
New articles, videos and the occasional engineering note — a short mail when there’s something worth reading, nothing else.