
FYI, npm/bun/pnpm/uv now all support setting a minimum release age for packages.

I updated my global configs to set min release age to 7 days:

  ~/.config/uv/uv.toml
  exclude-newer = "7 days"
  
  ~/.npmrc
  min-release-age=7 # days
  
  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes
  
  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds




Do you know if there is a way to override this specifically when I want to install a security patch? uv just claims that the package doesn't exist if I ask for the new version.

Yes there is. You can use those configs as flags in the CLI to override the global config.

e.g.:

  npm install <package> --min-release-age 0
  
  pnpm add <package> --minimum-release-age 0
  
  uv add <package> --exclude-newer "0 days"
  
  bun add <package> --minimum-release-age 0

uv also has --exclude-newer-package which I think can be used for overriding just a certain package.

https://docs.astral.sh/uv/reference/cli/#uv-run--exclude-new... https://docs.astral.sh/uv/reference/settings/#exclude-newer-...
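As an added illustration (not code from any commenter or from npm/pnpm/uv/bun themselves), here is a small Python model of the gate these settings configure: the global minimum age from the top comment, plus a per-package override in the spirit of the uv `--exclude-newer-package` flag mentioned above. The package name, publish timestamps and the fixed clock are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed metadata in the shape of the npm registry "time" map
# (version -> ISO-8601 publish timestamp). Package and dates are made up.
REGISTRY_TIME = {
    "example-pkg": {  # hypothetical package name
        "1.0.0": "2026-02-01T12:00:00.000Z",
        "1.0.1": "2026-03-01T12:00:00.000Z",
        "1.1.0": "2026-03-17T09:30:00.000Z",  # published the day before NOW
    },
}
# Fixed clock so the example is reproducible (assumption, not the real "now").
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)


class NoMatureVersion(Exception):
    """Every candidate is newer than the cutoff: the situation pnpm reports as
    ERR_PNPM_NO_MATURE_MATCHING_VERSION and uv surfaces as 'no such version'."""


def parse_ts(s):
    # Registry timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def mature_versions(name, min_age_days, now=NOW, per_package=None, registry=REGISTRY_TIME):
    """Versions of `name` published at least `min_age_days` before `now`.

    `per_package` maps package name -> override in days; 0 disables the gate
    for that one package (the per-package escape hatch for a security patch).
    """
    age = (per_package or {}).get(name, min_age_days)
    cutoff = now - timedelta(days=age)
    ok = [v for v, ts in registry.get(name, {}).items() if parse_ts(ts) <= cutoff]
    if not ok:
        raise NoMatureVersion(f"No matching version found for {name} published by {cutoff:%a %b %d %Y}")
    return ok


def resolve(name, requested=None, **kw):
    """Pick the newest mature version, or check that an exact request is mature.
    Versions are compared as numeric dotted tuples (fine for this sample data)."""
    candidates = mature_versions(name, **kw)
    if requested is not None:
        if requested not in candidates:
            raise NoMatureVersion(f"{name}@{requested} is not old enough")
        return requested
    return max(candidates, key=lambda v: tuple(int(p) for p in v.split(".")))
```

With a 7-day gate the resolver silently skips 1.1.0 and returns 1.0.1; requesting 1.1.0 explicitly fails, which is exactly the "package doesn't exist" experience described above, and the override or a per-package age of 0 lets it through.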


I don't think the syntax is correct for pnpm.

Works for me?

  $ pnpm add -D [email protected]
   ERR_PNPM_NO_MATURE_MATCHING_VERSION  No matching version found for [email protected] published by Wed Mar 18 2026..

You could also set the config this way:

  pnpm config set minimumReleaseAge 10080 --global

You may be thinking about the project-specific config, which uses YAML.

https://pnpm.io/cli/config


I understand that this is a good idea but it does feel really weird. Add a min-release-age to see if anyone who doesn't gets bitten.

Next up, we're going to advise a minimum-release-age of 14 days, cause most other projects use 7 days.


You don't have to outrun the bear, just the other guy.

Wouldn't this just be a case of the bear catching one guy and then catching the other guy (especially if the issue was unnoticed altogether after the set number of days)?

The minimum-release-age heuristic is certainly helpful as it theoretically gives the community a chance to identify the issue. Of course, in practice, these things aren't scanned or analyzed the way they should ideally be, which is a deeper issue. Pinning has definitely saved me on more than one occasion, but it doesn't strike at the root of the issue.

There will always be early adopters.

And maybe more importantly: security tools and researchers.



