JSPM

age-install

0.1.1

License MIT

Delay npm package installations until they reach a minimum age, protecting against supply chain attacks

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (age-install) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    age-install

    Because "trust me, it's fine" isn't a security strategy.

    Delay npm package installations until they reach a minimum age, protecting against supply chain attacks.


    The Problem

    Hackers love publishing malicious packages. You know what usually happens next? Those packages get taken down within an hour. So let's not install anything fresh out of the oven. Age-install waits until packages reach a certain age (in minutes) before letting them in.

    Installation

    npm install -g age-install

    Or ride the npx wave:

    npx age-install install react

    Quick Start

    # Install with age check (default: 1440 min minimum)
    age-install install react lodash
    
    # Check packages WITHOUT installing (generate report)
    age-install check react lodash
    
    # Check ALL dependencies in package.json
    age-install check
    
    # Add a package (like npm add, but safer)
    age-install add typescript
    
    # Bypass everything (you've been warned)
    age-install install react --force

    Commands

    Command          What it does
    install [pkgs]   Install packages with safety checks
    add <pkgs>       Add packages to package.json with safety checks
    check [pkgs]     Check packages and generate report (no install)
    exec -- <cmd>    Run any npm command (passthrough)
    cache            Manage timestamp cache

    Options

    Flag                      What it does                               Default
    -m, --minimum-age <min>   Minimum age in minutes before installing   1440
    -e, --exclude <pkg>       Skip age check for these                   none
    -v, --verbose             See what age-install is thinking           false
    -f, --force               Install without asking                     false
    -r, --report              Save report to JSON file                   false
    --report-file <path>      Custom report file path                    age-install-report-YYYY-MM-DD.json
    -c, --clear               Clear the timestamp cache                  false
    -h, --help                You're reading it                          -
    -V, --version             Spoiler: still v0.1.0                      -

    Configuration

    package.json

    {
      "ageInstall": {
        "minimumReleaseAge": 60,  // minutes
        "minimumReleaseAgeExclude": ["webpack", "vite"]
      }
    }

    .npmrc

    age-install.minimumReleaseAge=60     # minutes
    age-install.minimumReleaseAgeExclude=webpack,vite

    Environment

    AGE_INSTALL_MIN_AGE=60     # minutes
    AGE_INSTALL_EXCLUDE=webpack,vite

    Priority: CLI args → Environment → Config file → Defaults

    Exclusion Patterns

    Not everything needs the waiting room:

    {
      "ageInstall": {
        "minimumReleaseAgeExclude": [
          "webpack",           // Exact match - webpack trusts webpack
          "@babel/core",      // Scoped packages work too
          "^eslint",           // Regex - matches eslint, eslint-config-*
          "@types/*"           // Wildcard - all @types/* get a pass
        ]
      }
    }

    Check Command (Report Mode)

    The check command validates packages without installing. Perfect for CI/CD pipelines or auditing.

    # Check specific packages
    age-install check react lodash express
    
    # Check all deps in package.json
    age-install check
    
    # Generate report and save to JSON file
    age-install check react lodash --report
    
    # Custom report file path
    age-install check --report --report-file ./my-report.json

    Example console output:

    📋 Checking 3 package(s)...
    
    ✅ Safe to install (old enough):
       - react@19.2.6 (207.8 hours old)
       - lodash@4.18.1 (1043.1 hours old)
    
    ⚠️  Too new (would be blocked):
       - express@5.0.0 (15 minutes old, min: 60 min)
    
    ⏭️  Excluded (no checks performed):
       - webpack
    
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    📊 Summary: 2 safe, 1 blocked, 1 excluded
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    
    📄 Report saved to: age-install-report-2026-05-15.json

    Example JSON report file:

    {
      "generated": "2026-05-15T08:30:00.000Z",
      "minimumAge": 60,
      "source": "command-line",
      "summary": {
        "safe": 2,
        "blocked": 1,
        "excluded": 1,
        "total": 4
      },
      "safe": [
        {
          "name": "react",
          "version": "19.2.6",
          "fullSpec": "react@19.2.6",
          "ageMinutes": 12468,
          "timestamp": "2026-05-06T16:16:47.653Z"
        }
      ],
      "blocked": [
        {
          "name": "express",
          "version": "5.0.0",
          "fullSpec": "express@5.0.0",
          "ageMinutes": 15,
          "ageFormatted": "15 minutes",
          "timestamp": "2026-05-15T08:15:00.000Z"
        }
      ],
      "excluded": [
        { "name": "webpack" }
      ]
    }
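    As an added example (not age-install's own code), here is how the exclusion patterns from the Exclusion Patterns section and the minimum-age threshold combine into the safe/blocked/excluded report shape shown above. The registry timestamp lookup is replaced by constructed sample data, and the function names isExcluded and classify are assumptions.

```javascript
// Added example, not age-install's own code: apply the README's exclusion
// rules and age threshold to resolved packages and build a report object.

// Exclusion rules as the README describes them: exact name (scoped or not),
// a pattern beginning with "^" is a regular expression, "*" is a wildcard.
function isExcluded(name, patterns) {
  return patterns.some((p) => {
    if (p.startsWith('^')) return new RegExp(p).test(name);
    if (p.includes('*')) {
      const parts = p.split('*').map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
      return new RegExp('^' + parts.join('.*') + '$').test(name);
    }
    return p === name;
  });
}

// `resolved` entries carry the publish timestamp of the resolved version; the
// npm registry exposes these in a package document's "time" map. Values here
// are constructed for the example, not fetched.
function classify(resolved, minimumAgeMinutes, excludePatterns, nowMs) {
  const report = { minimumAge: minimumAgeMinutes, safe: [], blocked: [], excluded: [] };
  for (const pkg of resolved) {
    if (isExcluded(pkg.name, excludePatterns)) {
      report.excluded.push({ name: pkg.name }); // no age lookup for excluded packages
      continue;
    }
    const ageMinutes = Math.floor((nowMs - Date.parse(pkg.timestamp)) / 60000);
    const entry = { name: pkg.name, version: pkg.version, ageMinutes,
      fullSpec: `${pkg.name}@${pkg.version}`, timestamp: pkg.timestamp };
    // Anything younger than the threshold is blocked, everything else is safe.
    (ageMinutes >= minimumAgeMinutes ? report.safe : report.blocked).push(entry);
  }
  report.summary = { safe: report.safe.length, blocked: report.blocked.length,
    excluded: report.excluded.length, total: resolved.length };
  return report;
}

// Constructed sample input, loosely mirroring the README's example output.
const NOW_MS = Date.parse('2026-05-15T08:30:00.000Z');
const SAMPLE = [
  { name: 'react', version: '19.2.6', timestamp: '2026-05-06T16:16:47.653Z' },
  { name: 'express', version: '5.0.0', timestamp: '2026-05-15T08:15:00.000Z' },
  { name: 'webpack', version: '5.0.0', timestamp: '2026-05-15T08:20:00.000Z' },
  { name: '@types/node', version: '22.0.0', timestamp: '2026-05-15T08:25:00.000Z' },
];
const REPORT = classify(SAMPLE, 60, ['webpack', '@types/*'], NOW_MS);
console.log(JSON.stringify(REPORT.summary)); // {"safe":1,"blocked":1,"excluded":2,"total":4}
```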

    Features

    • Scoped packages? Yup. @babel/core, @types/react, all good.
    • Version ranges? Bring it. react@^18, lodash@~4.17, express@^4.
    • Partial versions? We got you. express@^4 resolves to the real thing.
    • Zero dependencies? True story. Pure Node.js.
    • JSON reports? You bet. Perfect for CI/CD artifacts.

    Why Not Just Use pnpm?

    pnpm v10.16 added this natively. Nice, right? But what if you're already using npm? Or yarn? Age-install has your back across the ecosystem.

    About the Author

    Built by cinfinit, who's tired of the "just installed a malicious package" Slack messages at 3 AM.

    This started as a "let's quickly check if any of our deps were published today" script and turned into this. If you find it useful, great. If not, at least you now know what minimumReleaseAge is for in pnpm.

    Made with: VS Code, 0 caffeine, and a healthy distrust of packages published in the last hour.