JSPM

verdaccio-age-gate

1.0.0
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 5
  • Score
    100M100P100Q62012F
  • License MIT

Verdaccio middleware that blocks npm packages published less than N days ago, reducing supply-chain attack risk.

Package Exports

  • verdaccio-age-gate
  • verdaccio-age-gate/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (verdaccio-age-gate) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

verdaccio-age-gate

Verdaccio middleware that blocks npm packages published less than N days ago, reducing supply-chain attack risk.

When a package version is published to npm, it takes time for the community to notice malicious code. This plugin enforces a configurable delay before new package versions are served through your Verdaccio registry.

Installation

npm install verdaccio-age-gate

Configuration

Add to your config.yaml:

middlewares:
  audit:
    enabled: true
  age-gate:
    enabled: true
    min_age_days: 14   # default: 14

How it works

For each package metadata request, the middleware inspects the time field in the npm registry response and removes any version published less than min_age_days days ago. If all versions of a package are too new, the request returns a 404 with a clear error message.

Tarballs (.tgz) are not intercepted — only JSON metadata requests, so the performance overhead is minimal.

Example error

{
  "error": "All versions of some-package are newer than 14 days and blocked by age-gate policy."
}

License

MIT