NPM version 11.10.0 (Feb 2026) can now take the relative age of a package version into account before installing it, through a new min-release-age config option.
Limiting package installation based on age is known as a dependency cooldown. It is a low-effort defense against the rise in supply chain attacks, since it gives time for a malicious release to be noticed and removed before your install picks it up.
You can add the following to your user home directory, or per-project .npmrc file:
min-release-age=7
or set it globally with:
npm config set min-release-age=7 --location=global
On macOS, the exact global path depends on how you installed Node.js:
- Homebrew: /opt/homebrew/etc/npmrc (Apple Silicon) or /usr/local/etc/npmrc (Intel)
- Node official installer: /usr/local/etc/npmrc
- NVM (Node Version Manager): $HOME/.nvm/versions/node/v[version number]/etc/npmrc
Once set, NPM won’t install any package version that was released less than 7 days ago (in this example). A 7-day safety margin should help cover weekends and holidays, when security responses might be slower.
Note: a similar effect could previously be achieved with the before config option, which takes a fixed date, whereas min-release-age takes a constant relative age in days and so never needs updating. The two options are mutually exclusive.
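To make the cooldown concrete, here is an added example (not npm's own code) that models the check: given a package's publish timestamps, shaped like the "time" map the npm registry returns, it keeps only the versions published at least min-release-age days ago and picks the newest of those. The metadata, the "now" date and the helper names are constructed for the illustration.

```javascript
// Simplified model of a dependency cooldown (an illustration, not npm's
// implementation): a version is eligible only if it was published at
// least minReleaseAgeDays before "now".

// Constructed sample, shaped like the registry's "time" object.
const SAMPLE_TIMES = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2026-02-10T00:00:00.000Z",
  "1.0.0": "2024-01-01T00:00:00.000Z",
  "1.1.0": "2025-06-15T00:00:00.000Z",
  "1.2.0": "2026-02-08T12:00:00.000Z", // 2 days before "now": too new
  "2.0.0": "2026-02-10T00:00:00.000Z", // published "today": too new
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Compare two x.y.z version strings numerically (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every version published at or before now - minReleaseAgeDays, oldest first.
// Non-version keys such as "created" and "modified" are skipped.
function eligibleVersions(times, minReleaseAgeDays, now) {
  const cutoff = now.getTime() - minReleaseAgeDays * DAY_MS;
  return Object.keys(times)
    .filter((k) => /^\d+\.\d+\.\d+$/.test(k))
    .filter((v) => Date.parse(times[v]) <= cutoff)
    .sort(compareVersions);
}

// Newest version that clears the cooldown, or null if none does.
function newestEligible(times, minReleaseAgeDays, now) {
  const ok = eligibleVersions(times, minReleaseAgeDays, now);
  return ok.length ? ok[ok.length - 1] : null;
}

const NOW = new Date("2026-02-10T12:00:00.000Z"); // constructed "today"
console.log(newestEligible(SAMPLE_TIMES, 7, NOW)); // 1.1.0
console.log(newestEligible(SAMPLE_TIMES, 0, NOW)); // 2.0.0
```

With a 7-day cooldown the two freshest releases are skipped and 1.1.0 is chosen; with no cooldown the install would take 2.0.0 on its release day.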
