Version maturity - the 'age' Marshall checks since package created. This feature is for new version published time difference. #311
Comments
|
Hi @robatwilliams, thanks for the idea but this is already implemented. See the README for 
That is relevant to the whole package time diff from being created (published for the first time). |
|
Yes, the age of the new version |
lirantal
changed the title
|
Ok. |
|
Hard to say. If it's too low then any package that's frequently releasing patches will always get a warning. But I don't think there always being a warning would be a new issue, as most packages already don't have a provenance statement. 7 days perhaps? It would almost effectively be 5 days if the publish was done just before the weekend, during which there is much less attention. |
Warn when the version being installed has only very recently been published. That would invite extra caution because scanners and the community may not yet have found any newly introduced issues.
Expected Behavior
Warning on the next line after "Checking package maturity" if published less than e.g. 1 day ago
Current Behavior
No change, only additional.
Possible Solution
The publish date is available in the package metadata (
npm info).Context
For example when node-ipc was compromised, there was a time window until the issue was identified, and if you happened to install during that window then you would have been impacted.
The counterpoint to this whole idea however is that if everyone holds off installing recently published versions, it could delay identification of security issues.
The text was updated successfully, but these errors were encountered: