I happened to look into this recently while reading about supply chain attacks, so I figured I might as well put together a detailed list of which versions/pull requests introduced these settings for each package manager.
npm
Available starting npm v11.10.0. The unit is days.
.npmrc
min-release-age=7yarn
Available starting yarn v4.10.0. The unit is minutes.
- Release v4.10.0 · yarnpkg/berry
- feat: implement
npmMinimalAgeGateandnpmPreapprovedPackagesconfig options by bienzaaron · Pull Request #6901 · yarnpkg/berry
.yarnrc.yml
npmMinimalAgeGate: 10080Starting yarn v4.11.0, string values are also supported.
- Release v4.11.0 · yarnpkg/berry
- Core: Create DURATION settings type by clemyan · Pull Request #6942 · yarnpkg/berry
.yarnrc.yml
npmMinimalAgeGate: "7d"pnpm
Available starting pnpm v10.16. The unit is minutes.
- Release pnpm 10.16 · pnpm/pnpm
- feat: set minimumReleaseAge to delay new versions of dependencies from being installed by zkochan · Pull Request #9957 · pnpm/pnpm
pnpm-workspace.yaml
minimumReleaseAge: 10080bun
Available starting bun v1.3. The unit is seconds.
- Bun 1.3 | Bun Blog
- Release Bun v1.3 · oven-sh/bun
- bun install: support for
minimumReleaseAgeby RiskyMH · Pull Request #22801 · oven-sh/bun
bunfig.toml
[install]
minimumReleaseAge = 604800deno
Available starting deno v2.5.5. The unit is minutes.
String values are also supported (ISO 8601 or RFC3339 format).
- Release v2.5.5 · denoland/deno
- feat(unstable): ability to only install dependencies older than a certain date by dsherret · Pull Request #30752 · denoland/deno
- feat(unstable): ability to specify minimum dependency age in deno.json file by dsherret · Pull Request #31007 · denoland/deno
deno.json
{
"minimumDependencyAge": 10080
}deno.json
{
"minimumDependencyAge": "P7D"
}