Exactly this. For anyone who wants to do it for various package managers:
reply ~/.npmrc:
min-release-age=7 (npm 11.10+)
~/Library/Preferences/pnpm/rc:
minimum-release-age=10080 (minutes)
~/.bunfig.toml
[install]:
minimumReleaseAge = 604800 (seconds)
(plug: released a small CLI to auto-configure these — https://depsguard.com — I tried to find something that will help non developers quickly apply recommended settings, and couldn't find one)
reply
Love it, I'll link to it!
replyThat is why we have discussions like these:
https://x.com/i/status/2039099810943304073
replyX is the worst place to hold community discussions.
replyI am not sure that works - imagine that the next shellshock had been found. Would you want to wait 7 days to update?
replyWe need to either screen everybody or cut of countries like North Korea and Iran from the Internet.
These vulnerabilities are all caught by scanners and the packages are taken down 2-3 hours after going live. Nothing needs to take 7 days, that's just a recommendation. But maybe all packages should be scanned, which apparently only takes a couple of hours, before going live to users?
replyShellshock was in 2014 and Log4Shell was 2021. It's far more likely that you're going to get pwned by using a too-recent unreviewed malicious package than to be unknowingly missing a security update that keeps you vulnerable to easy RCEs. And if such a big RCE vuln happens again, you're likely to hear about it and you can whitelist the update.
reply