{"id":31228145,"url":"https://github.com/johnjaider1000/ggpm","last_synced_at":"2026-04-29T20:33:18.800Z","repository":{"id":315158835,"uuid":"1058349466","full_name":"johnjaider1000/ggpm","owner":"johnjaider1000","description":"ggpm is a security-focused wrapper for JavaScript package managers (npm, yarn, pnpm, bun) that validates package age before installation. It prevents the installation of packages that are too recent, helping protect your projects from potentially unstable or malicious packages.","archived":false,"fork":false,"pushed_at":"2025-09-17T05:18:25.000Z","size":79,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-30T15:45:48.435Z","etag":null,"topics":["bun","ggpm","global-guardian-package-manager","npm","package-manager","pnpm","yarn"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/ggpm","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/johnjaider1000.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-17T01:18:09.000Z","updated_at":"2025-09-17T05:43:36.000Z","dependencies_parsed_at":"2025-09-17T03:25:40.808Z","dependency_job_id":"966944d9-ad02-43ec-8220-cf02f4a5f32c","html_url":"https://github.com/johnjaider1000/ggpm","commit_stats":null,"previous_names":["johnjaider1000/ggpm"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/johnjaider1000/ggpm","repository_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnjaider1000%2Fggpm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnjaider1000%2Fggpm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnjaider1000%2Fggpm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnjaider1000%2Fggpm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/johnjaider1000","download_url":"https://codeload.github.com/johnjaider1000/ggpm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnjaider1000%2Fggpm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32443555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T20:22:27.477Z","status":"ssl_error","status_checked_at":"2026-04-29T20:22:26.507Z","response_time":110,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bun","ggpm","global-guardian-package-manager","npm","package-manager","pnpm","yarn"],"created_at":"2025-09-22T05:13:03.880Z","updated_at":"2026-04-29T20:33:18.778Z","avatar_url":"https://github.com/johnjaider1000.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GGPM - Global Guardian Package Manager\n\n**GGPM** is a security-focused wrapper for JavaScript package managers (npm, yarn, pnpm, bun) that validates package age before installation. It prevents the installation of packages that are too recent, helping protect your projects from potentially unstable or malicious packages.\n\n## Installation\n\nInstall GGPM globally to use it as a wrapper for your package managers:\n\n```bash\nnpm install -g ggpm\n```\n\n## Features\n\n- **Package Age Validation**: Validates that packages meet minimum release age requirements before installation\n- **Multi-Package Manager Support**: Works with npm, yarn, pnpm, and bun\n- **Automatic Detection**: Intelligently detects which package manager to use based on lock files or available binaries\n- **Configurable Thresholds**: Set custom minimum release age via `.npmrc` configuration\n- **SOLID Architecture**: Built with clean, maintainable, and extensible TypeScript code\n- **CLI Compatibility**: Drop-in replacement for existing package manager commands\n\n## Usage\n\nAfter global installation, use GGPM commands instead of direct package manager commands:\n\n### Basic Commands\n```bash\n# General command (auto-detects package manager)\nggpm install lodash\n\n# Specific package manager wrappers\ngnpm install express\ngyarn add react\ngpnpm install vue\ngbun add svelte\n```\n\n### Configuration\n\nGGPM uses the standard `.npmrc` file for configuration. Create or update your `.npmrc` file in your project root to set the minimum package age (in days):\n\n```ini\n# Minimum release age in days\nminimum-release-age=7\n```\n\n**Configuration Options:**\n- `minimum-release-age`: Number of days a package must be published before allowing installation\n- Default value: **7 days** (if no `.npmrc` file is found)\n\n**Why 7 days by default?**\n- 🐛 **Bug Detection**: Critical bugs typically surface within 2-5 days\n- 🦠 **Security Issues**: Malware and typosquatting attacks are usually reported within 1-3 days\n- 🔍 **Community Review**: One week allows basic community vetting and feedback\n- ⚡ **Development Flow**: Short enough to not disrupt normal development workflows\n- 📊 **Industry Research**: Based on analysis of npm security incidents and disclosure timelines\n\n**Example configurations:**\n```ini\n# Development/Testing\nminimum-release-age=3\n\n# Production (recommended)\nminimum-release-age=14\n\n# Conservative production\nminimum-release-age=30\n\n# Enterprise/Critical systems\nminimum-release-age=90\n```\n 📝 These are just suggested values — choose what makes sense for your project, team, or risk tolerance.\n\n**Note:** The `.npmrc` file should be placed in your project root directory (same level as `package.json`).\n\n### Example Workflow\n```bash\n# This will validate that lodash is at least 7 days old before installing\nggpm install lodash\n\n# If the package is too recent, installation will be blocked\n# ❌ lodash@4.17.21 is too recent (3 days). Minimum required: 7 days\n# ❌ Installation blocked by packages that are too recent\n\n# If the package meets age requirements, installation proceeds normally\n# ✅ lodash meets the minimum age requirement\n# ✅ All packages are valid, proceeding with installation...\n```\n\n## Package Manager Detection Priority\n\n1. **Lock File Detection**: Checks for `pnpm-lock.yaml`, `yarn.lock`, or `bun.lockb`\n2. **Binary Availability**: Falls back to checking installed package managers\n3. **Default Fallback**: Uses npm if no other manager is detected\n\nFor `ggpm` command specifically, it defaults to `pnpm` if available, otherwise `npm`.\n\n## Architecture\n\nGGPM is built using SOLID principles with a modular architecture:\n\n- **PackageValidator**: Validates package ages against configuration\n- **PackageInfoFetcher**: Retrieves package metadata from npm registry\n- **ConfigurationReader**: Reads settings from `.npmrc`\n- **PackageManagerDetector**: Detects available package managers\n- **CommandMapper**: Maps CLI commands to appropriate package managers\n\n## Security Benefits\n\n- **Prevents Zero-Day Attacks**: Blocks installation of very recent packages that might contain malicious code\n- **Reduces Supply Chain Risk**: Ensures packages have been available for community review\n- **Configurable Security Posture**: Adjust minimum age based on your security requirements\n- **Transparent Operation**: Clear feedback on why packages are blocked or allowed\n\n## Contributing\n\nGGPM is built with TypeScript and follows SOLID principles. The codebase is modular and extensible, making it easy to add new features or package manager support.\n\n## License\n\nMIT License - see LICENSE file for details.\n\n## Support\n\nIf you encounter any issues or have questions about GGPM, please reach out:\n\n- **Email**: [contacto@starlly.com](mailto:contacto@starlly.com)\n- **GitHub Issues**: Submit bug reports and feature requests\n\n---\n\nMade with ❤️ in Colombia 🇨🇴\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnjaider1000%2Fggpm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjohnjaider1000%2Fggpm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnjaider1000%2Fggpm/lists"}