{"id":32368948,"url":"https://github.com/josepderiu/npm-minimum-age-validation","last_synced_at":"2026-01-20T17:28:01.728Z","repository":{"id":318150468,"uuid":"1070091940","full_name":"josepderiu/npm-minimum-age-validation","owner":"josepderiu","description":"Validate npm package age to protect your supply chain from newly published packages. CLI tool for git hooks and CI/CD pipelines.","archived":false,"fork":false,"pushed_at":"2025-10-23T10:49:44.000Z","size":514,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-23T11:26:05.412Z","etag":null,"topics":["ci-cd","cli","dependency-management","devops","git-hooks","nodejs","npm","package-validator","security","supply-chain","supply-chain-security","typescript"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/@josepderiu/npm-minimum-age-validation","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/josepderiu.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-05T08:49:02.000Z","updated_at":"2025-10-23T10:49:46.000Z","dependencies_parsed_at":null,"dependency_job_id":"4891abc9-ddf3-432d-b050-4b1c67d4249c","html_url":"https://github.com/josepderiu/npm-minimum-age-validation","commit_stats":null,"previous_names":["josepderiu/npm-minimum-age-validation"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/josepderiu/npm-minimum-age-validation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josepderiu%2Fnpm-minimum-age-validation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josepderiu%2Fnpm-minimum-age-validation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josepderiu%2Fnpm-minimum-age-validation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josepderiu%2Fnpm-minimum-age-validation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/josepderiu","download_url":"https://codeload.github.com/josepderiu/npm-minimum-age-validation/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/josepderiu%2Fnpm-minimum-age-validation/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280857053,"owners_count":26403190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-24T02:00:06.418Z","response_time":73,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","cli","dependency-management","devops","git-hooks","nodejs","npm","package-validator","security","supply-chain","supply-chain-security","typescript"],"created_at":"2025-10-24T19:36:38.197Z","updated_at":"2025-10-24T19:36:46.437Z","avatar_url":"https://github.com/josepderiu.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# npm-minimum-age-validation\n\n[![npm version](https://img.shields.io/npm/v/@josepderiu/npm-minimum-age-validation.svg?style=flat-square)](https://www.npmjs.com/package/@josepderiu/npm-minimum-age-validation)\n[![npm downloads](https://img.shields.io/npm/dm/@josepderiu/npm-minimum-age-validation.svg?style=flat-square)](https://www.npmjs.com/package/@josepderiu/npm-minimum-age-validation)\n[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/josepderiu/npm-minimum-age-validation/ci.yml?branch=main\u0026style=flat-square\u0026label=CI)](https://github.com/josepderiu/npm-minimum-age-validation/actions/workflows/ci.yml)\n[![codecov](https://img.shields.io/codecov/c/github/josepderiu/npm-minimum-age-validation?style=flat-square)](https://codecov.io/gh/josepderiu/npm-minimum-age-validation)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)\n[![Node.js Version](https://img.shields.io/badge/node-%3E%3D20.0.0-brightgreen?style=flat-square)](https://nodejs.org)\n\nValidate npm package age to protect your supply chain from very-new or unvetted packages.\n\nLightweight, fast, and configurable validator that can be used as a CLI (git/hooks / CI) or programmatically in Node.js projects.\n\n\u003e [!NOTE]\n\u003e This repository provides a library and CLI to enforce a minimum age (hours) for npm packages. It's intended for build/CI and pre-commit hooks to raise an early warning when recently published packages appear in your dependency set.\n\n## Key features\n\n- Detect changed/added packages from git diffs or lockfiles\n- Query npm registry with caching and concurrency controls\n- Configurable minimum age requirement (default: 24h)\n- Trusted package patterns (supports wildcards like `@org/*`)\n- Programmatic API and standalone CLI (`validate-packages`)\n- Fast, async logging with Pino\n\n## Requirements\n\n- **Node.js**: \u003e=20.0.0\n- **npm**: \u003e=9.0.0\n\nThis package requires Node.js 20 or higher to run. If you need support for older Node.js versions, please open an issue.\n\n## Install\n\nInstall from npm (scoped package):\n\n```bash\nnpm install @josepderiu/npm-minimum-age-validation --save-dev\n```\n\nYou can also use the CLI without installing by running it with npx:\n\n```bash\nnpx validate-packages validate\n```\n\n## Quick CLI usage\n\nThe package installs a bin named `validate-packages`.\n\n- Validate with defaults (24h minimum age):\n\n```bash\nnpx validate-packages validate\n```\n\n- Validate with custom minimum age (48 hours):\n\n```bash\nnpx validate-packages validate --min-age 48\n```\n\n- Generate a default configuration file:\n\n```bash\nnpx validate-packages config --output .npm-minimum-age-validation.json\n```\n\nCLI options (summary):\n\n- `-c, --config \u003cfile\u003e` — load configuration from file\n- `-a, --min-age \u003chours\u003e` — minimum package age in hours\n- `-t, --trusted \u003cpackages\u003e` — comma-separated trusted package patterns\n- `-f, --format \u003cformat\u003e` — output format (`console` | `json`)\n- `--no-cache` — disable registry response caching\n- `--dry-run` — run validation without blocking (useful for CI)\n- `--registry \u003curl\u003e` — override npm registry URL\n\n## Programmatic API\n\nUse the library inside your Node.js scripts or CI helpers.\n\n```ts\nimport { validatePackages, createDefaultConfig } from '@josepderiu/npm-minimum-age-validation';\n\nconst config = createDefaultConfig();\nconfig.minimumAgeHours = 48; // 48h minimum age\nconfig.trustedPackages = ['@my-org/*', '@types/*'];\n\nconst result = await validatePackages(config);\nif (!result.success) {\n  console.error(`${result.violations.length} packages too new`);\n  process.exit(1);\n}\n```\n\n## Configuration\n\nYou can generate a default configuration with the `config` CLI command or programmatically via `createDefaultConfig()`.\n\nCommon configuration options (high level):\n\n- `minimumAgeHours` (number) – minimum allowed age in hours for packages (defaults to 24)\n- `trustedPackages` (string[]) – package name patterns that are exempt from the age check\n- `registry` – registry configuration (url, concurrency, cacheEnabled)\n- `output` – output settings (format: `console`|`json`, verbose, logLevel)\n\n\u003e [!TIP]\n\u003e Use `--dry-run` in CI to surface warnings without failing a pipeline while you tune rules.\n\n## Output\n\nSupported formats: `console` (default) and `json`.\n\n- Console: human readable messages and per-violation lines when failures occur\n- JSON: machine-consumable object including summary and `violations[]` for easier automation\n\n## Development\n\nScripts are available via `package.json`:\n\n- `npm run build` — compile TypeScript to `dist/`\n- `npm test` — run unit tests with Jest\n- `npm run lint` — run ESLint\n- `npm run format` — run Prettier\n\nExample:\n\n```bash\n# install deps\nnpm ci\n\n# build and test\nnpm run build\nnpm test\n```\n\n## Contributing \u0026 Support\n\nContributions and bug reports are welcome. Please open issues or PRs on the repository.\n\n\u003e [!WARNING]\n\u003e This tool performs network requests to the npm registry. When used in CI, consider enabling or providing a registry cache and limiting concurrency to avoid throttling.\n\n## Security\n\nThis project is focused on supply-chain safety. It favors pinned dependencies and recommends running the `security:check-versions` npm script in CI to ensure devDependencies and dependencies are pinned.\n\n## Author\n\nJosep de Riu (\u003cjderiu@gmail.com\u003e)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjosepderiu%2Fnpm-minimum-age-validation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjosepderiu%2Fnpm-minimum-age-validation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjosepderiu%2Fnpm-minimum-age-validation/lists"}