Show HN: Safe-NPM – only install packages that are +90 days old

https://news.ycombinator.com/rss Hits: 10
Summary

A security-focused npm installer that protects your projects from newly compromised packages.

Why does this exist?

Supply chain attacks on npm packages are a growing threat. Attackers sometimes compromise legitimate packages by:
- Stealing maintainer credentials
- Publishing malicious updates to popular packages
- Taking over abandoned packages

These attacks often happen suddenly: a package that was safe yesterday might be compromised today. safe-npm protects you by only installing package versions that have been publicly available for a minimum amount of time (90 days by default). This gives the security community time to discover and report malicious releases before they reach your project.

How it works

When you run safe-npm install, it:
1. Reads your dependencies from package.json or command-line arguments
2. Queries the npm registry to find all available versions
3. Filters out versions published more recently than your minimum age threshold
4. Selects the newest version that meets both your semver requirements AND age requirements
5. Installs the safe versions using npm

For example, if you specify react@^18 and a malicious react@18.5.0 was published yesterday, safe-npm will install the latest version that's at least 90 days old instead.
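The selection rule described above (newest version that satisfies the semver range AND has been public for at least the minimum number of days), as an added worked example that is not safe-npm's own code. It assumes the package metadata has the shape of the npm registry's `time` field (version string to ISO publish date); the registry data, dates and helper names below are constructed for this example.

```javascript
// Added example: safe-npm's age-gated version selection, applied to a
// registry-style `time` map. Helper names are my own, not safe-npm's API.

// Parse "X.Y.Z" into numbers. Returns null for prereleases (e.g. 18.6.0-rc.1)
// and for non-version keys such as "created" / "modified" in the time map.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Minimal range matcher for "^18", "^4.17.0" or an exact "1.2.3".
// Caret rule as npm applies it: allow changes that do not bump the
// leftmost non-zero component.
function satisfiesRange(version, range) {
  const caret = range.startsWith('^');
  const lower = (caret ? range.slice(1) : range).split('.').map(Number);
  while (lower.length < 3) lower.push(0); // "^18" means "^18.0.0"
  if (!caret) return compareVersions(version, lower) === 0;
  let upper;
  if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
  else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
  else upper = [0, 0, lower[2] + 1];
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// timeMap mirrors the registry's `time` field: { "<version>": "<ISO date>", ... }.
// Returns the newest version inside `range` published at least minAgeDays
// before `now`, or null when nothing qualifies.
function selectSafeVersion(timeMap, range, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * MS_PER_DAY;
  let best = null;
  for (const [key, published] of Object.entries(timeMap)) {
    const v = parseVersion(key);
    if (!v) continue;                             // skip created/modified/prereleases
    if (Date.parse(published) > cutoff) continue; // too new: quarantine window not elapsed
    if (!satisfiesRange(v, range)) continue;      // outside the requested semver range
    if (!best || compareVersions(v, best.parsed) > 0) best = { key, parsed: v };
  }
  return best ? best.key : null;
}

// Constructed registry data (not real react release dates): the newest
// releases are very recent, the "yesterday" one standing in for a
// hypothetical malicious 18.5.0.
const REACT_TIME = {
  created: '2013-05-29T00:00:00.000Z',
  modified: '2025-11-25T00:00:00.000Z',
  '18.2.0': '2025-01-10T00:00:00.000Z',
  '18.3.1': '2025-08-01T00:00:00.000Z',      // 117 days before NOW
  '18.4.0': '2025-10-15T00:00:00.000Z',      // 42 days before NOW
  '18.5.0': '2025-11-25T00:00:00.000Z',      // published "yesterday"
  '18.6.0-rc.1': '2025-11-25T12:00:00.000Z', // prerelease, never selected
  '19.0.0': '2025-03-01T00:00:00.000Z',      // old enough, but outside ^18
};
const NOW = new Date('2025-11-26T00:00:00.000Z');

for (const days of [90, 30, 120]) {
  console.log(`react@^18 with --min-age-days ${days}:`,
    selectSafeVersion(REACT_TIME, '^18', days, NOW));
}
```

With the constructed data, 90 days selects 18.3.1, 30 days lets 18.4.0 through, and 120 days falls back to 18.2.0. The filter depends entirely on the registry's publish timestamps and on a malicious release being noticed and unpublished within the window, so it shortens exposure to freshly published compromises but does not detect them; a lockfile, integrity hashes and provenance checks still belong alongside it.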
Installation

Install from npm (recommended):
    # Install globally
    npm install -g @dendronhq/safe-npm
    # Now you can use it anywhere
    safe-npm install

Build from source:
    # Clone and build
    git clone <repository-url>
    cd safe-npm
    npm install
    npm run build
    # Link the binary globally
    npm link

Basic usage

Install dependencies from package.json:
    # Use the minimum age of 90 days (default)
    safe-npm install
    # Or specify your own minimum age
    safe-npm install --min-age-days 120

Install specific packages:
    # Install packages directly with version constraints
    safe-npm install react@^18 lodash@^4.17.0
    # These will be filtered to only use versions at least 90 days old
    safe-npm install express --min-age-days 60

Dry run to see what would be installed:
    # Preview which versions...

First seen: 2025-11-26 21:32

Last seen: 2025-11-27 06:34