Dependency cooldown (minimum release age)

A dependency cooldown, also called a minimum release age, tells your package manager to ignore brand-new package versions until they have been public for a set number of days. It is one of the most effective defenses against fast-moving npm supply chain attacks.

What is a dependency cooldown?

When an attacker compromises a maintainer account and publishes a poisoned version of a popular package, that version is usually live for only a few hours before the community, registry, or automated scanners catch it and pull it. A cooldown turns that short detection window into your defense: if your package manager refuses to install any version younger than, say, 7 days, the malicious release is removed long before your build would ever resolve it.

The setting goes by different names depending on the tool: min-release-age (npm), minimumReleaseAge (pnpm), and npmMinimalAgeGate (Yarn). The idea is the same: delay new versions, install only what has had time to be vetted.
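To make the mechanism concrete, here is an added example (not DepsGuard's or any package manager's own code) that models how an age gate filters candidate versions: it takes a version-to-publish-time map shaped like npm's `time` metadata (the versions and dates are constructed), a fixed clock, and a hypothetical per-package exception set, and returns the newest version old enough to install.

```python
"""Model of how a release-age cooldown filters candidate versions.

Added example, not DepsGuard's own code. The publish-time map mirrors the
shape of `npm view <pkg> time --json`, but versions and dates are constructed;
the exceptions set models a narrow per-package override for an urgent patch.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> publish time (ISO 8601, UTC), like npm's "time" field.
SAMPLE_TIMES = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-03-10T12:00:00.000Z",
    "1.4.0": "2024-01-20T08:00:00.000Z",
    "1.4.1": "2024-02-15T09:30:00.000Z",
    "1.5.0": "2024-03-09T11:00:00.000Z",  # published yesterday relative to NOW
    "1.5.1": "2024-03-10T12:00:00.000Z",  # published today relative to NOW
}
NOW = datetime(2024, 3, 10, 18, 0, tzinfo=timezone.utc)  # fixed clock for a repeatable run


def parse_version(v):
    """Split a plain 'X.Y.Z' version into an integer tuple for ordering."""
    return tuple(int(p) for p in v.split("."))


def resolve_with_cooldown(times, min_release_age_days, now=NOW, exceptions=()):
    """Return the newest version that has been public for at least the cooldown.

    Versions younger than `min_release_age_days` are skipped unless listed in
    `exceptions` (hypothetical per-package override). Returns None when no
    version satisfies the cooldown.
    """
    cutoff = now - timedelta(days=min_release_age_days)
    candidates = []
    for version, published in times.items():
        if version in ("created", "modified"):
            continue  # registry metadata keys, not versions
        published_at = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if published_at <= cutoff or version in exceptions:
            candidates.append(version)
    return max(candidates, key=parse_version) if candidates else None


if __name__ == "__main__":
    print(resolve_with_cooldown(SAMPLE_TIMES, 0))   # no cooldown: 1.5.1
    print(resolve_with_cooldown(SAMPLE_TIMES, 7))   # 7-day gate: 1.4.1, both 1.5.x too new
    print(resolve_with_cooldown(SAMPLE_TIMES, 7, exceptions={"1.5.1"}))  # override: 1.5.1
```

With a 7-day gate, a version published and yanked within hours is never a candidate, which is the whole point of the setting.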

Turn it on

The exact key, file, and minimum tool version differ per package manager. Here are the settings DepsGuard recommends and can apply for you.

npm

Add to your .npmrc (requires npm ≥ 11.10; the value is in days):

min-release-age=7

pnpm

Since pnpm 11.0, pnpm enables a cooldown by default: minimumReleaseAge defaults to 1440 minutes (24 hours). That is a good baseline, and DepsGuard recommends raising it to 7 days (10080 minutes). The value is in minutes, and where it lives depends on your pnpm version (the setting needs pnpm ≥ 10.16):

  • pnpm 10.16 to 10.x: .npmrc, with minimum-release-age=10080
  • pnpm ≥ 10.16 (per project): pnpm-workspace.yaml, with minimumReleaseAge: 10080
  • pnpm ≥ 11 (global): config.yaml, with minimumReleaseAge: 10080

Heads up: pnpm ≥ 11 ignores .npmrc for these keys, so use pnpm-workspace.yaml (per project) or the global config.yaml with the camelCase key.

Yarn

Yarn Berry exposes the cooldown as npmMinimalAgeGate in .yarnrc.yml. Yarn 4.10+ ships it enabled by default; older 4.x releases let you set it explicitly:

npmMinimalAgeGate: 7d

Python

DepsGuard also scans the Python managers that expose a release-age cooldown as a persistent config setting: uv (exclude-newer), pip (uploaded-prior-to, pip ≥ 26.1), and poetry (solver.min-release-age, poetry ≥ 2.4). Tools like pdm, conda, pixi, pipenv, and hatch do not expose a persistent cooldown setting yet.

Why a cooldown works

Real supply chain incidents have been live for remarkably short windows before being yanked:

  • axios: malicious versions live for roughly 3 hours (March 2026).
  • TanStack Router/Start: detected within minutes, deprecated within ~1.5 hours (May 2026).
  • ua-parser-js: compromised for about 4 hours (October 2021).

A 7-day cooldown skips all of these. The asymmetry favors you: an attacker cannot easily keep a malicious version live for days without sharply raising the odds of detection.

Let DepsGuard set it up

DepsGuard detects which package managers you have installed, checks whether a cooldown is configured (and whether your tool version supports it), and applies the right setting in the right file, with a diff preview and a backup before any change.

Limitations

A cooldown is not a complete defense. It does not help against a compromise that goes undetected for longer than your quarantine window, against typosquatting, or against attacks that do not involve publishing a new version. Pair it with install-script blocking and the other settings in the hardening guide. If you must pull a fresh security patch that is still inside the cooldown, add a narrow, per-package exception rather than lowering the global delay.