age-install

v0.1.1

Published

Delay npm package installations until they reach a minimum age, protecting against supply chain attacks

Downloads

34

Readme

age-install


Because "trust me, it's fine" isn't a security strategy.

Delay npm package installations until they reach a minimum age, protecting against supply chain attacks.


The Problem

Hackers love publishing malicious packages. You know what they love more? When those packages get taken down within an hour. So let's not install anything fresh out of the oven. Age-install waits until packages reach a certain age (in minutes) before letting them in.
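The age gate described above, written out as an added example (not age-install's own code). It assumes the publish time comes from the `time` map in npm registry metadata; `checkReleaseAge`, `newestAgedVersion` and the sample data are hypothetical names constructed here, and the fallback to the newest already-aged version goes slightly beyond what the paragraph describes.

```javascript
// Added example, not age-install's source. SAMPLE_PACKUMENT is constructed;
// real registry metadata carries the same `time` map (version -> publish time).
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2026-05-15T08:15:00.000Z",
    "1.4.0": "2026-03-01T12:00:00.000Z",
    "1.5.0": "2026-05-15T08:15:00.000Z",
  },
};

// Decide whether one version is old enough. Fails closed: a version whose age
// cannot be established is blocked, never waved through.
function checkReleaseAge(packument, version, minimumAgeMinutes, now = new Date()) {
  const time = packument.time || {};
  const known = Object.prototype.hasOwnProperty.call(time, version);
  const published = known ? time[version] : undefined;
  const publishedMs = typeof published === "string" ? Date.parse(published) : NaN;
  if (Number.isNaN(publishedMs)) {
    return { status: "blocked", ageMinutes: null, reason: "no usable publish timestamp" };
  }
  const ageMinutes = Math.floor((now.getTime() - publishedMs) / 60000);
  if (ageMinutes < 0) {
    return { status: "blocked", ageMinutes, reason: "publish time is in the future" };
  }
  if (ageMinutes < minimumAgeMinutes) {
    return { status: "blocked", ageMinutes, reason: "too new" };
  }
  return { status: "safe", ageMinutes, reason: "old enough" };
}

// Hypothetical fallback: the most recently published version that already
// satisfies the minimum age, or null when none does.
function newestAgedVersion(packument, minimumAgeMinutes, now = new Date()) {
  const candidates = Object.keys(packument.time || {})
    .filter((v) => v !== "created" && v !== "modified")
    .filter((v) => checkReleaseAge(packument, v, minimumAgeMinutes, now).status === "safe")
    .sort((a, b) => Date.parse(packument.time[b]) - Date.parse(packument.time[a]));
  return candidates.length > 0 ? candidates[0] : null;
}

const demoNow = new Date("2026-05-15T08:30:00.000Z"); // fixed clock for the demo
console.log(checkReleaseAge(SAMPLE_PACKUMENT, "1.5.0", 1440, demoNow));
console.log(newestAgedVersion(SAMPLE_PACKUMENT, 1440, demoNow));
```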

Installation

npm install -g age-install

Or ride the npx wave:

npx age-install install react

Quick Start

# Install with age check (default: 1440 min minimum)
age-install install react lodash

# Check packages WITHOUT installing (generate report)
age-install check react lodash

# Check ALL dependencies in package.json
age-install check

# Add a package (like npm add, but safer)
age-install add typescript

# Bypass everything (you've been warned)
age-install install react --force

Commands

| Command | What it does |
|---------|-------------|
| install [pkgs] | Install packages with safety checks |
| add <pkgs> | Add packages to package.json with safety checks |
| check [pkgs] | Check packages and generate report (no install) |
| exec -- <cmd> | Run any npm command (passthrough) |
| cache | Manage timestamp cache |

Options

| Flag | What it does | Default |
|------|-------------|---------|
| -m, --minimum-age <min> | Minimum age in minutes before installing | 1440 |
| -e, --exclude <pkg> | Skip age check for these | none |
| -v, --verbose | See what age-install is thinking | false |
| -f, --force | Install without asking | false |
| -r, --report | Save report to JSON file | false |
| --report-file <path> | Custom report file path | age-install-report-YYYY-MM-DD.json |
| -c, --clear | Clear the timestamp cache | false |
| -h, --help | You're reading it | - |
| -V, --version | Spoiler: still v0.1.0 | - |

Configuration

package.json

{
  "ageInstall": {
    "minimumReleaseAge": 60,  // minutes
    "minimumReleaseAgeExclude": ["webpack", "vite"]
  }
}

.npmrc

age-install.minimumReleaseAge=60     # minutes
age-install.minimumReleaseAgeExclude=webpack,vite

Environment

AGE_INSTALL_MIN_AGE=60     # minutes
AGE_INSTALL_EXCLUDE=webpack,vite

Priority: CLI args → Environment → Config file → Defaults

Exclusion Patterns

Not everything needs the waiting room:

{
  "ageInstall": {
    "minimumReleaseAgeExclude": [
      "webpack",           // Exact match - webpack trusts webpack
      "@babel/core",      // Scoped packages work too
      "^eslint",           // Regex - matches eslint, eslint-config-*
      "@types/*"           // Wildcard - all @types/* get a pass
    ]
  }
}

Check Command (Report Mode)

The check command validates packages without installing. Perfect for CI/CD pipelines or auditing.

# Check specific packages
age-install check react lodash express

# Check all deps in package.json
age-install check

# Generate report and save to JSON file
age-install check react lodash --report

# Custom report file path
age-install check --report --report-file ./my-report.json

Example console output:

📋 Checking 3 package(s)...

✅ Safe to install (old enough):
   - react@19.2.6 (207.8 hours old)
   - [email protected] (1043.1 hours old)

⚠️  Too new (would be blocked):
   - express@5.0.0 (15 minutes old, min: 60 min)

⏭️  Excluded (no checks performed):
   - webpack

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Summary: 2 safe, 1 blocked, 1 excluded
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📄 Report saved to: age-install-report-2026-05-15.json

Example JSON report file:

{
  "generated": "2026-05-15T08:30:00.000Z",
  "minimumAge": 60,
  "source": "command-line",
  "summary": {
    "safe": 2,
    "blocked": 1,
    "excluded": 1,
    "total": 4
  },
  "safe": [
    {
      "name": "react",
      "version": "19.2.6",
      "fullSpec": "react@19.2.6",
      "ageMinutes": 12468,
      "timestamp": "2026-05-06T16:16:47.653Z"
    }
  ],
  "blocked": [
    {
      "name": "express",
      "version": "5.0.0",
      "fullSpec": "express@5.0.0",
      "ageMinutes": 15,
      "ageFormatted": "15 minutes",
      "timestamp": "2026-05-15T08:15:00.000Z"
    }
  ],
  "excluded": [
    { "name": "webpack" }
  ]
}
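One way to use the report in a pipeline, as an added example rather than part of age-install: `evaluateReport`, `POLICY` and the sample report are constructed here, and the field names follow the JSON report above. Besides blocked packages, it flags a lowered minimum age, unreviewed exclusions and a reused report, since each of those weakens the delay without showing up as a blocked entry.

```javascript
// Added example, not part of age-install: a CI policy gate over the report
// format shown above. POLICY and SAMPLE_REPORT are constructed for illustration.
const POLICY = {
  minimumAge: 1440,               // minutes: lowest delay the pipeline accepts
  allowedExclusions: ["webpack"], // exclusions that have been reviewed
  maxReportAgeMinutes: 30,        // reject reports reused from an earlier run
};

const SAMPLE_REPORT = {
  generated: "2026-05-15T08:30:00.000Z",
  minimumAge: 60,
  summary: { safe: 1, blocked: 1, excluded: 2, total: 4 },
  safe: [{ name: "react", version: "19.2.6", fullSpec: "react@19.2.6", ageMinutes: 12468 }],
  blocked: [{ name: "express", version: "5.0.0", fullSpec: "express@5.0.0", ageMinutes: 15 }],
  excluded: [{ name: "webpack" }, { name: "example-internal-lib" }],
};

// Returns { pass, findings }. Missing or malformed fields count as findings,
// so a truncated or hand-edited report cannot pass silently.
function evaluateReport(report, policy, now = new Date()) {
  const findings = [];
  const reportAge = (now.getTime() - Date.parse(report.generated)) / 60000;
  if (!(reportAge >= 0 && reportAge <= policy.maxReportAgeMinutes)) {
    findings.push("report is stale, future-dated or has no valid 'generated' time");
  }
  if (!(Number(report.minimumAge) >= policy.minimumAge)) {
    findings.push(`minimumAge ${report.minimumAge} is below the policy floor ${policy.minimumAge}`);
  }
  for (const key of ["safe", "blocked", "excluded"]) {
    if (!Array.isArray(report[key])) findings.push(`missing '${key}' list`);
  }
  for (const pkg of Array.isArray(report.blocked) ? report.blocked : []) {
    findings.push(`too new: ${pkg.fullSpec} (${pkg.ageMinutes} min old)`);
  }
  for (const pkg of Array.isArray(report.excluded) ? report.excluded : []) {
    if (!policy.allowedExclusions.includes(pkg.name)) {
      findings.push(`unapproved exclusion: ${pkg.name}`);
    }
  }
  return { pass: findings.length === 0, findings };
}

const verdict = evaluateReport(SAMPLE_REPORT, POLICY, new Date("2026-05-15T08:35:00.000Z"));
console.log(verdict.pass ? "age gate passed" : verdict.findings.join("\n"));
```

In a pipeline, load the file written by `age-install check --report --report-file <path>` and set `process.exitCode = 1` when `pass` is false.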

Features

  • Scoped packages? Yup. @babel/core, @types/react, all good.
  • Version ranges? Bring it. react@^18, lodash@~4.17, express@^4.
  • Partial versions? We got you. express@^4 resolves to the real thing.
  • Zero dependencies? True story. Pure Node.js.
  • JSON reports? You bet. Perfect for CI/CD artifacts.

Why Not Just Use pnpm?

pnpm v10.16 added this natively. Nice, right? But what if you're already using npm? Or yarn? Age-install has your back across the ecosystem.

About the Author

Built by cinfinit who's tired of the "just installed a malicious package" Slack messages at 3 AM.

This started as a "let's quickly check if any of our deps were published today" script and turned into this. If you find it useful, great. If not, at least you now know what minimumReleaseAge is for in pnpm.

Made with: VS Code, 0 caffeine, and a healthy distrust of packages published in the last hour.