
© 2025 – Pkg Stats / Ryan Hefner

ggpm

v1.0.17

Published

Global guardian package manager

Readme

GGPM - Global Guardian Package Manager

GGPM is a security-focused wrapper for JavaScript package managers (npm, yarn, pnpm, bun) that validates package age before installation. It prevents the installation of packages that are too recent, helping protect your projects from potentially unstable or malicious packages.

Installation

Install GGPM globally to use it as a wrapper for your package managers:

npm install -g ggpm

Features

  • Package Age Validation: Validates that packages meet minimum release age requirements before installation
  • Multi-Package Manager Support: Works with npm, yarn, pnpm, and bun
  • Automatic Detection: Intelligently detects which package manager to use based on lock files or available binaries
  • Configurable Thresholds: Set custom minimum release age via .npmrc configuration
  • SOLID Architecture: Built with clean, maintainable, and extensible TypeScript code
  • CLI Compatibility: Drop-in replacement for existing package manager commands

Usage

After global installation, use GGPM commands instead of direct package manager commands:

Basic Commands

# General command (auto-detects package manager)
ggpm install lodash

# Specific package manager wrappers
gnpm install express
gyarn add react
gpnpm install vue
gbun add svelte

Configuration

GGPM uses the standard .npmrc file for configuration. Create or update your .npmrc file in your project root to set the minimum package age (in days):

# Minimum release age in days
minimum-release-age=7

Configuration Options:

  • minimum-release-age: Number of days a package must be published before allowing installation
  • Default value: 7 days (if no .npmrc file is found)

Why 7 days by default?

  • 🐛 Bug Detection: Critical bugs typically surface within 2-5 days
  • 🦠 Security Issues: Malware and typosquatting attacks are usually reported within 1-3 days
  • 🔍 Community Review: One week allows basic community vetting and feedback
  • Development Flow: Short enough to not disrupt normal development workflows
  • 📊 Industry Research: Based on analysis of npm security incidents and disclosure timelines

Example configurations:

# Development/Testing
minimum-release-age=3

# Production (recommended)
minimum-release-age=14

# Conservative production
minimum-release-age=30

# Enterprise/Critical systems
minimum-release-age=90

📝 These are just suggested values — choose what makes sense for your project, team, or risk tolerance.

Note: The .npmrc file should be placed in your project root directory (same level as package.json).

Example Workflow

# This will validate that lodash is at least 7 days old before installing
ggpm install lodash

# If the package is too recent, installation will be blocked
# ❌ lodash@<version> is too recent (3 days). Minimum required: 7 days
# ❌ Installation blocked by packages that are too recent

# If the package meets age requirements, installation proceeds normally
# ✅ lodash meets the minimum age requirement
# ✅ All packages are valid, proceeding with installation...
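The following is an added example, not code from the ggpm project, covering the two pieces the Configuration and Example Workflow sections describe: reading minimum-release-age from an .npmrc file (falling back to the 7-day default) and checking a package's publish date against it. The registry documents are constructed inline in the shape of the npm registry's per-package JSON (a "dist-tags" map and a "time" map of version to ISO publish timestamp), and a fixed clock is used so the result is reproducible. The version numbers and timestamps are invented for the example; the fail-closed handling of a version with no publish timestamp is a design choice of this example, not documented ggpm behaviour.

```javascript
// Added example, not ggpm's own code: parse minimum-release-age from .npmrc
// text and validate package publish dates against it. Registry data below is
// constructed (fictional versions and dates) in the npm registry's JSON shape.

const DEFAULT_MIN_AGE_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Minimal ini-style parser for .npmrc: "key=value" lines, "#"/";" comments
// skipped. A missing or malformed value falls back to the 7-day default.
function readMinimumReleaseAge(npmrcText) {
  const settings = {};
  for (const rawLine of (npmrcText || '').split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  const raw = settings['minimum-release-age'];
  if (raw === undefined) return DEFAULT_MIN_AGE_DAYS;
  const n = Number(raw);
  return Number.isInteger(n) && n >= 0 ? n : DEFAULT_MIN_AGE_DAYS;
}

// Split "name", "name@1.2.3", "name@latest" or "@scope/name@1.0.0" into
// [name, versionOrTag]; no suffix means the "latest" dist-tag.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return [spec, 'latest'];
  return [spec.slice(0, at), spec.slice(at + 1)];
}

// Decide whether one version is old enough. Fails closed: a version with no
// publish timestamp in the registry document is reported as blocked.
function validatePackageAge(doc, versionOrTag, minAgeDays, now) {
  const tags = doc['dist-tags'] || {};
  const version = tags[versionOrTag] || versionOrTag;
  const published = (doc.time || {})[version];
  if (!published) {
    return { ok: false, version, ageDays: null,
      message: `❌ ${doc.name}@${version} has no publish date in the registry, blocking` };
  }
  const ageDays = Math.floor((now - Date.parse(published)) / MS_PER_DAY);
  if (ageDays < minAgeDays) {
    return { ok: false, version, ageDays,
      message: `❌ ${doc.name}@${version} is too recent (${ageDays} days). Minimum required: ${minAgeDays} days` };
  }
  return { ok: true, version, ageDays,
    message: `✅ ${doc.name} meets the minimum age requirement` };
}

// Validate every requested spec; installation proceeds only if none is blocked.
function checkInstall(specs, registry, npmrcText, now) {
  const minAgeDays = readMinimumReleaseAge(npmrcText);
  const results = specs.map((spec) => {
    const [name, versionOrTag] = parseSpec(spec);
    const doc = registry[name];
    if (!doc) {
      return { ok: false, version: null, ageDays: null,
        message: `❌ ${name} not found in registry, blocking` };
    }
    return validatePackageAge(doc, versionOrTag, minAgeDays, now);
  });
  return { minAgeDays, results, proceed: results.every((r) => r.ok) };
}

// Constructed sample data: fictional lodash versions and a fixed "now".
const NOW = Date.parse('2025-01-20T00:00:00Z');
const SAMPLE_REGISTRY = {
  lodash: {
    name: 'lodash',
    'dist-tags': { latest: '9.9.9' },
    time: {
      created: '2012-04-23T16:37:11.912Z',   // non-version keys must be ignored
      modified: '2025-01-17T00:00:00Z',
      '9.9.8': '2024-12-01T00:00:00Z',        // 50 days before NOW
      '9.9.9': '2025-01-17T00:00:00Z',        // 3 days before NOW
    },
  },
};
const SAMPLE_NPMRC = '# Minimum release age in days\nminimum-release-age=7\n';

// Stand-alone run: prints the same messages the README's workflow shows.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const report = checkInstall(['lodash'], SAMPLE_REGISTRY, SAMPLE_NPMRC, NOW);
  report.results.forEach((r) => console.log(r.message));
  console.log(report.proceed
    ? '✅ All packages are valid, proceeding with installation...'
    : '❌ Installation blocked by packages that are too recent');
}
```

Run it with node: the request for lodash resolves the "latest" tag to the 3-day-old version and is blocked, while lodash@9.9.8 (50 days old in the constructed data) passes. A real wrapper would fetch the registry document over HTTP and read .npmrc from the project root; the age check itself does not change.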

Package Manager Detection Priority

  1. Lock File Detection: Checks for pnpm-lock.yaml, yarn.lock, or bun.lockb
  2. Binary Availability: Falls back to checking installed package managers
  3. Default Fallback: Uses npm if no other manager is detected

For the ggpm command specifically, it defaults to pnpm if available, otherwise npm.
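As an added example (not the project's own PackageManagerDetector), the detection order above written as a pure function over two predicates, "does this file exist in the project root" and "is this binary on PATH", so it can be exercised offline with constructed inputs. The explicit wrapper commands (gnpm, gyarn, gpnpm, gbun) skip detection since they name their manager. One behaviour is an assumption of this example rather than documented ggpm behaviour: a lock file whose package manager is not installed is ignored and detection falls through to the next step instead of failing.

```javascript
// Added example, not ggpm's own code: lock file -> available binary -> npm.
// fileExists / binaryAvailable stand in for fs.existsSync and a PATH lookup.

const LOCK_FILE_HINTS = [
  ['pnpm-lock.yaml', 'pnpm'],
  ['yarn.lock', 'yarn'],
  ['bun.lockb', 'bun'],
];

// Wrapper commands name their manager outright; only `ggpm` needs detection.
const WRAPPER_COMMANDS = { gnpm: 'npm', gyarn: 'yarn', gpnpm: 'pnpm', gbun: 'bun' };

function detectPackageManager(command, { fileExists, binaryAvailable }) {
  if (Object.prototype.hasOwnProperty.call(WRAPPER_COMMANDS, command)) {
    return { manager: WRAPPER_COMMANDS[command], reason: `explicit wrapper ${command}` };
  }
  if (command !== 'ggpm') throw new Error(`unknown command: ${command}`);

  // 1. Lock file detection. Assumption (not from the README): a lock file for a
  //    manager that is not installed is skipped rather than aborting.
  for (const [file, manager] of LOCK_FILE_HINTS) {
    if (fileExists(file) && binaryAvailable(manager)) {
      return { manager, reason: `lock file ${file}` };
    }
  }
  // 2. Binary availability: ggpm prefers pnpm when it is installed.
  if (binaryAvailable('pnpm')) {
    return { manager: 'pnpm', reason: 'pnpm binary on PATH' };
  }
  // 3. Default fallback.
  return { manager: 'npm', reason: 'default fallback' };
}

// Build the two predicates from constructed lists of files and binaries.
function fromSets(files, binaries) {
  return {
    fileExists: (f) => files.includes(f),
    binaryAvailable: (b) => binaries.includes(b),
  };
}

// Stand-alone run over a few constructed project layouts.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const cases = [
    ['ggpm', ['yarn.lock', 'package.json'], ['yarn', 'npm']],
    ['ggpm', ['yarn.lock', 'package.json'], ['npm']],
    ['ggpm', ['package.json'], ['pnpm', 'npm']],
    ['ggpm', ['package.json'], ['npm']],
    ['gbun', ['pnpm-lock.yaml'], ['pnpm', 'bun', 'npm']],
  ];
  for (const [cmd, files, bins] of cases) {
    const r = detectPackageManager(cmd, fromSets(files, bins));
    console.log(`${cmd} files=${files} bins=${bins} -> ${r.manager} (${r.reason})`);
  }
}
```

Swapping fromSets for real fs.existsSync and a PATH probe is the only change needed to use this in a wrapper; keeping the decision logic separate from the environment is what makes the priority order easy to unit test.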

Architecture

GGPM is built using SOLID principles with a modular architecture:

  • PackageValidator: Validates package ages against configuration
  • PackageInfoFetcher: Retrieves package metadata from npm registry
  • ConfigurationReader: Reads settings from .npmrc
  • PackageManagerDetector: Detects available package managers
  • CommandMapper: Maps CLI commands to appropriate package managers

Security Benefits

  • Prevents Zero-Day Attacks: Blocks installation of very recent packages that might contain malicious code
  • Reduces Supply Chain Risk: Ensures packages have been available for community review
  • Configurable Security Posture: Adjust minimum age based on your security requirements
  • Transparent Operation: Clear feedback on why packages are blocked or allowed

Contributing

GGPM is built with TypeScript and follows SOLID principles. The codebase is modular and extensible, making it easy to add new features or package manager support.

License

MIT License - see LICENSE file for details.

Support

If you encounter any issues or have questions about GGPM, please reach out:


Made with ❤️ in Colombia 🇨🇴