NPM.Security.Age (NPM v0.7.0)


Heuristics for recently created packages and freshly published versions.

Very new packages and versions are not automatically malicious, but a brand-new package or a freshly cut release is a common precondition for typosquatting, dependency-confusion and account-takeover attacks, so recent publication is a useful supply-chain risk signal. The default policy only warns, it never blocks: packages created in the last 7 days and versions published in the last 3 days are flagged, but only when the registry metadata includes the corresponding timestamps. When those timestamps are missing no warning is produced, so an empty result should not be read as an all-clear.
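The following is an added example, not the code of NPM.Security.Age, that computes the same two warnings from the `time` map of an npm registry packument (the registry publishes `created`, `modified` and one ISO 8601 timestamp per version under that key). The module name `AgeExample`, its three-argument `warnings/3`, the `< threshold` comparison and the message wording are assumptions made here; the warning maps it returns follow the `warning()` type documented on this page.

```elixir
# Added example; not the implementation shipped in NPM.Security.Age.
defmodule AgeExample do
  @new_package_days 7
  @new_version_days 3

  @doc """
  Returns a list of maps shaped like NPM.Security.Age.warning/0, given the
  packument's "time" map, the version being considered and the current time.
  A missing or unparseable timestamp yields no warning rather than an error,
  so callers must not treat an empty list as proof that the package is old.
  """
  def warnings(time, version, now \\ DateTime.utc_now()) when is_map(time) do
    [
      age_warning(:new_package, time["created"], @new_package_days, now),
      age_warning(:new_version, time[version], @new_version_days, now)
    ]
    |> Enum.reject(&is_nil/1)
  end

  defp age_warning(type, iso, threshold, now) do
    with true <- is_binary(iso),
         {:ok, published, _utc_offset} <- DateTime.from_iso8601(iso),
         age when age < threshold <- age_days(published, now) do
      %{type: type, age_days: age, threshold_days: threshold}
    else
      _ -> nil
    end
  end

  # Whole days elapsed. A timestamp in the future (registry clock skew or a
  # forged packument) is clamped to 0 so it still counts as "just published".
  defp age_days(published, now) do
    max(div(DateTime.diff(now, published, :second), 86_400), 0)
  end

  def format(name, version, %{type: :new_package, age_days: d, threshold_days: t}),
    do: "#{name}@#{version}: package created #{d} day(s) ago (< #{t} days)"

  def format(name, version, %{type: :new_version, age_days: d, threshold_days: t}),
    do: "#{name}@#{version}: version published #{d} day(s) ago (< #{t} days)"
end

# Constructed sample packument "time" map; not data from the real registry.
time = %{
  "created" => "2024-05-01T10:00:00.000Z",
  "modified" => "2024-05-05T09:30:00.000Z",
  "1.0.0" => "2024-05-01T10:00:00.000Z",
  "1.0.1" => "2024-05-05T09:30:00.000Z"
}

now = ~U[2024-05-06 12:00:00Z]

# Package is 5 days old and 1.0.1 is 1 day old, so both warnings fire.
AgeExample.warnings(time, "1.0.1", now)
|> Enum.map(&AgeExample.format("left-pad", "1.0.1", &1))
|> Enum.each(&IO.puts/1)

# Same package, older version: only the :new_package warning remains, and a
# version absent from the "time" map produces no :new_version warning at all.
AgeExample.warnings(time, "1.0.0", now)
AgeExample.warnings(time, "9.9.9", now)
```

The timestamps come from the registry, so the check is only as trustworthy as the registry response; a mirror or a compromised registry can report any `created` date it likes. Treat the warning as a prompt to inspect the package, not as a verdict.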

Summary

Functions

format(name, version, map)
  Format an age warning for display.

warnings(info)
  Return age warnings for package/version metadata.

Types

warning()

@type warning() :: %{
  type: :new_package | :new_version,
  age_days: non_neg_integer(),
  threshold_days: non_neg_integer()
}

Functions

format(name, version, map)

@spec format(String.t(), String.t(), warning()) :: String.t()

Format an age warning for display.

warnings(info)

@spec warnings(map()) :: [warning()]

Return age warnings for package/version metadata.