this post was submitted on 12 May 2026

JavaScript

Because there's no guide on how each package manager sets their minimumReleaseAge and every package manager uses a different format... (can we please get a standards committee going for security-related configs like these?)

Note: unless otherwise specified, X is a number ONLY. No date units (don't specify 7d or 1440m. Your config will error.)

And for the love of your favourite deity, remove all carets (^) from your package.json unless you know what you are doing. Always pin to exact versions (there should be no special characters in front of your version number)

  • npm: In .npmrc, min-release-age=X. X is the number of days. Requires npm v11.10.0 or above.

  • pnpm: In pnpm-workspace.yaml, set minimumReleaseAge: X. X is the number of minutes. Requires pnpm v10.16.0 or above. From v11 onwards, the default is 1440 minutes (1 day).

  • Yarn: In .yarnrc.yml, set npmMinimalAgeGate: X. X is a duration (date units supported are ms, s, m, h, d, w, e.g. 7d). If no duration is specified, then it is parsed as minutes (i.e. npmMinimalAgeGate: 1440 is equal to npmMinimalAgeGate: 1440m). Requires Yarn v4.11 or above (Yarn v4.10 also has the option, but only supported minutes as a raw number)

  • Deno: In deno.json, set "minimumDependencyAge": "X". X can be a number in minutes, an ISO-8601 Duration or an RFC3339 absolute timestamp (basically anything that looks like a date; if you are in Freedom Country remember to swap the month and the date). Requires Deno v2.6.0 or above.

  • Bun: In bunfig.toml, set:

      [install]
      minimumReleaseAge = X

    X is the number of seconds. Requires Bun v1.3.0 or above.
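One way to see what these settings actually gate, as an added example that is not part of the post and is not any package manager's own code: the script below normalises each tool's setting (days for npm, minutes for pnpm, seconds for Bun, Yarn's duration strings, Deno's minutes / ISO-8601 duration / RFC3339 timestamp) into a single cutoff date, then resolves the newest version published on or before that cutoff from a constructed copy of the registry's `time` metadata. The ISO-8601 parser is a deliberate subset (days, hours, minutes, seconds), the Yarn unit names come from the list above, and skipping prereleases is an assumption of this example, not something the post states. The last function flags unpinned specifiers in package.json, for the caret advice above.

```javascript
// Added example (not from the post above, not any package manager's own code):
// normalise each tool's minimum-release-age setting into one cutoff date, then
// apply that gate to a registry "time" map. Registry data below is constructed.

const UNIT_MS = { ms: 1, s: 1_000, m: 60_000, h: 3_600_000, d: 86_400_000, w: 604_800_000 };

// npm, pnpm and Bun accept a bare number only; "7d" must be rejected, not coerced to NaN/0.
function numberOnly(manager, v) {
  if (!/^\d+(?:\.\d+)?$/.test(v)) throw new Error(`${manager}: expected a bare number, got "${v}"`);
  return Number(v);
}

// Yarn npmMinimalAgeGate: "7d", "90m", "1500ms"; a bare number is minutes.
function parseYarnDuration(v) {
  const m = /^(\d+(?:\.\d+)?)(ms|s|m|h|d|w)?$/.exec(v);
  if (!m) throw new Error(`yarn: bad duration "${v}"`);
  return Number(m[1]) * (m[2] ? UNIT_MS[m[2]] : UNIT_MS.m);
}

// Subset of ISO-8601 durations (PnDTnHnMnS) for Deno; weeks/months/years left out (assumption).
function parseIsoDuration(v) {
  const m = /^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$/.exec(v);
  if (!m) throw new Error(`deno: bad ISO-8601 duration "${v}"`);
  const [, d = 0, h = 0, min = 0, s = 0] = m;
  return d * UNIT_MS.d + h * UNIT_MS.h + min * UNIT_MS.m + s * UNIT_MS.s;
}

// Latest publish time still allowed: versions published after this are skipped.
function releaseCutoff(manager, value, now = new Date()) {
  const v = String(value).trim();
  let ageMs;
  switch (manager) {
    case "npm":  ageMs = numberOnly("npm", v) * UNIT_MS.d; break;   // .npmrc min-release-age, days
    case "pnpm": ageMs = numberOnly("pnpm", v) * UNIT_MS.m; break;  // pnpm-workspace.yaml, minutes
    case "bun":  ageMs = numberOnly("bun", v) * UNIT_MS.s; break;   // bunfig.toml [install], seconds
    case "yarn": ageMs = parseYarnDuration(v); break;               // .yarnrc.yml npmMinimalAgeGate
    case "deno":                                                    // deno.json minimumDependencyAge
      if (/^\d+$/.test(v)) ageMs = Number(v) * UNIT_MS.m;
      else if (v.startsWith("P")) ageMs = parseIsoDuration(v);
      else {                                                        // RFC3339 timestamp: absolute cutoff
        const t = new Date(v);
        if (Number.isNaN(t.getTime())) throw new Error(`deno: bad timestamp "${v}"`);
        return t;
      }
      break;
    default: throw new Error(`unknown package manager "${manager}"`);
  }
  return new Date(now.getTime() - ageMs);
}

function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest stable version published on or before the cutoff, given the registry
// metadata "time" field ({ "1.2.3": "<ISO date>", created: ..., modified: ... }).
function newestAllowed(timeMap, cutoff) {
  const ok = Object.entries(timeMap)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v))                   // drop created/modified and prereleases
    .filter(([, t]) => new Date(t).getTime() <= cutoff.getTime())
    .map(([v]) => v)
    .sort(compareSemver);
  return ok.length ? ok[ok.length - 1] : null;
}

// Dependencies in a package.json object that are not pinned to one exact version.
function unpinnedDependencies(pkg) {
  const exact = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!exact.test(spec)) out.push(`${field}.${name}=${spec}`);
    }
  }
  return out;
}

// Constructed sample: 1.5.1 was published three hours before "now", which is the
// window a hijacked maintainer account exploits before anyone notices.
const NOW = new Date("2026-05-12T12:00:00Z");
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00Z",
  modified: "2026-05-12T09:00:00Z",
  "1.4.2": "2025-11-03T10:00:00Z",
  "1.5.0": "2026-05-01T08:00:00Z",
  "1.5.1": "2026-05-12T09:00:00Z",
  "2.0.0-beta.1": "2026-05-10T00:00:00Z",
};

for (const [manager, value] of [["npm", "7"], ["pnpm", "1440"], ["yarn", "2w"], ["deno", "P1D"], ["bun", "0"]]) {
  console.log(manager, value, "->", newestAllowed(SAMPLE_TIME, releaseCutoff(manager, value, NOW)));
}
console.log(unpinnedDependencies({ dependencies: { left: "^1.2.3", right: "1.2.3" } }));
```

Run it with node. The thing to notice is that 1.5.1, published three hours before the constructed "now", is only selected by the bun 0 setting; every other configuration resolves to 1.5.0 or 1.4.2, which is the whole point of the gate: a freshly pushed release has to survive the age window before installs start pulling it. Passing "7d" to npm throws, matching the note above that date units are not accepted there.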

top 3 comments
[–] dan@upvote.au 0 points 1 month ago (1 children)

What about if there's a patch for a CVE? Do you need to disable the config, update, then re-enable it, or is it possible to bypass per-project?

[–] tyteen4a03@lemmy.zip 1 points 2 days ago (1 children)

In pnpm you can override this. I don't think you can in npm.

[–] dan@upvote.au 1 points 2 days ago

Thanks for the info.

I noticed that npm finally requires approval to run postinstall scripts: https://github.com/orgs/community/discussions/198547. Just noticed this when I was setting up a dev environment for my wife. Another good feature copied from pnpm :)