andix 5 days ago

Are there any package managers that have something like a min-age setting, to ignore all packages that were published less than 24 or 36 hours ago?

I’ve run into similar issues before, some package update that broke everything, only to get pulled/patched a few hours later.

ZeWaka 5 days ago | parent | next [-]

GitHub dependabot just got this very recently: https://github.blog/changelog/2025-07-01-dependabot-supports...

VPenkov 5 days ago | parent | prev | next [-]

Not a package manager, but Renovate bot has a setting like that (minimumReleaseAge). Dependabot does not (Edit: does now).

So while your package manager will install whatever is newest, there are free solutions to keep your dependencies up to date in a reasonable manner.

Also, the JavaScript ecosystem seems to slowly be going in the direction of consolidation, and supply chain attacks are (again, slowly) getting tools to address them.

Additionally, current versions of all major package managers (NPM, PNPM, Bun, I don't know about Yarn) don't automatically run postinstall scripts - although you are likely to run them anyway because they will be suggested to you - and ultimately you're running someone else's code, postinstall scripts or not.

ZeWaka 5 days ago | parent [-]

Dependabot got it last month, actually. https://github.blog/changelog/2025-07-01-dependabot-supports...

VPenkov 5 days ago | parent [-]

Oh, happy days!

ebb_earl_co 5 days ago | parent | prev | next [-]

Not for an operating system, but Astral’s `uv` tool has this for Python packages.

bapak 5 days ago | parent | prev | next [-]

npm install actually has a flag to install dependencies as they appeared on a specific point in time. This flag is applied to the entire tree.

What this means is that you can run "npm install --before (date for 2 days ago)" and it will skip any dependencies newer than that.

jefozabuss 5 days ago | parent | prev [-]

I just use .npmrc with save-exact=true + lockfile + manual updates, you can't be too careful and you don't need to update packages that often tbh.

Especially after the fakerjs (and other) things.

andix 5 days ago | parent [-]

But you're still updating at some point. Usually to the latest version. If you're unlucky, you are the first victim, a few seconds after the package was published. (Edit: on a popular package there will always be a first victim somewhere in the first few minutes)

Many of those supply chain attacks are detected within the first few hours. I guess nowadays there are even some companies out there that run automated analysis on every new version of major packages. Also, contributors/maintainers might notice something like that quickly if they didn't plan that release and it suddenly appears.