| ▲ | VPenkov 5 days ago | |||||||
Not a package manager, but Renovate bot has a setting like that (minimumReleaseAge). Dependabot does not (Edit: does now). So while your package manager will install whatever is newest, there are free solutions to keep your dependencies up to date in a reasonable manner. Also, the javascript ecosystem seems to slowly be going in the direction of consolidation, and supply chain attacks are (again, slowly) getting tools to get addressed. Additionally, current versions of all major package managers (NPM, PNPM, Bun, I don't know about Yarn) don't automatically run postinstall scripts - although you are likely to run them anyway because they will be suggested to you - and ultimately you're running someone else's code, postinstall scripts or not. | ||||||||
| ▲ | ZeWaka 5 days ago | parent [-] | |||||||
Dependabot got it last month, actually. https://github.blog/changelog/2025-07-01-dependabot-supports... | ||||||||
| ||||||||