Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
uyzstvqs 3 hours ago

We need cooldowns everywhere, by default. Development package managers, OS package managers, browser extensions. Even auto-updates in standalone apps should implement it. Give companies like Socket time to detect malicious updates. They're good at it, but it's pointless if everyone keeps downloading packages just minutes after they're published.

srigi 3 hours ago | parent | next [-]

That is why we have discussions like these: https://x.com/i/status/2039099810943304073

tadfisher 2 hours ago | parent [-]

X is the worst place to hold community discussions.

eranation 3 hours ago | parent | prev | next [-]

Exactly this. For anyone who wants to do it for various package managers:

  ~/.npmrc: 
  min-release-age=7 (npm 11.10+)

  ~/Library/Preferences/pnpm/rc: 
  minimum-release-age=10080 (minutes)

  ~/.bunfig.toml 
  [install]: 
  minimumReleaseAge = 604800 (seconds)
This would have protected the 334 people who downloaded @bitwarden/cli 2026.4.0 ~19h ago (according to https://www.npmjs.com/package/@bitwarden/cli?activeTab=versi...). Same for axios last month (removed in ~3h). Doesn't help with event-stream-style long-dormant attacks but those are rarer.

(plug: released a small CLI to auto-configure these — https://depsguard.com — I tried to find something that will help non developers quickly apply recommended settings, and couldn't find one)

m4r71n 3 hours ago | parent [-]

https://cooldowns.dev/#javascript-ecosystem ;-)

eranation 2 hours ago | parent [-]

Love it, I'll link to it!

tomjen3 2 hours ago | parent | prev [-]

I am not sure that works - imagine that the next shellshock had been found. Would you want to wait 7 days to update?

We need to either screen everybody or cut of countries like North Korea and Iran from the Internet.

tadfisher 2 hours ago | parent [-]

These vulnerabilities are all caught by scanners and the packages are taken down 2-3 hours after going live. Nothing needs to take 7 days, that's just a recommendation. But maybe all packages should be scanned, which apparently only takes a couple of hours, before going live to users?