Vibe Coding
Tip: Package Manager Cooldown Settings — Block Fresh Releases to Catch Supply Chain Attacks
After the LiteLLM and Trivy compromises, package manager cooldown features are now production-ready across the ecosystem: pnpm minimumReleaseAge (v10.16), Yarn npmMinimalAgeGate (v4.10), npm min-release-age (v11.10), and Bun's equivalent. A conservative 60-day setting would have blocked both the September 2025 Shai-Hulud attack (removed in 2.5 hours) and the LiteLLM backdoor (3 hours). Set this in your lockfile config today.
↳ Follow the thread