Several recent supply-chain incidents have hit widely used npm packages. The TanStack compromise, for example, affected 42 packages and 84 published versions in May 2026. A few weeks earlier, the Axios compromise published malicious [email protected] and [email protected] releases.
Many malicious releases are detected and removed within hours. Delaying dependency resolution gives the ecosystem time to catch bad versions before your project installs them. It is not a complete defense, but it is a small setting with a good payoff.
npm 11.10+, Yarn 4.10+, and pnpm 10.16+ support release-age gates. pnpm 11 also sets a 24-hour cooldown by default.
npm
npm calls the setting min-release-age, and the value is in days:
npm config set min-release-age=1 --location=project
This writes min-release-age=1 to the project's .npmrc. You can also use --location=user or --location=global to write to your user or global npm configuration.
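To make concrete what a release-age gate does at resolution time, here is a small model of the check, added as an example for this post rather than code from npm, Yarn or pnpm. It assumes the shape of the per-package publish-time map that `npm view <pkg> time --json` returns (version → ISO timestamp, plus `created`/`modified` keys); the `SAMPLE_TIME_MAP` below is constructed for illustration and is not real Axios data, and the function names are mine.

```javascript
// Added example (not from the original post): a minimal model of an npm-style
// min-release-age gate. A version is installable only if it was published at
// least N days before "now"; everything newer is skipped even if it is the
// latest release, which is what buys the ecosystem time to pull a bad version.

// CONSTRUCTED sample in the shape of `npm view <pkg> time --json`.
const SAMPLE_TIME_MAP = {
  created: "2024-01-10T12:00:00.000Z",
  modified: "2026-04-20T09:30:00.000Z",
  "1.7.9": "2024-12-01T10:00:00.000Z",
  "1.8.0": "2026-04-19T20:00:00.000Z", // published 16 hours before NOW below
  "1.8.1": "2026-04-20T09:30:00.000Z", // published a few hours before NOW
  "2.0.0-beta.1": "2026-03-01T00:00:00.000Z",
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse "major.minor.patch[-prerelease]"; returns null for non-version keys
// such as "created" and "modified".
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric compare on major/minor/patch; a prerelease sorts before its release.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Versions published at least `minReleaseAgeDays` before `now`, sorted ascending.
// Mirrors npm's min-release-age, whose value is in days.
function eligibleVersions(timeMap, minReleaseAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minReleaseAgeDays * MS_PER_DAY;
  return Object.entries(timeMap)
    .filter(([key]) => parseSemver(key) !== null) // drop created/modified
    .filter(([, publishedAt]) => Date.parse(publishedAt) <= cutoff)
    .map(([key]) => key)
    .sort(compareSemver);
}

// Newest eligible stable version, or null if nothing is old enough yet.
// Prereleases are excluded, as a caret range would exclude them.
function resolveLatest(timeMap, minReleaseAgeDays, now = new Date()) {
  const stable = eligibleVersions(timeMap, minReleaseAgeDays, now).filter(
    (v) => parseSemver(v).pre === null
  );
  return stable.length ? stable[stable.length - 1] : null;
}

// Demo: with a one-day gate, both releases from the last 24 hours are skipped.
const NOW = new Date("2026-04-20T12:00:00.000Z");
console.log("min-release-age=1 ->", resolveLatest(SAMPLE_TIME_MAP, 1, NOW)); // 1.7.9
console.log("min-release-age=0 ->", resolveLatest(SAMPLE_TIME_MAP, 0, NOW)); // 1.8.1
```

The same logic applies whatever the package manager calls the knob; only the unit (days for npm) and the default differ. Note that the gate only delays exposure: if a malicious version survives in the registry longer than the cooldown, it will be resolved like any other, so pin and audit as you would otherwise.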
Yarn (Berry 4.10+)
Yarn calls the setting n