Hasty Briefs

Show HN: TimeLock NPM Registry

12 hours ago
  • #npm
  • #security
  • #supply-chain
  • TimeLock NPM Registry is an alternative npm package registry focused on supply chain security.
  • Introduces a time lock before new package versions become available for installation.
  • Reduces the risk of installing malicious packages by allowing time for community and security tools to detect issues.
  • Lets developers wait 24 hours or more before updating to new package versions.
  • Increases trust in dependencies and builds by delaying package availability.
  • Package authors publish new versions, which are placed in a pending state for a set duration (e.g., 24 hours).
  • After the timer expires, the package becomes available for installation.
  • Configure your package manager to use TimeLock NPM Registry by setting its registry URL.
  • URL format: https://timelock-npm-registry.dev/lock/<minutes>/, where <minutes> is the lock duration.
  • Example for a 24-hour lock: https://timelock-npm-registry.dev/lock/1440/.
  • For npm and pnpm, configure it per project in .npmrc or globally.
  • For bun, configure it in bunfig.toml.
  • Revert to the default npm registry by resetting the registry URL.
  • Target users: developers minimizing supply chain risks, companies prioritizing secure dependencies, open-source projects valuing stability.
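As an added example (not TimeLock's own code), the JavaScript below models the filter such a registry applies to a package's metadata document ("packument"): versions younger than the lock window are hidden, tags pointing at hidden versions are dropped, and `latest` is re-pointed to the newest stable version that has cleared the lock. The packument, its timestamps and the clock value are constructed sample data.

```javascript
// Added example (not TimeLock's own code): model the filter a time-lock
// registry applies to an npm packument. Versions published less than
// `lockMinutes` ago are hidden; dist-tags pointing at hidden versions are
// dropped, and `latest` falls back to the newest stable version that cleared the lock.
function applyTimeLock(packument, lockMinutes, now = new Date()) {
  const cutoff = now.getTime() - lockMinutes * 60 * 1000;
  const versions = {};
  for (const [version, meta] of Object.entries(packument.versions)) {
    const publishedAt = Date.parse(packument.time[version]);
    // No parsable publish time means the version cannot prove it cleared the lock: hide it.
    if (!Number.isNaN(publishedAt) && publishedAt <= cutoff) {
      versions[version] = meta;
    }
  }
  const distTags = {};
  for (const [tag, target] of Object.entries(packument["dist-tags"] || {})) {
    if (versions[target]) distTags[tag] = target;
  }
  if (!distTags.latest) {
    // Package managers expect a `latest` tag; use the newest unlocked stable release.
    const stable = Object.keys(versions).filter((v) => !v.includes("-")).sort(compareSemver);
    if (stable.length) distTags.latest = stable[stable.length - 1];
  }
  return { ...packument, versions, "dist-tags": distTags };
}

// Numeric major.minor.patch comparison (sufficient for the stable versions above).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Constructed sample metadata: 1.2.0 and a beta were published hours before "now".
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "1.2.0", next: "2.0.0-beta.1" },
  versions: { "1.0.0": {}, "1.1.0": {}, "1.2.0": {}, "2.0.0-beta.1": {} },
  time: {
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-02-01T00:00:00.000Z",
    "1.2.0": "2024-03-10T09:00:00.000Z",
    "2.0.0-beta.1": "2024-03-10T12:00:00.000Z",
  },
};
```

With a 1440-minute lock and a clock of 2024-03-11T00:00:00Z, only 1.0.0 and 1.1.0 remain visible and `latest` is re-pointed to 1.1.0; with a lock of 0 the view is unchanged.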