
Only install packages that are at least X weeks old

Çağlar Arlı


I would like to restrict the installation of npm packages in some projects of my company to releases that are at least X weeks old.

The reason for that being that, given enough time before installing a package version, it is likely that if the package maintainer was compromised and the release contains malicious code (in the package itself or in a postinstall script), it will have been caught and removed from the public npm registry.

I could easily ask our developers to manually install versions that are at least X weeks old; however, they are likely to install transitive dependencies that are not locked to a specific version, which can result in the installation of a transitive dependency that is only a few hours old.

Is there a way to force npm to only install packages that are at least X weeks old, including transitive dependencies?
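One way to enforce the minimum-age rule over every resolved version, transitive ones included, without relying on any npm feature: run a gate before `npm ci` that reads `package-lock.json` and compares each resolved version against the publish timestamps the public registry returns in a packument's `time` map. The script below is an added example written for this page, not code from the original question or from npm; the lockfile, the package names and the packuments in it are constructed sample data so that it runs offline, and `fetchPackument` is the hypothetical piece you would wire in to replace that sample data with live registry metadata.

```javascript
// Added example (not from the original question): reject any version in
// package-lock.json that the npm registry says was published less than a
// minimum number of days ago. The registry's packument
// (GET https://registry.npmjs.org/<name>) carries a "time" map of
// version -> publish timestamp; everything below is constructed sample data.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample lockfile (lockfileVersion 3 layout). "tiny-helper" is a
// transitive dependency that got resolved to a release only hours old.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-pad-ish": "^1.3.0" } },
    "node_modules/left-pad-ish": {
      version: "1.3.0",
      dependencies: { "tiny-helper": "^2.0.0" },
    },
    "node_modules/left-pad-ish/node_modules/tiny-helper": { version: "2.1.0" },
  },
};

// Constructed packuments, trimmed to the "time" map that the check needs.
const samplePackuments = {
  "left-pad-ish": {
    time: {
      created: "2023-01-05T10:00:00.000Z",
      "1.2.0": "2023-11-20T09:30:00.000Z",
      "1.3.0": "2024-03-01T12:00:00.000Z",
    },
  },
  "tiny-helper": {
    time: {
      "2.0.0": "2024-01-10T08:00:00.000Z",
      "2.1.0": "2024-05-31T20:00:00.000Z",
    },
  },
};

// Lockfile keys are install paths; the package name is whatever follows the
// last "node_modules/", which keeps scoped names such as "@scope/pkg" intact.
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Every installed (name, version) pair in the lockfile, transitive ones
// included. The root entry and workspace links carry no version and are skipped.
function collectResolved(lock) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (!entry.version || entry.link) continue;
    const name = packageNameFromLockPath(lockPath);
    if (name) out.push({ name, version: entry.version, lockPath });
  }
  return out;
}

// Compare each resolved version's publish time with "now". A version with no
// timestamp at all is reported as a violation rather than silently passed.
function checkMinimumAge(lock, packuments, minDays, now = new Date()) {
  const violations = [];
  for (const { name, version, lockPath } of collectResolved(lock)) {
    const published = packuments[name]?.time?.[version];
    if (!published) {
      violations.push({ name, version, lockPath, ageDays: null,
        reason: "no publish timestamp in registry metadata" });
      continue;
    }
    const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
    if (ageDays < minDays) {
      violations.push({ name, version, lockPath, ageDays,
        reason: `published ${ageDays.toFixed(2)} days ago, minimum is ${minDays}` });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Hypothetical live-data hook (assumption: Node 18+ with global fetch): the
// registry expects the slash in a scoped name to be percent-encoded.
async function fetchPackument(name) {
  const res = await fetch(`https://registry.npmjs.org/${name.replace("/", "%2F")}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

// Sample run: a two-week minimum, evaluated at a fixed "now" for reproducibility.
const sampleResult = checkMinimumAge(
  sampleLock, samplePackuments, 14, new Date("2024-06-01T00:00:00.000Z"));
for (const v of sampleResult.violations) {
  console.log(`REJECT ${v.name}@${v.version} (${v.lockPath}): ${v.reason}`);
}
```

In CI the gate would fetch one packument per distinct package name in the lockfile, fail the job when `ok` is false, and only then run `npm ci`. Two caveats worth keeping in mind: the timestamps are assigned by the registry at publish time, so the check holds even if the lockfile itself is stale; and a version that is later unpublished disappears from the registry, so a lockfile pinned to it fails `npm ci` anyway, which is the outcome the question is after.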