Minimum release age for @latest

[arty-name]

When running for example corepack prepare pnpm@latest --activate the corepack will apparently install the latest tag even if it was created just minutes ago. In case the package manager is compromised and a malicious version of it is published, corepack users might get it installed if their timing is unlucky.

Would it make sense for corepack to support something like minReleaseAge to give security researchers time to detect compromised versions?

[MikeMcC399]

It probably would make sense. Have you seen any standard for defining it in package.json?

When I looked at the package managers that Corepack covers, I found different implementations for each one in terms of restricting dependency installation:

• Yarn Modern offers npmMinimalAgeGate since yarn@4.10.0 in Sep 2025

• pnpm offers minimumReleaseAge since pnpm@10.16.0 in Sep 2025

• npm offers min-release-age since npm@11.10.0 in Feb 2026

Supply-chain attacks are on the increase unfortunately!

[arty-name]

Thank you for the prompt response!

Unfortunately I don’t know of any standard here, and even the naming is not aligned.

Since I sometimes run the enable command outside of the context of any project, I’d be happy to see a more global configuration or a default value for this, not connected to any package.json. Arguably, this should be the default.

[MikeMcC399]

corepack prepare pnpm@latest --activate

This command is deprecated. The replacement would be:

corepack install -g pnpm@latest`

Just to mention it here, although it doesn't make any difference to your enhancement suggestion.