PMG dependency cooldown: wait on fresh npm versions

PMG (Package Manager Guard) wraps npm, pnpm, pip, and other package managers so installs are checked against SafeDep threat intelligence and run in OS sandboxes before arbitrary install scripts touch your machine. For background, see Introducing Package Manager Guard (PMG).

Dependency cooldown is a separate control: it trims registry metadata so version resolution normally ignores releases that are too new. That reduces the window where a compromised or rushed publish is the only version a semver range can pick.

How cooldown works

When cooldown is on, PMG filters npm package metadata and drops versions published inside the configured window (for example, the last 5 days). If the range still matches an older release, the resolver uses it. If nothing outside the window satisfies the range, the install fails until you widen the range, wait, or bypass cooldown (see below).

Cooldown applies to metadata-driven resolution. It does not apply to flows that already use a fixed tarball URL (direct tarball installs, some lockfile or cache cases). See the upstream dependency cooldown notes for details.

Requirement: cooldown needs proxy mode enabled. It is npm-only in the current release.

Install and shell setup

1
brew install safedep/tap/pmg

or:

1
npm install -g @safedep/pmg

Wire the shell once (restart the terminal after):

1
pmg setup install

Re-run pmg setup install after upgrades so new options land in your environment.

Enable dependency cooldown

Configuration lives in config.yml (create it via pmg setup install if needed). Example:

1
dependency_cooldown:
2
  enabled: true
3
  days: 5

Adjust days to your risk tolerance: longer windows mean more installs fall back to older versions; shorter windows allow newer releases sooner.

One-off install without changing the file:

1
pmg --skip-dependency-cooldown npm install express

Docs and source

• PMG quickstart
• dependency-cooldown.md
• Repository