PMG dependency cooldown: wait on fresh npm versions
Table of Contents
PMG (Package Manager Guard) wraps npm, pnpm, pip, and other package managers so installs are checked against SafeDep threat intelligence and run in OS sandboxes before arbitrary install scripts touch your machine. For background, see Introducing Package Manager Guard (PMG).
Dependency cooldown is a separate control: it trims registry metadata so version resolution normally ignores releases that are too new. That reduces the window where a compromised or rushed publish is the only version a semver range can pick.
How cooldown works
When cooldown is on, PMG filters npm package metadata and drops versions published inside the configured window (for example, the last 5 days). If the range still matches an older release, the resolver uses it. If nothing outside the window satisfies the range, the install fails until you widen the range, wait, or bypass cooldown (see below).
Cooldown applies to metadata-driven resolution. It does not apply to flows that already use a fixed tarball URL (direct tarball installs, some lockfile or cache cases). See the upstream dependency cooldown notes for details.
Requirement: cooldown needs proxy mode enabled. It is npm-only in the current release.
Install and shell setup
brew install safedep/tap/pmgor:
npm install -g @safedep/pmgWire the shell once (restart the terminal after):
pmg setup installRe-run pmg setup install after upgrades so new options land in your environment.
Enable dependency cooldown
Configuration lives in config.yml (create it via pmg setup install if needed). Example:
dependency_cooldown: enabled: true days: 5Adjust days to your risk tolerance: longer windows mean more installs fall back to older versions; shorter windows allow newer releases sooner.
One-off install without changing the file:
pmg --skip-dependency-cooldown npm install expressDocs and source
- pmg
- npm
- supply-chain
- security
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
@marketfront: 25 npm Packages Reuse a Known Lure
On July 1, 2026, npm user marketfront batch-published 25 packages carrying the same README lure SafeDep has tracked across four earlier accounts (mr.4nd3r50n, pik-libs, t-in-one, emcd-vue): "Internal...
Miasma Worm Infects Multiple LeoPlatform npm Packages
A Miasma worm variant compromised a single maintainer account and used it to publish infected versions of 20 LeoPlatform npm packages within a 3-second window. The worm also pushed weaponized GitHub...
The Polymarket Trap: A Fake Arbitrage Bot, Ten npm Accounts, and Four Ways to Deliver an Infostealer
A GitHub repository posing as a Polymarket arbitrage bot accumulated 53 forks before anyone flagged the malicious npm package buried in its dependencies. Behind that repo: ten coordinated npm...
The wshu.net npm Campaign Delivers a Multi-Stage Infostealer
One actor seeded 15 npm packages across 13 throwaway scopes in a single morning, each shipping a ~270KB obfuscated downloader behind a postinstall hook. The downloader pulls a Rust infostealer from...
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.