minimumReleaseAge in NPM configuration to reduce likelihood of security issues #934
Description
Hey there, I was talking with @chrisj about the recent axios supply chain hack and was wondering if there was any appetite for introducing the minimumReleaseAge to Neuroglancer's npm settings.
That feature is only available on npm CLI v11, so we'd have to make sure that the Node version for the project supports that. The engine listed in package.json is v22, which only ships with npm v10.
v11 of npm ships with Node v24, but I'm not sure if we can just upgrade and be fine? v24 is the current LTS version, if that helps play a role in the decision.
It is possible to install a specific version of npm so we could potentially stay on Node 22 while using npm v11. I just tried locally and it ran happily, but that does create minor complications for NG developers since they'd have to make sure to install a different version of npm than the one that came with Node v22.
If we do adopt the setting, what's a reasonable time frame to prohibit? I'm thinking a week or two, but a month could be fine as well. And are there any packages that should be granted an exception to the wait time?
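As an added illustration (not code from the Neuroglancer project or from npm itself) of what a minimum-release-age gate actually does: given a registry packument (the JSON at `https://registry.npmjs.org/<name>`, whose `time` map records when each version was published), it resolves to the newest version that has been public for at least N days and skips anything younger, with an allow-list for packages exempted from the wait. The packument, package name and function names below are constructed assumptions.

```javascript
// Constructed packument in the shape the npm registry returns; not real data.
const SAMPLE_PACKUMENT = {
  name: "example-lib", // assumed package name
  "dist-tags": { latest: "1.4.1" },
  time: {
    created: "2024-01-05T10:00:00.000Z",
    modified: "2025-09-08T22:30:00.000Z",
    "1.3.0": "2025-06-01T12:00:00.000Z",
    "1.4.0": "2025-08-20T09:15:00.000Z",
    "1.4.1": "2025-09-08T22:30:00.000Z", // published hours ago: the kind of release a gate holds back
  },
  versions: { "1.3.0": {}, "1.4.0": {}, "1.4.1": {} },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Age of one published version, in fractional days, relative to `now` (ms epoch).
function versionAgeDays(packument, version, now) {
  const published = Date.parse(packument.time[version]);
  return (now - published) / DAY_MS;
}

// Numeric major.minor.patch comparison (enough for the constructed versions above).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Versions published less than `minAgeDays` before `now` are rejected; packages
// named in `exclude` bypass the gate entirely (the "exception" case from the issue).
// Returns the newest acceptable version, or null if every version is too new.
function pickWithMinReleaseAge(packument, { minAgeDays, exclude = [], now = Date.now() }) {
  const candidates = Object.keys(packument.versions);
  const eligible = exclude.includes(packument.name)
    ? candidates
    : candidates.filter((v) => versionAgeDays(packument, v, now) >= minAgeDays);
  if (eligible.length === 0) return null;
  const sorted = eligible.sort(compareSemver);
  return sorted[sorted.length - 1];
}

// Versions the gate would hold back, useful for reporting what a policy would skip.
function heldBackVersions(packument, minAgeDays, now = Date.now()) {
  return Object.keys(packument.versions).filter(
    (v) => versionAgeDays(packument, v, now) < minAgeDays,
  );
}
```

With a 7-day window the constructed 1.4.1 is skipped in favour of 1.4.0; a 30-day window falls back to 1.3.0, which is the trade-off between wait time and staleness the question above is asking about.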