Would it be possible to consider an RFC for adding flags to the npm CLI that specify a date from or until which any dependency or sub-dependency may be installed, so that only versions published within that window are resolved?
e.g. npm i --until 20250908
It could write a warning to stderr when the version resolved under the date bound does not match the major or minor release that would otherwise be installed. This could also be offered as a strict-level flag.
e.g. npm i --until 20250908 --preserve major
The motivation is to enable organizations to respond to supply-chain security incidents faster, and with greater certainty.
e.g.
https://snyk.io/blog/sha1-hulud-npm-supply-chain-incident/
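As an added illustration of the resolution rule the proposal describes (this is example code written for this note, not npm's own implementation): given a registry document with its "time" map of publish timestamps, pick the newest version that satisfies the semver range and was published on or before the cutoff, report whether that choice drifts at the major or minor level from what an unrestricted install would pick, and turn that drift into a hard error when a "preserve" level is set. The packument, package name and dates are constructed sample data, the range parser only handles exact, ^, ~ and >= forms, and the exact warning/strict semantics are an assumption about how the proposed flags would behave.

```javascript
// Added example (not npm's code): date-bounded resolution of one dependency with
// the "warn on major/minor drift" and "--preserve" behaviour the proposal sketches.
// Runs stand-alone under Node; uses neither the semver package nor the network.

// Constructed sample packument shaped like the registry document: a "versions"
// map plus the "time" map of publish timestamps. Name and dates are made up.
const samplePackument = {
  name: "example-lib",
  versions: { "1.4.0": {}, "1.5.0": {}, "2.0.0": {}, "2.1.0": {}, "2.1.1": {}, "3.0.0": {} },
  time: {
    "1.4.0": "2024-11-02T10:00:00.000Z",
    "1.5.0": "2025-03-15T10:00:00.000Z",
    "2.0.0": "2025-06-01T10:00:00.000Z",
    "2.1.0": "2025-08-20T10:00:00.000Z",
    "2.1.1": "2025-09-10T10:00:00.000Z", // after the 20250908 cutoff used below
    "3.0.0": "2025-09-12T10:00:00.000Z",
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Minimal range support (assumption, to stay dependency-free): exact "x.y.z",
// "^x.y.z" (same major), "~x.y.z" (same major.minor) and ">=x.y.z".
function satisfies(version, range) {
  const m = /^(\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || "", base = m[2];
  if (compareVersions(version, base) < 0) return false;
  const v = parseVersion(version), b = parseVersion(base);
  if (op === "^") return v.major === b.major;
  if (op === "~") return v.major === b.major && v.minor === b.minor;
  if (op === ">=") return true;
  return compareVersions(version, base) === 0;
}

// Accepts YYYYMMDD (as written in the proposal) or an ISO-8601 string; a bare
// day is treated as "end of that day, UTC" so same-day publishes are included.
function parseCutoff(s) {
  const m = /^(\d{4})(\d{2})(\d{2})$/.exec(s);
  const d = m
    ? new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], 23, 59, 59, 999))
    : new Date(s);
  if (Number.isNaN(d.getTime())) throw new Error(`bad cutoff date: ${s}`);
  return d;
}

// Newest version satisfying `range` AND published on or before `until`.
// `drift` says whether that choice differs in major or minor from what an
// unrestricted install would pick; `preserve` ("major" | "minor") makes such
// drift a hard error, which is how the proposed strict flag is read here.
function resolveUntil(packument, range, until, preserve = "none") {
  const cutoff = parseCutoff(until);
  const inRange = Object.keys(packument.versions)
    .filter((v) => satisfies(v, range))
    .sort(compareVersions);
  if (inRange.length === 0) throw new Error(`${packument.name}: nothing satisfies ${range}`);
  const unrestricted = inRange[inRange.length - 1];
  const dated = inRange.filter((v) => packument.time[v] && new Date(packument.time[v]) <= cutoff);
  if (dated.length === 0) {
    throw new Error(`${packument.name}: no version in ${range} published on or before ${until}`);
  }
  const chosen = dated[dated.length - 1];
  const c = parseVersion(chosen), u = parseVersion(unrestricted);
  const drift = c.major !== u.major ? "major" : c.minor !== u.minor ? "minor" : null;
  if (preserve === "major" && drift === "major") {
    throw new Error(`${packument.name}: --preserve major would change ${unrestricted} to ${chosen}`);
  }
  if (preserve === "minor" && drift !== null) {
    throw new Error(`${packument.name}: --preserve minor would change ${unrestricted} to ${chosen}`);
  }
  if (drift) {
    console.error(`warning: ${packument.name}@${chosen} selected; ${unrestricted} would be installed without --until (${drift} release differs)`);
  }
  return { version: chosen, unrestricted, drift };
}

console.log(resolveUntil(samplePackument, "^2.0.0", "20250908"));
```

A real implementation would apply this per node of the whole dependency tree, using the registry's "time" map for each package and the semver package for range matching. npm's existing `before` config already restricts resolution by publish date; the piece the proposal adds on top is the drift warning and the strict "preserve" mode.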
Thank you.