npm Introduces minimumReleaseAge and Bulk OIDC Configuration

npm rolls out a package release cooldown and scalable trusted publishing updates as ecosystem adoption of install safeguards grows.

Sarah Gooding

February 26, 2026

3 min read

npm has introduced a new release cooldown setting and bulk configuration for OIDC trusted publishing, aligning the default JavaScript package manager with a broader shift toward defensive install and publish controls across the ecosystem.

The changes arrive in recent npm CLI 11.x releases and reflect growing consensus that both install-time behavior and CI-based publishing workflows require stronger guardrails.

New minimumReleaseAge Setting

npm’s new minimumReleaseAge setting allows teams to delay installation of newly published package versions. By enforcing a minimum age threshold before a version can be installed, the feature reduces exposure to malicious packages that rely on rapid, automated consumption before detection or takedown.

Time-based release gating has increasingly been adopted across JavaScript tooling over the past several months.

With npm’s addition, all major Node.js package managers now offer some form of release-age gating.

Unlike pnpm’s implementation, npm’s initial version does not include a built-in exclusion mechanism. An open issue proposes adding flexible exclusions, particularly to allow urgent security fixes to bypass the delay. Participants in the discussion noted that the current implementation conflicts with a common workflow: being strict with third-party dependencies while remaining more lenient with internally maintained packages, since there is no way yet to exclude internal packages from the cooldown.
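To make the gating behaviour concrete, here is an added example (not npm's own implementation) that models a release-age gate over a package's registry metadata. It assumes the cooldown is given in minutes, and its optional `exclude` list models the exclusion mechanism the open issue proposes, which the shipped npm setting does not have.

```javascript
// Added example, not npm's implementation: a minimal model of release-age
// gating over a package's registry metadata (the "packument").
// Assumptions: the cooldown is in minutes; the optional `exclude` list
// models the exclusion proposed in the open issue, not shipped behaviour.
// Constructed packument fragment. The registry's "time" map records the
// publish timestamp of every version alongside "created" and "modified".
const packument = {
  name: "@example/widget",
  "dist-tags": { latest: "1.3.0" },
  time: {
    created: "2026-01-01T00:00:00.000Z",
    modified: "2026-02-25T23:30:00.000Z",
    "1.2.0": "2026-02-10T12:00:00.000Z",
    "1.2.1": "2026-02-25T23:30:00.000Z", // published 30 minutes before "now"
    "1.3.0": "2026-02-24T00:00:00.000Z", // published 2 days before "now"
  },
};
// Numeric x.y.z comparison so the example needs no external semver package.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the package name matches an exclusion entry ("@scope/*" or exact).
function isExcluded(name, exclude) {
  return exclude.some((p) => (p.endsWith("/*") ? name.startsWith(p.slice(0, -1)) : p === name));
}

// Newest version published at least `minimumReleaseAgeMinutes` before `now`;
// null when every version is still inside the cooldown window.
function selectVersion(pkg, { now, minimumReleaseAgeMinutes, exclude = [] }) {
  const cutoff = now.getTime() - minimumReleaseAgeMinutes * 60 * 1000;
  const exempt = isExcluded(pkg.name, exclude);
  const eligible = Object.entries(pkg.time)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v)) // drop "created"/"modified"
    .filter(([, published]) => exempt || Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Fixed clock so the run is deterministic.
const now = new Date("2026-02-26T00:00:00.000Z");
console.log(selectVersion(packument, { now, minimumReleaseAgeMinutes: 3 * 24 * 60 })); // "1.2.0"
```

With a three-day cooldown the two-day-old 1.3.0 and the 30-minute-old 1.2.1 are both skipped; with a cooldown longer than any version's age the function returns null, which is the case an installer has to surface rather than silently fall back.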

Closing a Git Execution Path During Install

In npm CLI 11.10.0, npm also introduced a new --allow-git flag for npm install.

Git dependencies, whether direct or transitive, can include a .npmrc file that overrides the path to the git executable. In certain cases, this behavior could enable unexpected code execution during install, even when using --ignore-scripts, because the execution occurs at the toolchain level rather than through lifecycle hooks.

The --allow-git flag provides explicit control over this behavior. While it currently defaults to all for backward compatibility, npm recommends using:

npm install --allow-git=none

The more restrictive setting is expected to become the default in npm CLI v12.

Install-time risk isn’t limited to preinstall and postinstall scripts. As attackers look for less obvious ways to execute code, hardening dependency resolution has become a bigger focus. Git-based dependencies in particular introduce additional risk surface, since they bypass some of the conventions and guardrails of registry publishing. Socket flags Git dependencies as a supply chain risk signal for this reason, helping teams identify when packages are being pulled directly from source repositories rather than the npm registry.
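Before switching to --allow-git=none, a team needs to know which dependencies a lockfile actually pulls from git. The following added example (not Socket's or npm's tooling) scans a package-lock.json with lockfileVersion 2 or 3 and reports each git-resolved package, distinguishing direct from transitive ones.

```javascript
// Added example, not Socket's or npm's own tooling: list the dependencies an
// npm lockfile resolves from a git repository instead of the registry, so a
// team knows what --allow-git=none would block. Assumes a package-lock.json
// with lockfileVersion 2 or 3 (the "packages" map).

// Constructed lockfile fragment: one registry package, one direct git
// dependency, and one transitive git dependency nested under it.
const lockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { left: "^1.0.0", "some-fork": "github:acme/some-fork" } },
    "node_modules/left": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/left/-/left-1.0.3.tgz",
    },
    "node_modules/some-fork": {
      version: "2.1.0",
      resolved: "git+ssh://git@github.com/acme/some-fork.git#0123456789abcdef0123456789abcdef01234567",
    },
    "node_modules/some-fork/node_modules/helper": {
      version: "0.4.0",
      resolved: "git+https://github.com/acme/helper.git#abcdef0123456789abcdef0123456789abcdef01",
    },
  },
};

// A "resolved" value is a git source when it uses one of npm's git protocols.
function isGitSource(resolved) {
  return typeof resolved === "string" && /^git(\+(ssh|https?|file))?:/.test(resolved);
}

// Report every package resolved from git, marking whether the root depends on
// it directly or it arrived transitively (nested under another package).
function findGitDependencies(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies }));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !isGitSource(entry.resolved)) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const nested = path.slice("node_modules/".length).includes("node_modules/");
    findings.push({ name, path, resolved: entry.resolved, direct: !nested && direct.has(name) });
  }
  return findings;
}

console.log(findGitDependencies(lockfile));
```

Run against a real lockfile by replacing the constructed object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a transitive hit is the case worth attention, since a git source two levels down is not visible in the project's own package.json.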

Bulk OIDC Configuration for Trusted Publishing

Also generally available in npm CLI 11.10.0 is bulk configuration for OIDC trusted publishing.

Maintainers can now use the npm trust command to add or update trusted publishing configurations across multiple packages in a single operation, rather than configuring each package individually.

The feature follows npm’s revocation of classic publishing tokens and its push toward OIDC-based trusted publishing as the long-term replacement for long-lived CI tokens. For maintainers responsible for large portfolios of packages, migration and configuration consistency have created operational friction. Bulk configuration reduces that overhead and enables coordinated rollout at scale.

While the feature improves adoption ergonomics, it does not materially change the security model of CI-based publishing itself. Ongoing ecosystem discussions have raised concerns about publish-time enforcement, workflow trigger abuse, and the need for stronger default guardrails in automated release pipelines.

Ecosystem Alignment on Supply Chain Controls

Release cooldowns are quickly becoming a baseline expectation across JavaScript package managers. A year ago, delaying installs of newly published packages was a niche configuration. Now it’s available across npm, pnpm, Yarn, and Bun. That shift suggests time-based gating is becoming a standard defensive control.

With install gating, stricter Git controls, and scaled OIDC publishing, more of the ecosystem’s security boundaries are now being enforced directly at the package manager level.
