lirantal/npq

Version maturity: the 'age' Marshall checks the time since the package was created; this feature is for the time since a new version was published.


Warn when the version being installed has only very recently been published. That would invite extra caution because scanners and the community may not yet have found any newly introduced issues.

Expected Behavior

Warning on the next line after "Checking package maturity" if published less than e.g. 1 day ago

Current Behavior

No change, only additional.

Possible Solution

The publish date is available in the package metadata (npm info).

Context

For example when node-ipc was compromised, there was a time window until the issue was identified, and if you happened to install during that window then you would have been impacted.

The counterpoint to this whole idea however is that if everyone holds off installing recently published versions, it could delay identification of security issues.

Hi @robatwilliams, thanks for the idea but this is already implemented. See the README for age Marshall. The default is 22 days:

[screenshot attached]

That relates to the time difference for the whole package since it was created (published for the first time).
Are you asking specifically about the publish time difference of a new version?

Yes, the age of the new version

Ok.
What would be a good time diff threshold?

Hard to say. If it's too low then any package that's frequently releasing patches will always get a warning. But I don't think there always being a warning would be a new issue, as most packages already don't have a provenance statement.

7 days perhaps? It would almost effectively be 5 days if the publish was done just before the weekend, during which there is much less attention.
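The distinction the thread settles on (package age since first publish versus age of the specific version being installed) can be computed from the `time` map in an npm registry packument, which is the same data `npm info <pkg> time --json` prints: it carries `created`, `modified` and one ISO timestamp per published version. The example below is added here to illustrate the Possible Solution and the 7-day threshold discussed above; it is not code from npq, and the function names, the sample `time` object and its dates are constructed for the illustration. It shows a case where the 22-day package-age check passes while the version being installed is only two days old.

```javascript
// Added example, not npq's own code. Computes package age and version age
// from a packument's `time` map and returns a maturity warning when the
// version being installed is younger than a threshold.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample of a registry packument's `time` object (dates made up).
const samplePackumentTime = {
  created: '2019-03-10T12:00:00.000Z',
  modified: '2022-03-14T09:00:00.000Z',
  '1.0.0': '2019-03-10T12:00:00.000Z',
  '1.1.0': '2021-08-02T16:30:00.000Z',
  '1.1.1': '2022-03-14T09:00:00.000Z',
};

// Age of the package as a whole: time since its first publish (`created`).
// This is what a package-age check like the 22-day default looks at.
function packageAgeDays(time, now = Date.now()) {
  return (now - Date.parse(time.created)) / DAY_MS;
}

// Age of one specific version: time since that version's own publish date.
function versionAgeDays(time, version, now = Date.now()) {
  const published = time[version];
  if (published === undefined) {
    throw new Error(`version ${version} is not present in the packument time map`);
  }
  return (now - Date.parse(published)) / DAY_MS;
}

// Hypothetical check mirroring the proposal: warn when the version being
// installed was published less than `thresholdDays` ago. Returns the warning
// text, or null when the version is old enough.
function versionMaturityWarning(time, version, { thresholdDays = 7, now = Date.now() } = {}) {
  const age = versionAgeDays(time, version, now);
  if (age < thresholdDays) {
    return `version ${version} was published ${age.toFixed(1)} days ago ` +
      `(less than ${thresholdDays} days); scanners and the community may not ` +
      `have found newly introduced issues yet`;
  }
  return null;
}

// Same shape of check for the whole package, with the README's 22-day default.
function packageMaturityWarning(time, { thresholdDays = 22, now = Date.now() } = {}) {
  const age = packageAgeDays(time, now);
  if (age < thresholdDays) {
    return `package was first published ${age.toFixed(1)} days ago (less than ${thresholdDays} days)`;
  }
  return null;
}

// Demo: an install attempted two days after 1.1.1 was published. The
// package-age check is silent (the package is about three years old) while
// the version-age check fires.
function demo() {
  const now = Date.parse('2022-03-16T09:00:00.000Z');
  return {
    packageWarning: packageMaturityWarning(samplePackumentTime, { now }),
    latestVersionWarning: versionMaturityWarning(samplePackumentTime, '1.1.1', { now }),
    olderVersionWarning: versionMaturityWarning(samplePackumentTime, '1.1.0', { now }),
  };
}

console.log(demo());
```

Note that a fixed calendar threshold does not account for the reduced attention over a weekend that the last comment raises; a practitioner who wants that would count business days between the publish date and now rather than raw days.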