There are many different defense tactics against various javascript library attacks, but one that I think is underappreciated is the idea of a “package maturity gate.”
Modern JavaScript package managers already have features that can enforce exactly that kind of caution.
TLDR: if you only want the practical part, jump to Who supports this today?
They can refuse to install packages that are too fresh.
Not known-malicious packages. Not suspicious packages. Just very new ones.
And that sounds almost too simple, but even forcing packages to age by 1-2 days can cut a lot of risk - 7 recent npm supply chain incidents were caught within hours or a day of the malicious publish.
Very simple rule: do not install dependency versions until they are at least some minimum age.
This does not make a package safe. It does not solve typosquatting, malicious maintainers, or bad code that sat around for months.
But it does help against one very specific and very common problem in the Node.js ecosystem: an attacker compromises a maintainer account or steals a publish token, pushes a malicious version, and people install it before anyone notices.
And that “before anyone notices” window is often shorter than people think.
Most teams are not manually auditing every transitive dependency update.
They run npm install, pnpm install, or bun install, trust the registry, trust the lockfile update, and move on.
That is understandable. Nobody wants to spend their entire week thinking about package provenance.
But supply chain attacks keep showing the same shape:
If your CI or workstation installs during that fresh publish window, you are just unlucky.
So the question is not “how do I make npm perfectly safe?” The question is more practical:
How do I stop being part of the first wave?
| Tool | Native maturity gate? | Install-script controls | Bottom line |
|---|---|---|---|
| Bun | Yes. install.minimumReleaseAge lets you reject versions newer than a configured age, with exclusions for trusted packages. Docs | Script controls exist separately, but the maturity gate is the headline feature here. | Good built-in protection against brand-new malicious publishes. |
| pnpm | Yes. minimumReleaseAge applies age filtering to direct and transitive dependencies. Docs | Strong controls: pnpm approve-builds, allowBuilds, and explicit package approval instead of blindly allowing scripts. Docs | Probably the strongest native package-manager posture here right now. |
| Deno | Yes. minimumDependencyAge is supported in config. Deno 2.6 | Deno does not run npm lifecycle scripts by default; scripts must be explicitly allowed. Docs | Very good defaults, especially because script execution is opt-in. |
| npm | Not a true minimum-age setting, but --before can install package versions that existed on or before a chosen date. Docs | ignore-scripts is an important mitigation if you do not trust dependency install hooks. Docs | Better than nothing, but less ergonomic than a real minimum-age policy. |
If you are on Bun or pnpm, I think this is a “just enable it” kind of feature.
If you are on Deno, you already get a nicer default security posture than the usual Node.js toolchain, especially around install scripts.
If you are on npm, you can still reduce risk with date-based cutoffs, but it is less clean than having an actual minimum-age policy built into normal installs.
Below is the nicer version of the pattern.
| Incident | Attack started | Detected / disclosed | Approximate exposure window |
|---|---|---|---|
Prettier tooling compromise (eslint-config-prettier, eslint-plugin-prettier) | July 18, 2025 | July 19, 2025 | ~1 day |
Qix maintainer compromise (debug, chalk-template, color-convert, strip-ansi, others) | September 8, 2025 | September 8, 2025 | same day |
| Nx compromise | August 26, 2025 | August 27, 2025 | ~1 day |
| Shai-Hulud, first wave | September 16, 2025 | September 16, 2025 | same day |
| Shai-Hulud, second wave | November 24, 2025 | November 24, 2025 | same day |
| CanisterWorm / TeamPCP npm worm | March 21, 2026 | March 21, 2026 | same day |
| Axios maintainer-account compromise | March 31, 2026 | March 31, 2026 | hours (00:21-03:29 UTC according to Datadog) |
The exact numbers are not the interesting part.
The interesting part is that many of these bad publishes were not invisible for weeks. In several cases they were discovered the same day or the next day.
That means a boring delay of 24 hours, 72 hours, or 7 days would have blocked at least some of the blast radius.
Not all of it, but enough to matter.
This defense is refreshingly unsophisticated.
Instead of trying to perfectly classify which package is good or bad, you just say: “fresh publishes are higher risk, so we will not consume them immediately.”
That is it.
This works especially well because most projects do not actually need the newest transitive dependency version five minutes after release.
People often act like delaying packages by a few days is unbearable friction. In reality, most teams would not notice unless they are actively chasing a hotfix or testing a brand new release on purpose.
So the trade is pretty good:
This is one of the rare defenses that feels asymmetric in your favor.
Attackers need a fresh publish to hit victims quickly. You only need the discipline to say “come back in a day or two.”
Package maturity gates are not a silver bullet.
You still want the usual boring hygiene:
Still, I like this mitigation because it is simple and cheap.
A lot of security advice sounds good in a slide deck and then quietly dies because nobody will maintain it.
This one is different. It is easy to explain, easy to automate, and it specifically targets the dangerous “just published” window that shows up again and again in npm incidents.
The Node ecosystem probably is not going to stop having supply chain attacks.
So the realistic goal is not perfection. The realistic goal is reducing blast radius.
Package maturity gates are one of the simplest ways to do that.
]]>I thought this was interesting and wanted to learn a bit about how one would do such a thing. Quickly I learned that this is unethical and probably not legal and outside the terms of service. But I was still interested in the technical side.
One might think they can simply run some wget/curl/python requests or something similar, but this doesn’t give you the expected results when running against modern websites like Facebook that rely heavily on JavaScript.
Facebook and other sites are basically mini-applications running in your browser. When you visit Facebook, the initial HTML is pretty much empty - everything you see gets loaded by JavaScript after the page loads. So your simple HTTP request just gets you a skeleton page with none of the actual content you’re trying to scrape.
So maybe you’re thinking “okay, I’ll just use browser automation tools like Playwright, Puppeteer, or Selenium to solve this JavaScript problem.” But even if you overcome the dynamic loading, you’ll quickly run into the next wall.
Websites really don’t want you scraping them. They’ll check if you’re making requests too fast, if your browser fingerprint looks suspicious, or if you’re missing those subtle behavioral patterns that make you look human.
Some sites will even serve you completely different content if they suspect you’re a bot, or just throw a CAPTCHA at you to stop you dead in your tracks.
You might be sneaky and think - Let’s use Lambda or some cloud service so my IP will constantly change. Again, they have probably already faced this issue and you won’t even be able to send a GET request to Facebook from many cloud providers, as Facebook has simply blocked those known IP ranges.
Ok so this is clearly a difficult task, but googling around you can find businesses that seem to sell you the ability to scrape data from Facebook / LinkedIn and other popular websites that contain gold mines of personal information.
I stumbled across the “REDACTED” company which does exactly this. Looking at their website they advertise about having 150 million different residential IP addresses. - Wow, how does one get 150 million residential IPs? That would certainly make scraping much easier.
TLDR: Well the answer, after some digging around, is that some free VPN services, in addition to giving you “free” VPN access, are quietly turning your computer into their slave. They rent out your internet connection to companies who need residential IPs, effectively transforming your home computer into an Facebook stalker or LinkedIn data harvester.
You might have seen something similar when installing Adobe Reader in the past, it would auto-select and try to install McAfee on your computer. This is basically that same trick, but even dirtier.
Sadly, if something is too good to be true, it probably is.
]]>Complexity occurs when systems have internal interactions. It doesn’t mean we have a lot of stuff, internal interactions means when stuff starts getting in the way of each other.
Complexity is a natural consequence of a system incentives. While software evolves you add layers ontop of layers which have internal interactions
New tools are not the solution. Sometimes we reach a point where something is too complex, so we refactor or rewrite and we are rewarded with a nice feeling and(hopefully) reduced complexity. Since the software is less complex now, there is less incentive to keep it less complex and it will get more complex because it is easier strap on some additional feature at the cost of refactoring “later”
A study was mentioned in the YouTube video that showed that the invention of seatbelts didn’t result in overall less number of casualties per X people. when wearing seatbelts people feel safer, so they drive faster / take faster turns. basically, their risk tolerance remains the same, so they drive more recklessly while staying at the same comfortable risk feeling
Peter Van Hardenberg argues that complexity isn’t inherently bad. Emergent behaviors from complex systems, such as the “chemistry engine” in The Legend of Zelda: Breath of the Wild, enable creativity and innovation. However, deliberate and thoughtful management of complexity is essential to avoid pitfalls.
]]>“It never gets easier, you just go faster.” Peter Van Hardenberg
This phrase can meet you at many different phases of your work.
When junior developers who are less confident with the codebase and are tasked with fixing some bug or adding a small feature, they will probably have multiple iterations and multiple code reviews until they get their desired result.
But of course, depending on the project, testing and validating your code can be a very expensive operation - Either by time or resources used for running this iteration.
So when applying the phrase for this example, a developer should attempt to make their iterations as quick as possible. There are many ways to accomplish this, depending on your task. I’ll share a few examples below.
--start-at-task to only run your specific task before running the full playbook for final validation.The phrase “fail fast and hard” is applicable at so many levels. Let’s look at someone who has an idea for a startup. Some people can get so invested in trying to get it perfect from the start, choosing the ‘correct’ platform, choosing the ‘perfect’ language.
All of these factors and many more are not the ones which will be the deciding factor of a startup (in the majority of cases). Working to perfect your idea for 3 years only to realize 1 month after release that your idea might need a complete architecture redesign based on the feedback only received now can be a deal breaker and can be too hard to fix.
In my opinion, when working in new and uncharted waters, you should iterate quickly, try to implement your ideas in a hacky way(MVP-Minimal Viable Product) - this will allow you to gather feedback while not going too deep into the rabbit hole and seeing if this idea is worthwhile.
]]>This isn’t always the case, the world has many use-cases and sometimes it is worth it to spend extra time.
bash script that is supposed to run on a remote test server.
This remote server doesn’t have a GUI, it doesn’t have copilot and doesn’t have our favorite IDE that makes our life sufferable.
So what does this lazy developer do?
He creates the script on his local IDE, CTRL-C the code and CTRL-V into the remote machine - thinking this is a small script that will be ready in no time.
Like usual, estimations are hard. Our developer is not special, and of course, multiple attempts are needed to get the desired result, sometimes dozens of attempts or more.
So each time this lazy developer copies, pastes the code and hopes that this time will be the last one.
This might be a simple task - copy and paste - but don’t underestimate it. This brings needless friction and another pain point to your constantly failing script.
You should always think - especially as a younger developer who is less experienced, how can I make my workflow easier, how can I be lazier? How can I Fail fast and fail hard?
There are multiple solutions to make this workflow more efficient, depending on the tasks and other factors.
nano or vim.
This should only be considered in very rare cases as it might lead to lost code that is not checked out to a SCM (Github/Bitbucket/etc).