Show HN: TimeLock NPM Registry

github.com

4 points by pyoner 3 months ago · 2 comments · 1 min read


Hi, everyone!

I built a TimeLock NPM Registry to prevent supply chain attacks. I was inspired by pnpm's minimumReleaseAge, but I'm using bun for my projects.

TimeLock NPM Registry is an alternative npm package registry focused on supply chain security.

Its core feature is introducing a time lock before new package versions become available for installation. This protects developers from compromised releases: while packages are “on hold,” the community and security tools have time to detect and block malicious code.

Why it matters

  • Reduces the risk of installing malicious packages.
  • Lets you “wait out” 24 hours or more before updating.
  • Increases trust in dependencies and builds.

How it works

A package author publishes a new version. TimeLock NPM Registry places it into a pending state for a set duration (e.g., 24 hours). Only after the timer expires does the package become available for installation.

Tech stack — Cloudflare Workers, Honojs.
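The hold described above, as an added example rather than the project's own code: a function that filters an npm package metadata document (a "packument", whose `time` map records each version's publish date) so that versions younger than the hold period are not served, and that re-points `dist-tags.latest` at the newest version that has cleared the hold. The route handler, storage and upstream fetch of the real registry are not on the page and are left out; the sample packument and the fixed "now" are constructed for the demo.

```javascript
// Added example (not the TimeLock NPM Registry's own code): hide npm package
// versions published less than `holdMs` ago from a packument. The sample
// metadata and the fixed "now" below are constructed for the demonstration.

const DEFAULT_HOLD_MS = 24 * 60 * 60 * 1000; // 24 hours, as in the post

// Return a copy of the packument in which every version whose publish time
// (from the npm `time` map) is newer than now - holdMs is removed, and
// dist-tags that pointed at a held version are re-pointed at the newest
// still-visible version (for `latest`) or dropped (for other tags).
function applyTimeLock(packument, now = Date.now(), holdMs = DEFAULT_HOLD_MS) {
  const time = packument.time || {};
  const cutoff = now - holdMs;
  const versions = {};
  const visibleTime = {};
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const published = Date.parse(time[version] || "");
    // Fail closed: a version with no parseable publish date is treated as new.
    if (Number.isNaN(published) || published > cutoff) continue;
    versions[version] = meta;
    visibleTime[version] = time[version];
  }
  // Keep the non-version bookkeeping keys npm puts in the `time` map.
  for (const key of ["created", "modified"]) {
    if (time[key]) visibleTime[key] = time[key];
  }
  // Newest visible version by publish time (no semver library needed here).
  const newest = Object.keys(versions).sort(
    (a, b) => Date.parse(visibleTime[b]) - Date.parse(visibleTime[a]))[0];
  const distTags = {};
  for (const [tag, version] of Object.entries(packument["dist-tags"] || {})) {
    if (versions[version]) distTags[tag] = version;
    else if (tag === "latest" && newest) distTags.latest = newest;
  }
  return { ...packument, versions, time: visibleTime, "dist-tags": distTags };
}

// Constructed sample: 1.0.0 is three days old, 1.0.1 was published an hour
// before the fixed "now" (the kind of release the hold is meant to catch).
const NOW = Date.parse("2024-01-10T12:00:00Z");
const samplePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.0.1", beta: "1.0.1" },
  versions: { "1.0.0": { dist: {} }, "1.0.1": { dist: {} } },
  time: { "1.0.0": "2024-01-07T12:00:00Z", "1.0.1": "2024-01-10T11:00:00Z" },
};

const locked = applyTimeLock(samplePackument, NOW);
console.log(Object.keys(locked.versions), locked["dist-tags"]);
// → [ '1.0.0' ] { latest: '1.0.0' }
```

Once the hold elapses (the same call with a later `now`), 1.0.1 reappears and `latest` moves back to it without any further action by the publisher.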

madamelic 3 months ago

Why not just lock your versions entirely? No need to always have the shiny new version.

  • pyonerOP 3 months ago

    Yes, you can! Time-lock registry is an additional method of defense.
