GitHub - melbahja/draft-pqurp: Package Quarantine and Urgent Release Protocol (PQURP)


Package Quarantine and Urgent Release Protocol

A protocol that interposes a mandatory review window between package publication and distribution, with a transparent signal for critical security fixes.

The Problem

Every supply chain attack against a package registry exploits the same assumption: publishing a release and distributing it are the same instant event. A compromised artifact reaches production systems before anyone has time to notice.

How It Works

  • Quarantine window: every new release is held back from default resolution for a bounded period; during that time consumers silently receive the last stable version, with no friction and no interruption.
  • Urgent signal: a publisher with a critical security fix can mark a release urgent. It still waits in quarantine; the difference is that consumers see a post-install warning with a source diff and an explicit command to opt in.
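To make the two rules concrete, here is an added illustration of how a resolver could apply them; it is not code from the draft-pqurp repository, and the window length, the data layout and the opt-in command it prints are assumptions rather than anything the spec fixes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical window length; the real bound is whatever spec.md fixes.
QUARANTINE_WINDOW = timedelta(days=7)

@dataclass(frozen=True)
class Release:
    version: tuple          # e.g. (1, 4, 0); simplified, not full semver
    published_at: datetime  # registry publication time, UTC
    urgent: bool = False    # publisher-declared critical security fix

def resolve(releases, now, window=QUARANTINE_WINDOW, opt_in=()):
    """Pick the default version under the quarantine rule: a release is
    eligible once `window` has elapsed since publication, or if the consumer
    explicitly opted in to that exact version. Urgent releases are never
    auto-selected; they are only surfaced for review."""
    opt_in = set(opt_in)
    eligible = [r for r in releases
                if now - r.published_at >= window or r.version in opt_in]
    held = sorted((r for r in releases if r not in eligible),
                  key=lambda r: r.version)
    selected = max(eligible, key=lambda r: r.version, default=None)
    urgent_pending = [r for r in held if r.urgent
                      and (selected is None or r.version > selected.version)]
    return {"selected": selected, "held": held, "urgent_pending": urgent_pending}

def post_install_warning(res, pkg="example-pkg"):
    """Consumer-facing notice for urgent releases still in quarantine.
    The opt-in command shown is a hypothetical CLI, not one the spec names."""
    return [
        "WARNING: {0} {1} is flagged URGENT (security fix) but is still quarantined. "
        "Review the source diff, then opt in: pkg install --allow-quarantined {0}@{1}"
        .format(pkg, ".".join(map(str, r.version)))
        for r in res["urgent_pending"]
    ]

# Constructed sample registry state (not a real package).
NOW = datetime(2025, 3, 15, tzinfo=timezone.utc)
SAMPLE = [
    Release((1, 3, 0), NOW - timedelta(days=40)),
    Release((1, 4, 0), NOW - timedelta(days=10)),
    Release((1, 4, 1), NOW - timedelta(hours=6)),               # fresh, unreviewed
    Release((1, 4, 2), NOW - timedelta(hours=2), urgent=True),  # fix, still held
]

if __name__ == "__main__":
    res = resolve(SAMPLE, NOW)
    print("default:", res["selected"].version)   # (1, 4, 0)
    print("\n".join(post_install_warning(res)))
```

With the sample state, 1.4.0 is served by default, the fresh 1.4.1 is held silently, and the urgent 1.4.2 produces a warning but is installed only when the consumer passes its version to `opt_in`.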

Status

This is an individual proposal, not an active working group. The goal is to gather feedback from package manager maintainers, registry operators, and the security community before iterating further.

Read the Spec

spec.md

Contributing

Open an issue to propose changes, flag gaps, or ask questions. Pull requests are welcome for editorial fixes.

Note

This spec was developed with AI writing assistance. The design, decisions, and direction are my own.