←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 9 comments | 27 Aug 25 01:38 UTC | HN request time: 0.661s | source | bottom
1. andix ◴[27 Aug 25 18:59 UTC] No.45043591[source]
Are there any package managers that have something like a min-age setting. To ignore all packages that were published less than 24 or 36 hours ago?

I’ve run into similar issues before, some package update that broke everything, only to get pulled/patched a few hours later.

replies(5): >>45043774 #>>45043852 #>>45045196 #>>45045198 #>>45047987 #
2. ebb_earl_co ◴[27 Aug 25 19:13 UTC] No.45043774[source]
Not for an operating system, but Astral’s `uv` tool has this for Python packages.
3. jefozabuss ◴[27 Aug 25 19:20 UTC] No.45043852[source]
I just use .npmrc with save-exact=true + lockfile + manual updates, you can't be too careful and you don't need to update packages that often tbh.

Especially after the fakerjs (and other) things.

replies(1): >>45043937 #
4. andix ◴[27 Aug 25 19:26 UTC] No.45043937[source]
But you're still updating at some point. Usually to the latest version. If you're unlucky, you are the first victim, a few seconds after the package was published. (Edit: on a popular package there will always be a first victim somewhere in the first few minutes)

Many of those supply chain attacks are detected within the first few hours, I guess nowadays there are even some companies out there, that run automated analysis on every new version of major packages. Also contributors/maintainers might notice something like that quickly, if they didn't plan that release and it suddenly appears.

5. VPenkov ◴[27 Aug 25 20:59 UTC] No.45045196[source]
Not a package manager, but Renovate bot has a setting like that (minimumReleaseAge). Dependabot does not (Edit: does now).

So while your package manager will install whatever is newest, there are free solutions to keep your dependencies up to date in a reasonable manner.

Also, the javascript ecosystem seems to slowly be going in the direction of consolidation, and supply chain attacks are (again, slowly) getting tools to get addressed.

Additionally, current versions of all major package managers (NPM, PNPM, Bun, I don't know about Yarn) don't automatically run postinstall scripts - although you are likely to run them anyway because they will be suggested to you - and ultimately you're running someone else's code, postinstall scripts or not.

replies(1): >>45045201 #
6. ZeWaka ◴[27 Aug 25 20:59 UTC] No.45045198[source]
GitHub dependabot just got this very recently: https://github.blog/changelog/2025-07-01-dependabot-supports...
7. ZeWaka ◴[27 Aug 25 20:59 UTC] No.45045201[source]
Dependabot got it last month, actually. https://github.blog/changelog/2025-07-01-dependabot-supports...
replies(1): >>45045406 #
8. VPenkov ◴[27 Aug 25 21:17 UTC] No.45045406{3}[source]
Oh, happy days!
9. bapak ◴[28 Aug 25 03:18 UTC] No.45047987[source]
npm install actually has a flag to install dependencies as they appeared on a specific point in time. This flag is applied to the entire tree.

What this means is that you can run "npm instal --before (date for 2 days ago)" and it will skip any dependencies newer than that.