jmagly/npm-release-age-gate
agentic/code/frameworks/security-engineering/skills/npm-release-age-gate/SKILL.md
Configure and review npm min-release-age controls for JavaScript projects, including 7-day default gates, 10-day high-sensitivity profiles, npm version requirements, and safe override handling.
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg npm-release-age-gateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 6:27 AM160.7s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- npm-release-age-gate
- platforms:
- [all]
- description:
- Configure and review npm min-release-age controls for JavaScript projects, including 7-day default gates, 10-day high-sensitivity profiles, npm version requirements, and safe override handling.
npm-release-age-gate
Use this skill when a user wants to slow dependency adoption after a
fresh npm publish, configure min-release-age, decide whether to use
npm or pnpm for the gate, or troubleshoot install failures caused by
newly published package versions.
Triggers
- "release age gate"
- "min-release-age"
- "minimumReleaseAge"
- "7 day npm gate" / "10 day npm gate"
- "new package version blocked"
- "npm supply chain hardening"
Suggested default
For npm projects, commit this at the repo root:
min-release-age=7
Require npm 11.5+ on contributor machines and in any CI job that can change the lockfile:
npm install -g npm@^11.5
npm --version
For release-prep dependency churn, major version bumps, or highly sensitive projects, use a one-command high-sensitivity profile:
npm install --min-release-age=10
Decision tree
- Does the project already use npm with a committed
package-lock.json? Keep npm and add.npmrc. Migration to pnpm is not required for the threat model. - Does the project already use pnpm?
Use pnpm's
minimumReleaseAgesetting inpnpm-workspace.yamlor.npmrcequivalent per pnpm's current docs. - Does CI use Node 20 or Node 22 images? Install npm 11.5+ before lockfile-changing commands. Older bundled npm versions may ignore the gate.
- Is the job a publish workflow using npm trusted publishing? Prefer Node 24 so the workflow has a current npm 11.x and satisfies trusted-publishing runtime requirements.
Override policy
Avoid permanent bypasses. If a dependency must be adopted before the gate expires:
npm install --min-release-age=0 <package>
Require the commit message or PR body to state:
- package name and version,
- why waiting is not acceptable,
- who approved the override,
- what additional verification was run.
What to inspect
.npmrcat repo root.- CI jobs that run
npm install,npm update, or lockfile regeneration. - Developer docs and onboarding docs for npm 11.5+.
- Release runbooks for the 10-day high-sensitivity option.
- Any scripts that pass
--before; npm cannot usebeforeandmin-release-agetogether.
Common mistakes
| Mistake | Fix |
|---|---|
| Setting the gate but leaving contributors on npm 10 | Document and enforce npm 11.5+ |
| Assuming npm ci updates the lockfile | The gate matters most when the lockfile is regenerated |
| Using --min-release-age=0 in CI permanently | Remove the bypass and document one-off exceptions |
| Migrating npm projects to pnpm just for this control | Keep npm unless pnpm has independent project value |
References
- npm config
min-release-age: https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age - npm trusted publishing: https://docs.npmjs.com/trusted-publishers
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026