
[FEATURE] Recent update warning #81


Open
wants to merge 12 commits into
base: master

IchiiDev

This feature was suggested by Issue #80; I have implemented it on my fork.
What has been asked is basically to add a warning if a package was pushed recently, to prevent package hijacking and malware.

What I have done to implement it:

  1. Every time a dependency is prompted, it will fetch https://registry.npmjs.com/:package to fetch the version's publication date
  2. Will check if 3 days have passed since the last publish
  3. If not then it will throw an error, a warning or an info telling the user the package was pushed recently and that they should be careful when upgrading.

This has been tested with some recently pushed packages and it works as expected. I will be available during the next few days to edit if any review requires changes.
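
The three-step check described above, as an added example that is not code from this pull request; it goes slightly beyond the description by reporting a missing or unparseable date as its own "unknown" result instead of treating it as safe. The `time` map is the per-version timestamp field of the registry document; the function names and sample packages are assumptions constructed for illustration.

```javascript
// Added example, not code from the pull request. The packuments below are
// constructed; real ones come from https://registry.npmjs.com/<package>.
const RECENT_WINDOW_MS = 3 * 24 * 60 * 60 * 1000; // 3-day threshold from the PR description

// Classify a target version as 'recent', 'ok' or 'unknown'.
// 'unknown' covers every case where the date cannot be trusted, so the caller
// can warn instead of silently treating a failed lookup as safe.
function classifyPublication(packument, version, now = new Date()) {
  const raw = packument && packument.time && packument.time[version];
  if (typeof raw !== 'string') return {status: 'unknown', reason: 'no publication date'};
  const published = new Date(raw);
  if (Number.isNaN(published.getTime())) return {status: 'unknown', reason: 'unparseable date'};
  const ageMs = now.getTime() - published.getTime();
  if (ageMs < 0) return {status: 'unknown', reason: 'date is in the future'};
  const ageDays = Math.floor(ageMs / 86400000);
  return {status: ageMs < RECENT_WINDOW_MS ? 'recent' : 'ok', ageDays};
}

// Hypothetical helper: check a list of planned upgrades, return lines to print.
function recentUpdateWarnings(upgrades, packuments, now = new Date()) {
  const lines = [];
  for (const {name, to} of upgrades) {
    const result = classifyPublication(packuments[name], to, now);
    if (result.status === 'recent') {
      lines.push(`WARN ${name}@${to} was published ${result.ageDays} day(s) ago`);
    } else if (result.status === 'unknown') {
      lines.push(`WARN ${name}@${to}: ${result.reason}, age not verified`);
    }
  }
  return lines;
}

// Constructed sample data (package names and dates are made up).
const now = new Date('2025-06-05T12:00:00Z');
const packuments = {
  'example-recent-pkg': {time: {'1.0.0': '2024-01-10T08:00:00Z', '1.0.1': '2025-06-04T09:30:00Z'}},
  'example-stable-pkg': {time: {'2.3.0': '2025-01-02T00:00:00Z'}},
  'example-no-meta-pkg': {}
};
const upgrades = [
  {name: 'example-recent-pkg', to: '1.0.1'},
  {name: 'example-stable-pkg', to: '2.3.0'},
  {name: 'example-no-meta-pkg', to: '0.9.0'}
];
console.log(recentUpdateWarnings(upgrades, packuments, now).join('\n'));
```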

@houd1ni

houd1ni commented Dec 31, 2022

hi, @IchiiDev!
PRs here are quite stuck, hence maybe make an independent project begun from the fork? Seems that this one could be a nice start.
I have a huge issue when being in bad network environments and almost cannot npm-upgrade at all, therefore willin' to commit some code into there asap.

@IchiiDev
Author

I'm going to send an email directly to @th0r to suggest giving ownership/management to someone else, both on the NPM registry and GitHub. If no answer ensues I will try and send a ticket to NPM's support to request ownership due to inactivity. 😄

@houd1ni

houd1ni commented Dec 31, 2022

> I'm going to send an email directly to @th0r to suggest giving ownership/management to someone else, both on the NPM registry and GitHub. If no answer ensues I will try and send a ticket to NPM's support to request ownership due to inactivity. 😄

Nice! Tag me here, please, with any news!

@houd1ni

houd1ni commented Jan 14, 2023

@IchiiDev salut! Any news?

@ImLunaHey

@IchiiDev any chance you'd be able to reopen this and check it works with the latest version?

@IchiiDev
Author

I could check, I just saw that @th0r reacted in the referenced Issue, so I'll open it again if they are willing to take a look at the changes if up to date. I closed the PR due to previous inactivity.

@IchiiDev IchiiDev reopened this May 14, 2025
@IchiiDev
Author

Still works as intended 3 years ago 😄

Aside from some ESLint errors I just fixed, nothing to report here. Waiting for review. (see #80)

@IchiiDev
Author

Will check this tomorrow

@IchiiDev IchiiDev requested a review from th0r May 19, 2025 13:57
@IchiiDev IchiiDev requested a review from th0r June 2, 2025 15:04
@IchiiDev IchiiDev requested a review from th0r June 5, 2025 09:18
publishedDatesCache[`${name}@${to}`] = getVersionPublicationDate(name, to)
.then(date => new Date(date))
.catch(() => null);
});
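
Review bot: the `.catch(() => null)` on the cached promise turns every registry or network failure into `null`, so unless the caller treats `null` as a warning condition, a failed lookup skips the recent-update check without telling the user. Consider caching a distinct "lookup failed" marker and printing a "could not verify publish date" message for it. The `.then(date => new Date(date))` step also produces an Invalid Date when `date` is undefined, so the value should be validated before it is compared against the threshold.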


what're you actually trying to do because this just doesn't look right?

Author


I am adding every promise to the object so that they can resolve in the background and be awaited once needed in the loop.


that's not really how promises work. nothing will resolve until they're awaited.

Author


> that's not really how promises work. nothing will resolve until they're awaited.

What would be the best way to approach this issue then?


what're you actually trying to do?

4 participants