Even if everyone used it, the security scanners would still have time to do their static analysis of new packages. Basically, all the clients implementing a delay would create a de facto quarantine status for new packages so they can be examined before everyone starts installing them. (Why npm doesn't just implement that themselves, I do not know.)
That’s my point. For whatever reason, npm isn’t doing it. All npm users adding a minimum package age is kind of like doing it as a collective, without npm’s help.
Many places run analyzers on published code; many security users have reason to shorten the period. The default period becomes the period where white hats have a chance to detect it and stop it passing the threshold.
Even if everyone used it, the security scanners would still have time to do their static analysis of new packages. Basically, all the clients implementing a delay would create a de facto quarantine status for new packages so they can be examined before everyone starts installing them. (Why npm doesn't just implement that themselves, I do not know.)
Then shouldn’t the analyzers just be part of NPMs acceptance requirements?
That’s my point. For whatever reason, npm isn’t doing it. All npm users adding a minimum package age is kind of like doing it as a collective, without npm’s help.
No.
Many places run analyzers on published code; many security users have reason to shorten the period. The default period becomes the period where white hats have a chance to detect it and stop it passing the threshold.