Show HN: TimeLock NPM Registry


TimeLock NPM Registry is an alternative npm package registry focused on supply chain security.

Its core feature is introducing a time lock before new package versions become available for installation. This protects developers from compromised releases: while packages are “on hold,” the community and security tools have time to detect and block malicious code.

  • 📦 Reduces the risk of installing malicious packages.
  • ⏳ Lets you “wait out” 24 hours or more before updating.
  • 🔒 Increases trust in dependencies and builds.

  1. A package author publishes a new version.
  2. TimeLock NPM Registry places it into a pending state for a set duration (e.g., 24 hours).
  3. Only after the timer expires does the package become available for installation.

To use the TimeLock NPM Registry, you need to configure your package manager to point to the registry's URL. The URL format is https://timelock-npm-registry.dev/lock/<minutes>/, where <minutes> is your desired time lock.

For example, to set a 24-hour (1440 minutes) time lock, the URL would be: https://timelock-npm-registry.dev/lock/1440/
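The hold described above, as an added example of the filtering a time-lock proxy has to apply before it serves a package document (this is not the TimeLock project's own code; it assumes the /lock/<minutes>/<package> path shape shown on this page and npm's standard packument `time` map of version to publish timestamp, and runs over a constructed sample packument):

```javascript
// Added example, not the TimeLock project's own code. It shows the filtering a
// time-lock proxy has to apply to an upstream npm packument before serving it.
// Assumptions: the lock length comes from a path of the form
// /lock/<minutes>/<package> (as on this page), and the packument carries npm's
// standard "time" map of version -> ISO 8601 publish timestamp.

const LOCK_PATH = /^\/lock\/(\d+)\/(.+)$/;

// Returns { minutes, name } for a request path, or null when it does not match.
function parseLockPath(pathname) {
  const m = LOCK_PATH.exec(pathname);
  if (!m) return null;
  return { minutes: Number(m[1]), name: decodeURIComponent(m[2]) };
}

// Orders release versions numerically; a prerelease sorts below its release.
function compareVersions(a, b) {
  const [coreA, preA] = a.split('-');
  const [coreB, preB] = b.split('-');
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return (preA ? 0 : 1) - (preB ? 0 : 1);
}

// Removes every version published less than lockMinutes ago and re-points
// dist-tags so a client never resolves to a version that is still on hold.
// Returns { packument, held } where held lists the withheld versions.
function applyTimeLock(packument, lockMinutes, now = Date.now()) {
  const cutoff = now - lockMinutes * 60 * 1000;
  const time = packument.time || {};
  const versions = {};
  const held = [];
  for (const [v, meta] of Object.entries(packument.versions || {})) {
    const published = Date.parse(time[v]);
    // Fail closed: a version with no usable publish timestamp is treated as new.
    if (Number.isNaN(published) || published > cutoff) {
      held.push(v);
      continue;
    }
    versions[v] = meta;
  }
  const unlocked = Object.keys(versions).sort(compareVersions);
  const distTags = {};
  for (const [tag, v] of Object.entries(packument['dist-tags'] || {})) {
    if (versions[v]) {
      distTags[tag] = v;
    } else if (tag === 'latest' && unlocked.length) {
      // "latest" falls back to the newest unlocked version; other tags that
      // point at a held version are dropped rather than guessed.
      distTags.latest = unlocked[unlocked.length - 1];
    }
  }
  const filteredTime = Object.fromEntries(
    Object.entries(time).filter(([k]) => k === 'created' || k === 'modified' || k in versions)
  );
  return {
    packument: { ...packument, versions, 'dist-tags': distTags, time: filteredTime },
    held,
  };
}

// Constructed sample data, not real registry output.
const NOW = Date.parse('2024-06-01T12:00:00Z');
const SAMPLE = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.3.0', next: '1.3.0' },
  versions: { '1.1.0': {}, '1.2.0': {}, '1.3.0': {} },
  time: {
    created: '2024-01-01T00:00:00Z',
    modified: '2024-06-01T11:00:00Z',
    '1.1.0': '2024-03-01T00:00:00Z',
    '1.2.0': '2024-05-30T10:00:00Z', // 50 hours before NOW: past a 24-hour lock
    '1.3.0': '2024-06-01T11:00:00Z', // 1 hour before NOW: still on hold
  },
};

const req = parseLockPath('/lock/1440/example-pkg');
const { packument, held } = applyTimeLock(SAMPLE, req.minutes, NOW);
console.log('held:', held, 'latest:', packument['dist-tags'].latest);
```

Two details matter for the protection to hold: the `time` entries of withheld versions are stripped as well, so a client cannot learn about a pending version from the metadata, and a version with no publish timestamp is treated as new rather than as old, so a malformed upstream record errs on the side of holding.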

Replace timelock-npm-registry.dev with the actual URL of your deployed Cloudflare Worker.

For both npm and pnpm, you can configure the registry on a per-project basis by creating a .npmrc file in your project's root directory with the following content:

registry=https://timelock-npm-registry.dev/lock/1440/

Alternatively, you can set the configuration globally:

For npm:

npm config set registry https://timelock-npm-registry.dev/lock/1440/

For pnpm:

pnpm config set registry https://timelock-npm-registry.dev/lock/1440/

To revert to the default npm registry, run: npm config set registry https://registry.npmjs.org/ or pnpm config set registry https://registry.npmjs.org/.

For bun, configure the registry in your bunfig.toml file:

[install]
registry = "https://timelock-npm-registry.dev/lock/1440/"

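Pointing the package manager at the locked URL only helps if every project actually keeps that setting. The following added check (not part of the TimeLock project) reads a project's .npmrc text and reports any registry entry, default or scoped, that does not use the https://<host>/lock/<minutes>/ URL shape from this page with a lock of at least a team-chosen minimum; the sample .npmrc contents are constructed:

```javascript
// Added example, not the TimeLock project's own code: a CI-style policy check
// that a project's .npmrc points at a time-locked registry with a lock no
// shorter than a required minimum. Assumes the URL shape from this page,
// https://<host>/lock/<minutes>/, and covers both the default `registry=` key
// and scoped `@scope:registry=` keys, since a scope can bypass the default.

const LOCK_URL = /^https:\/\/[^/]+\/lock\/(\d+)\/?$/;

// Parses .npmrc text into [key, value] pairs, skipping comments and blank lines.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

// Returns a list of human-readable problems; an empty list means the policy holds.
function checkRegistryPolicy(npmrcText, minMinutes) {
  const problems = [];
  const registries = parseNpmrc(npmrcText).filter(
    ([k]) => k === 'registry' || k.endsWith(':registry')
  );
  if (!registries.some(([k]) => k === 'registry')) {
    problems.push('no default registry set: installs fall back to registry.npmjs.org with no time lock');
  }
  for (const [key, url] of registries) {
    const m = LOCK_URL.exec(url);
    if (!m) {
      problems.push(`${key} is not a time-locked registry URL: ${url}`);
      continue;
    }
    const minutes = Number(m[1]);
    if (minutes < minMinutes) {
      problems.push(`${key} lock of ${minutes} minutes is below the required ${minMinutes}`);
    }
  }
  return problems;
}

// Constructed sample .npmrc contents.
const GOOD_NPMRC = 'registry=https://timelock-npm-registry.dev/lock/1440/\n';
const BAD_NPMRC = [
  '# scope @acme escapes the lock and the default lock is too short',
  'registry=https://timelock-npm-registry.dev/lock/60/',
  '@acme:registry=https://registry.npmjs.org/',
].join('\n');

for (const problem of checkRegistryPolicy(BAD_NPMRC, 1440)) console.log('policy:', problem);
```

The check deliberately treats a missing default `registry` as a failure, because npm and pnpm then fall back to registry.npmjs.org, which has no hold at all.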
  • Developers who want to minimize supply chain attack risks.
  • Companies that prioritize predictable and secure dependencies.
  • Open-source projects that value trust and ecosystem stability.

TimeLock NPM Registry — the same npm registry you know, but with an added layer of protection through delayed releases.
