[RRFC] Ability to set minimum maturity (in days) of versions to upgrade #646

@limonte

Description

Motivation ("The Why")

When a vulnerability is introduced to an npm package, it takes at least several days to discover the vulnerability and to report the vulnerable release to security databases (npm, Snyk, dependabot, etc.).

Because of that, it would make sense for developers who want stability and security for their projects to use 3rd party dependencies with versions that match these conditions:

  1. as recent as possible (the obvious one)
  2. free from vulnerabilities, i.e. not present in npm/Snyk/dependabot security databases
  3. X days mature, because of the reason mentioned above - it takes time to discover and report vulnerabilities

There's an existing --before parameter, but it doesn't work for this purpose.

Examples

As a maintainer of a popular plugin, I have several times shipped a bug or a breaking change in a patch release. Usually, these issues are noticed by users during the next several hours, and after several more hours I ship another patch release with a fix.

And here's why --before wouldn't work:

  • some-cool-package has 6.6.6 (with a bug) released 4 days ago and 6.6.7 (with the bug fix) released 2 days ago
  • with --before="3 days" the buggy version would be installed, which is the exact opposite of what is desired
  • with --stabilityDays=3 neither 6.6.6 nor 6.6.7 would be installed, which is desired because 6.6.6 is buggy and 6.6.7 is immature.
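An added example (not npm's or Renovate's code) that implements the two selection rules contrasted above over a constructed registry timestamp map for some-cool-package; the pinned "now", the sample publish dates, the minimal version comparison and the "hold when the latest release is immature" behaviour are assumptions of this example, chosen to match the scenario in the bullets:

```javascript
// Added example (not npm's code): the two selection rules the RFC contrasts,
// run over a constructed registry "time" map for the RFC's some-cool-package.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data. "now" is pinned so the ages match the RFC text:
// 6.6.6 (buggy) is 4 days old, 6.6.7 (the fix) is 2 days old.
const NOW = new Date("2021-06-10T00:00:00Z");
const PUBLISH_TIME = {
  "6.6.5": "2021-05-20T00:00:00Z",
  "6.6.6": "2021-06-06T00:00:00Z",
  "6.6.7": "2021-06-08T00:00:00Z",
};

// Minimal x.y.z comparison; enough for this sample, no prerelease handling.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function newest(versions) {
  return versions.length ? [...versions].sort(compareVersions).pop() : null;
}

// --before semantics: newest version published before the cutoff instant.
// It silently falls back to older releases, so a cutoff of "3 days ago"
// lands on the 4-day-old buggy 6.6.6.
function pickBefore(publishTime, cutoff) {
  const eligible = Object.keys(publishTime).filter(
    (v) => new Date(publishTime[v]) < cutoff
  );
  return newest(eligible);
}

// stabilityDays semantics as the RFC describes them: the candidate is the
// newest release; if it is younger than `days`, hold (install nothing new)
// rather than fall back to an older release that a fix has superseded.
function pickWithStabilityDays(publishTime, days, now) {
  const candidate = newest(Object.keys(publishTime));
  if (candidate === null) return null;
  const ageDays = (now - new Date(publishTime[candidate])) / DAY_MS;
  return ageDays >= days ? candidate : null;
}

console.log(pickBefore(PUBLISH_TIME, new Date(NOW.getTime() - 3 * DAY_MS)));
console.log(pickWithStabilityDays(PUBLISH_TIME, 3, NOW));
console.log(pickWithStabilityDays(PUBLISH_TIME, 1, NOW));
```

Run as is, the first call prints "6.6.6" (the --before fallback), the second prints null (held at --stabilityDays=3), and the third prints "6.6.7" once the fix is old enough.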

How

Current Behaviour

None.

Desired Behaviour

npm install --stabilityDays=3

References

Renovate has this feature; it's named stabilityDays: https://docs.renovatebot.com/configuration-options/#stabilitydays

Also stabilityDays is mentioned in this RFC: #549
