Incorrect published date handling breaks min-release-age for npm feeds
-
Due to a recent vulnerability reported in Axios (https://github.com/axios/axios/issues/10604), I configured the npm setting: min-release-age=3
When using ProGet as the npm registry, I encountered an issue where packages that were actually published several days ago are treated as if they were published just moments ago.
Steps to reproduce:
Configure npm with:
min-release-age=3
Use ProGet as the npm registry with a connector to the public npm registry with cache package enabled.
Attempt to install a package that was published more than 3 days ago, e.g.:
npm install --save vite-plugin-svgr@5.2.0
Observed behavior:
The installation fails with:
npm ERR! code ETARGET
npm ERR! notarget No matching version found for vite-plugin-svgr@5.2.0 with a date before <date/time according to min-release-age>.
Running:
npm view vite-plugin-svgr
shows that ProGet reports:
published XX minutes ago
Additionally, in the ProGet UI, the published date matches the cache date, which appears to be incorrect.
Actual package information:
The package vite-plugin-svgr@5.2.0 was published to the public npm registry approximately 7 days ago.
Problem:
ProGet seems to overwrite or ignore the original published timestamp from the upstream npm registry and instead uses the cache/import timestamp.
This behavior breaks compatibility with npm’s min-release-age security feature, making it ineffective when ProGet is used as a proxy.
Expected behavior:
ProGet should preserve the original published date from the upstream npm registry.
The cache/import date must not replace or be treated as the package publish date.
Impact:
This issue makes it impossible to reliably enforce security policies such as min-release-age, which are critical for mitigating risks from newly published (and potentially malicious) packages.
-
Hi @aleksander-szczepanek_3253 ,
If you navigate to Admin > Advanced Settings and check "Use Connector Publish Date", then this will behave as you expect. Note that you will need to delete already-cached packages.
This will be the default behavior in ProGet 2026+.
Cheers,
Alana
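
An added example, not part of the original posts and not ProGet or npm code: a check that compares the per-version `time` map in the registry metadata served by a proxy feed against the upstream copy and flags versions that a min-release-age cutoff would treat differently. The package name, dates and function names are constructed, and the age comparison is a simplified model of npm's filter.

```javascript
// Added example with constructed data; not ProGet or npm source code.
const DAY_MS = 24 * 60 * 60 * 1000;
const META_KEYS = new Set(['created', 'modified']); // non-version keys in "time"

// Constructed sample metadata: upstream publish dates vs. a proxy that
// reports its cache time for 1.1.0 instead of the upstream publish time.
const SAMPLE_NOW = new Date('2026-04-10T12:00:00Z');
const SAMPLE_UPSTREAM = { name: 'example-pkg', time: {
  created: '2026-03-01T09:00:00Z', modified: '2026-04-03T12:00:00Z',
  '1.0.0': '2026-03-01T09:00:00Z', '1.1.0': '2026-04-03T12:00:00Z' } };
const SAMPLE_PROXY = { name: 'example-pkg', time: {
  '1.0.0': '2026-03-01T09:00:00Z', '1.1.0': '2026-04-10T11:30:00Z' } };

// Simplified model of the age gate: a version passes when its publish
// time is at least minAgeDays before "now".
function eligibleVersions(packument, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  return Object.entries(packument.time || {})
    .filter(([key, iso]) => !META_KEYS.has(key) && Date.parse(iso) <= cutoff)
    .map(([version]) => version)
    .sort();
}

// Report versions whose proxy timestamp differs from upstream by more than
// toleranceMs, and whether the drift flips the age-gate decision.
function auditPublishDates(proxy, upstream, minAgeDays, now, toleranceMs = 60000) {
  const okUpstream = new Set(eligibleVersions(upstream, minAgeDays, now));
  const okProxy = new Set(eligibleVersions(proxy, minAgeDays, now));
  const findings = [];
  for (const [version, upstreamIso] of Object.entries(upstream.time || {})) {
    const proxyIso = (proxy.time || {})[version];
    if (META_KEYS.has(version) || proxyIso === undefined) continue;
    const driftMs = Date.parse(proxyIso) - Date.parse(upstreamIso);
    if (Math.abs(driftMs) <= toleranceMs) continue;
    findings.push({
      version, upstream: upstreamIso, proxy: proxyIso,
      driftDays: Number((driftMs / DAY_MS).toFixed(2)),
      wronglyBlocked: okUpstream.has(version) && !okProxy.has(version),
      wronglyAllowed: !okUpstream.has(version) && okProxy.has(version),
    });
  }
  return findings;
}

console.log(auditPublishDates(SAMPLE_PROXY, SAMPLE_UPSTREAM, 3, SAMPLE_NOW));
```

A `wronglyAllowed` finding is the case to alert on first, since it means the proxy reports a version as older than upstream does and the age gate would let it through early.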