Due to a recent vulnerability reported in Axios (https://github.com/axios/axios/issues/10604), I configured the npm setting:
min-release-age=3
When using ProGet as the npm registry, I encountered an issue where packages that were actually published several days ago are treated as if they were published just moments ago.
Steps to reproduce:
1. Configure npm with:
   min-release-age=3
2. Use ProGet as the npm registry, with a connector to the public npm registry and package caching enabled.
3. Attempt to install a package that was published more than 3 days ago, e.g.:
   npm install --save vite-plugin-svgr@5.2.0
Observed behavior:
The installation fails with:
npm ERR! code ETARGET
npm ERR! notarget No matching version found for vite-plugin-svgr@5.2.0 with a date before <date/time according to min-release-age>.
Running:
npm view vite-plugin-svgr
shows that ProGet reports:
published XX minutes ago
Additionally, in the ProGet UI, the published date matches the cache date, which appears to be incorrect.
Actual package information:
The package vite-plugin-svgr@5.2.0 was published to the public npm registry approximately 7 days ago.
Problem:
ProGet seems to overwrite or ignore the original published timestamp from the upstream npm registry and instead uses the cache/import timestamp.
This behavior breaks compatibility with npm’s min-release-age security feature, making it ineffective when ProGet is used as a proxy.
Expected behavior:
ProGet should preserve the original published date from the upstream npm registry.
The cache/import date must not replace or be treated as the package publish date.
Impact:
This issue makes it impossible to reliably enforce security policies such as min-release-age, which are critical for mitigating risks from newly published (and potentially malicious) packages.
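To make the failure mode concrete, here is an added example (not code from this issue, from ProGet, or from npm itself) that models, in simplified form, how a min-release-age check selects a version from a registry packument's `time` map, and then compares the `time` map served by a proxy against the upstream one to flag publish dates that were replaced by a cache/import date. The package name, version numbers, timestamps and the pinned "now" are constructed for illustration; `pickVersion` is an approximation of npm's selection logic, not its actual implementation.

```javascript
// Added example: simplified min-release-age selection over a packument, plus a
// check that a proxy registry preserved upstream publish dates.
// All packument data below is constructed, not taken from a real registry.

const DAY_MS = 24 * 60 * 60 * 1000;

// Compare two "major.minor.patch" strings numerically, segment by segment.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return the highest version whose publish date (packument `time[version]`) is at
// least `minReleaseAgeDays` old as of `now`, or null when no version qualifies.
// A null result is the situation behind an ETARGET "with a date before ..." error:
// every version looks too new to install.
function pickVersion(packument, minReleaseAgeDays, now) {
  const cutoff = now.getTime() - minReleaseAgeDays * DAY_MS;
  const candidates = Object.keys(packument.versions).filter((v) => {
    const published = packument.time && packument.time[v];
    if (!published) return false; // no publish date known: not eligible
    return new Date(published).getTime() <= cutoff;
  });
  if (candidates.length === 0) return null;
  candidates.sort(compareSemver);
  return candidates[candidates.length - 1];
}

// List every version whose publish date differs between the upstream packument
// and the one served by a proxy (e.g. because the proxy substituted its cache date).
function findRewrittenDates(upstream, proxied) {
  const rewritten = [];
  for (const v of Object.keys(upstream.versions)) {
    const up = upstream.time[v];
    const px = proxied.time && proxied.time[v];
    if (up !== px) rewritten.push({ version: v, upstream: up, proxied: px });
  }
  return rewritten;
}

// Constructed sample data. "now" is pinned so the results are reproducible.
const NOW = new Date('2026-03-20T12:00:00Z');

// What the public registry reports: 5.2.0 was published 7 days before NOW.
const upstream = {
  name: 'example-plugin',
  versions: { '5.1.0': {}, '5.2.0': {} },
  time: {
    '5.1.0': '2026-01-10T00:00:00Z',
    '5.2.0': '2026-03-13T00:00:00Z',
  },
};

// What a proxy that replaces publish dates with its cache time would report:
// both versions appear to have been published minutes ago.
const proxied = {
  name: 'example-plugin',
  versions: { '5.1.0': {}, '5.2.0': {} },
  time: {
    '5.1.0': '2026-03-20T11:45:00Z',
    '5.2.0': '2026-03-20T11:45:00Z',
  },
};

console.log('upstream, min age 3 days ->', pickVersion(upstream, 3, NOW));
console.log('proxied,  min age 3 days ->', pickVersion(proxied, 3, NOW));
console.log('rewritten dates:', findRewrittenDates(upstream, proxied));
```

Against the upstream data the 3-day policy selects 5.2.0; against the proxied data no version is eligible, which is the same outcome as the ETARGET failure described above. Running `findRewrittenDates` over the real `npm view <pkg> time --json` output from both registries is a quick way to confirm whether a proxy is preserving publish dates before relying on min-release-age behind it.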