From a13a2bc22a52a0747d2382ab0097b035af2c3565 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 8 Apr 2026 08:22:25 +0200 Subject: [PATCH 1/2] docs: document minimumDependencyAge deno.json setting Adds documentation for the minimumDependencyAge configuration option, which protects against supply chain attacks by requiring dependencies to have existed for a minimum age before installation. Closes #3017 Co-Authored-By: Claude Opus 4.6 (1M context) --- runtime/fundamentals/configuration.md | 43 +++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/runtime/fundamentals/configuration.md b/runtime/fundamentals/configuration.md index 679a48c22..b3bbebdbd 100644 --- a/runtime/fundamentals/configuration.md +++ b/runtime/fundamentals/configuration.md 
@@ -300,6 +300,49 @@ Deno uses lockfile by default, you can disable it with following configuration: } ``` +## Minimum dependency age + +:::caution Unstable feature + +This feature is unstable and requires the `--unstable-npm-lazy-caching` flag or +can be configured directly in `deno.json`. + +::: + +The `minimumDependencyAge` field specifies the minimum age a dependency must have +before Deno will install it. This is a supply chain security measure that +protects against recently published malicious packages by ensuring only +dependencies that have existed for a specified period are allowed. + +The value can be specified as a number of minutes, an +[ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations), or an +[RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) timestamp: + +```json title="deno.json" +{ + // Number of minutes (e.g. 120 = 2 hours) + "minimumDependencyAge": 120 +} +``` + +```json title="deno.json" +{ + // ISO 8601 duration (e.g. P2D = 2 days) + "minimumDependencyAge": "P2D" +} +``` + +```json title="deno.json" +{ + // RFC 3339 absolute cutoff date + "minimumDependencyAge": "2025-09-16" +} +``` + +This setting can be overridden on the command line with +`--minimum-dependency-age=`, or disabled with +`--minimum-dependency-age=0`. + ## Node modules directory By default Deno uses a local `node_modules` directory if you have a From 9a2d42ba7b1aba2f034989cc233898d5b9527ecd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 8 Apr 2026 08:26:00 +0200 Subject: [PATCH 2/2] chore: format with deno fmt Co-Authored-By: Claude Opus 4.6 (1M context) --- runtime/fundamentals/configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/runtime/fundamentals/configuration.md b/runtime/fundamentals/configuration.md index b3bbebdbd..4626df8a1 100644 --- a/runtime/fundamentals/configuration.md +++ b/runtime/fundamentals/configuration.md 
@@ -309,8 +309,8 @@ can be configured directly in `deno.json`. ::: -The `minimumDependencyAge` field specifies the minimum age a dependency must have -before Deno will install it. This is a supply chain security measure that +The `minimumDependencyAge` field specifies the minimum age a dependency must +have before Deno will install it. This is a supply chain security measure that protects against recently published malicious packages by ensuring only dependencies that have existed for a specified period are allowed.
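Review bot: In PATCH 1/2, the third `deno.json` example is commented as an "RFC 3339 absolute cutoff date", but its value `"2025-09-16"` is a bare date with no time or UTC offset, while the prose above it links to RFC 3339 timestamps, which carry both. Either show a full timestamp in the example or state in the prose that a date-only value is accepted and how its time of day and zone are interpreted. The same paragraph should also explain how an absolute date relates to a "minimum age": the field is introduced as an age, and a fixed cutoff does not move forward with time, so readers need to know which side of the date is allowed. Two smaller gaps in the same hunk: the section never says what Deno does when a dependency is younger than the threshold (fail the install, or resolve to an older version that satisfies the range), and `--minimum-dependency-age=` is shown with nothing after the `=`, where a value placeholder would make the override syntax clear.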
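Review bot: PATCH 2/2 only moves the line break between "must" and "have" in the paragraph that PATCH 1/2 introduced, so this formatting fix is better squashed into 1/2 than carried as a separate commit. That leaves a single commit for the new section in `runtime/fundamentals/configuration.md` and avoids a history entry whose only content is a re-wrap of lines added minutes earlier.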