From aaffc51458c9e0f74338cbe0d27fe21175c002c7 Mon Sep 17 00:00:00 2001 From: Aymen Hmaidi Date: Sat, 11 Apr 2026 20:53:02 +0100 Subject: [PATCH] docs: add minimumDependencyAge to configuration reference Document the minimumDependencyAge field in deno.json, which prevents downloading dependencies published too recently as a supply chain security measure. Covers number, ISO 8601 duration, and RFC 3339 date formats, plus the CLI override flag. Closes #3017 --- runtime/fundamentals/configuration.md | 48 +++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/runtime/fundamentals/configuration.md b/runtime/fundamentals/configuration.md index 679a48c22..a71387ff8 100644 --- a/runtime/fundamentals/configuration.md +++ b/runtime/fundamentals/configuration.md 
@@ -300,6 +300,54 @@ Deno uses lockfile by default, you can disable it with following configuration: } ``` +## Minimum dependency age + +:::caution Unstable feature + +This feature is currently unstable and may change in future versions. + +::: + +The `minimumDependencyAge` field in `deno.json` prevents Deno from downloading +dependencies that were published too recently. This is a supply chain security +measure that helps protect against attacks where a malicious version is published +and quickly consumed before being detected. + +The value can be specified as a number of minutes, an ISO 8601 duration, or an +RFC 3339 date: + +```json title="deno.json" +{ + // Number of minutes — dependencies must be at least 2 hours old + "minimumDependencyAge": 120 +} +``` + +```json title="deno.json" +{ + // ISO 8601 duration — dependencies must be at least 2 days old + "minimumDependencyAge": "P2D" +} +``` + +```json title="deno.json" +{ + // RFC 3339 date — only accept dependencies published before this date + "minimumDependencyAge": "2025-09-16" +} +``` + +This setting can be overridden on the command line with +`--minimum-dependency-age`: + +```sh +# Override the configured minimum age +deno install --minimum-dependency-age=60 + +# Disable the minimum age check +deno install --minimum-dependency-age=0 +``` + ## Node modules directory By default Deno uses a local `node_modules` directory if you have a
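Review bot: The third example, `"minimumDependencyAge": "2025-09-16"`, is an absolute cutoff rather than an age, and only its inline comment hints at that. A fixed date never advances, so a project that copies this example will stop resolving any version published after that day. Suggest adding a sentence after the example that says the date form pins a cutoff, and that states how a bare date with no time or offset is interpreted. In the CLI section, `deno install --minimum-dependency-age=0` is shown turning the check off with no note that this removes the protection configured in `deno.json` for that run; since the section presents the field as a supply chain measure, it is worth saying so explicitly for readers who depend on it in CI. Both CLI examples use minute values only, so please state whether the flag also accepts the ISO 8601 duration and date forms. The section also does not say what happens to versions already recorded in the lockfile, which the preceding section covers, or what the user sees when no version is old enough.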