Analysis updated 2026-05-18
Run a self-hosted proxy that rejects npm packages published too recently.
Add a supply-chain safety net for a team's local or CI npm installs.
Redirect npm registry traffic through a custom age-check gate.
| jason-snell/npm-age-checker-proxy | anulman/docx-sax | atrblizzard/vtmb-sbox-mounter | |
|---|---|---|---|
| Stars | 0 | 0 | 0 |
| Language | C# | C# | C# |
| Setup difficulty | — | moderate | moderate |
| Complexity | — | 4/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
npm-age-checker-proxy is a small network proxy that protects developers from a common type of supply chain attack by blocking newly published packages from being installed. The attack it defends against works like this: a bad actor publishes a malicious package to the npm registry (the central repository where JavaScript packages are distributed), either under a confusingly similar name to a popular package or by compromising an existing one. Because the malicious package is brand new, many developers' machines will install it before security researchers have had time to detect and flag it. This proxy sits between your development machine and the npm registry. When you run a package installation command, the proxy intercepts the request, checks how long ago that specific package version was published, and blocks the installation if the package is younger than a configurable minimum age. By default the threshold is 30 days. Packages older than that are forwarded to the real registry and installed normally. If a package is too new, you get a clear error message explaining why it was blocked and how many days old it actually is. Setting it up involves running the proxy as a service, then redirecting your machine's npm traffic to go through it, either by editing a system hosts file or by pointing npm at a local registry address. The minimum age threshold is controlled by a single environment variable. It is built in C# as a single binary with minimal overhead, and works with any npm client.
A lightweight C# proxy that blocks npm package installs unless the package is at least 30 days old, guarding against fresh malicious uploads.
Mainly C#. The stack also includes C#, .NET.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.