Show HN: Safe-NPM – only install packages that are +90 days old

New tool says “wait 90 days” before adding code — fans call it smart, critics call it slow

TLDR: Safe‑NPM installs only versions at least 90 days old to avoid sudden malicious updates. Commenters split: some say it duplicates npm/pnpm features and fails to control hidden nested packages, while others argue waiting means missing urgent fixes—making the real battle safety vs speed.

Hacker News just met Safe‑NPM, a command-line tool that tells your package manager to only install code that’s been public for at least 90 days. The pitch: stop surprise hacks from freshly published updates by letting the wider security crowd find the bad stuff first. Sounds safe? The comments erupted. Team Patience cheered the vibe of “older is wiser,” while Team Now shot back with the zinger: “So we’re 90 days late on fixes?” Links flew like popcorn: one crowd asked if this is already covered by npm itself (docs), another pointed to pnpm’s built‑in defenses (pnpm) and basically said, “We’ve had this.” The spiciest take slammed the tool for not locking down transitive dependencies, the nested packages your direct dependencies pull in, calling it “vastly less useful” without full control. Others went practical: pin exact versions and block install scripts, which translates to: lock your stuff and don’t let random code run. Meanwhile, Safe‑NPM’s knobs (like stricter mode and custom wait times) got polite nods, but the vibe was clear: if it can’t wrangle the whole dependency family, people will stick with tools that do. And yes, the jokes landed too: “No‑FOMO NPM,” “Grandma‑approved packages,” and plenty of “ship late, sleep great” memes made the thread feel like a roast with a side of cybersecurity.

Key Points

  • Safe-npm installs only package versions older than a minimum age (default 90 days) to mitigate supply chain attacks.
  • It filters available versions from the npm registry by publish date, then applies semver constraints to choose the newest allowed version.
  • Installation options include npm global install via @dendronhq/safe-npm or building from source and linking the binary.
  • Key options include --min-age-days, --ignore, --strict, --dev/--prod-only, and --strategy (direct or overrides).
  • The overrides strategy, which writes resolved versions to package.json’s overrides field, is currently disabled.
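The selection rule described in the Key Points (filter by publish age first, then apply the semver range and take the newest survivor), as an added JavaScript example that is not Safe-NPM's own code. It assumes the shape of an npm registry packument's `time` map (version string to ISO publish date), supports only exact, tilde and caret ranges, and runs over a constructed sample.

```javascript
// Added example (not Safe-NPM's own code): drop versions younger than the
// minimum age, then pick the newest remaining version that satisfies the range.
const DAY_MS = 24 * 60 * 60 * 1000;
// Constructed sample of a packument's "time" field (not a real package).
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2024-06-20T00:00:00.000Z",
  "1.2.0": "2024-01-01T00:00:00.000Z",
  "1.2.1": "2024-02-15T00:00:00.000Z",
  "1.3.0": "2024-06-20T00:00:00.000Z", // newest, but published too recently
  "2.0.0": "2024-03-01T00:00:00.000Z",
};

// "x.y.z" -> [x, y, z]; null for "created"/"modified" keys and prereleases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range matcher: exact "1.2.3", tilde "~1.2.3", caret "^1.2.3".
function satisfies(v, range) {
  const op = "^~".includes(range[0]) ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(v, base);
  if (!op) return c === 0;
  if (c < 0) return false;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  if (base[0] !== 0) return v[0] === base[0]; // ^1.x: same major
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1]; // ^0.x: same minor
  return c === 0; // ^0.0.z: exact match only
}

// Returns the chosen version string, or null when nothing old enough matches.
function resolveSafeVersion(timeMap, range, minAgeDays, now = Date.now()) {
  const cutoff = now - minAgeDays * DAY_MS;
  let best = null;
  for (const [ver, published] of Object.entries(timeMap)) {
    const parsed = parseVersion(ver);
    if (!parsed || Date.parse(published) > cutoff) continue; // skip too-young
    if (!satisfies(parsed, range)) continue;
    if (!best || compareVersions(parsed, best.parsed) > 0) best = { ver, parsed };
  }
  return best ? best.ver : null;
}
```

Note that the age filter runs before the range match, so a range that only a recent release satisfies resolves to nothing rather than silently falling back to the young version.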

Hottest takes

"Doesn't this just mean you're 90 days late on any patches?" — asdkkthrowaway
"Not controlling transitive deps makes this vastly less useful" — tkzed49
"this is a default feature in pnpm" — moritzwarhier
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.