Closed
Description
Warn when the version being installed has only very recently been published. That would invite extra caution because scanners and the community may not yet have found any newly introduced issues.
Expected Behavior
A warning on the line after "Checking package maturity" if the version was published less than, e.g., 1 day ago.
Current Behavior
No change to existing behavior; this would be an additional check.
Possible Solution
The publish date is available in the package metadata (npm info).
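A sketch of such a check, added here as an example and not the project's own code: it reads the version's publish time from the `time` map of the npm registry packument (the data `npm info <pkg> time --json` prints), resolves a dist-tag like `latest` first, and warns when the version is younger than the threshold. The `example-pkg` packument, its timestamps and the `NOW` clock are constructed.

```javascript
// Added example, not the project's own code: warn when the version about to
// be installed was published less than a threshold ago, using the `time` map
// in the npm registry packument (what `npm info <pkg> time --json` prints).

const ONE_DAY_MS = 24 * 60 * 60 * 1000; // the "e.g. 1 day" threshold from the issue

// Constructed packument: "example-pkg" and its timestamps are made up.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T12:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-02-01T00:00:00.000Z",
    "1.2.0": "2024-03-10T12:00:00.000Z", // published 6h before NOW below
  },
};
const NOW = Date.parse("2024-03-10T18:00:00.000Z"); // constructed clock

// `npm install pkg` resolves a dist-tag (usually "latest"), so map tags to
// concrete versions first; anything else is treated as an exact version.
function resolveVersion(packument, spec) {
  const tags = packument["dist-tags"] || {};
  return tags[spec] || spec;
}

// Returns { status: "warn" | "ok" | "unknown", version, ageMs, message }.
// "unknown" covers versions missing from `time` or with unparsable dates; a
// caller should surface that rather than silently treat it as mature.
function checkPackageMaturity(packument, spec, opts = {}) {
  const minAgeMs = opts.minAgeMs ?? ONE_DAY_MS;
  const now = opts.now ?? Date.now();
  const version = resolveVersion(packument, spec);
  const publishedAt = Date.parse((packument.time || {})[version] || "");
  if (Number.isNaN(publishedAt)) {
    return { status: "unknown", version, ageMs: null,
      message: `${packument.name}@${version}: no publish time in registry metadata` };
  }
  const ageMs = now - publishedAt;
  if (ageMs < minAgeMs) {
    const hours = Math.max(0, Math.floor(ageMs / 3600000));
    return { status: "warn", version, ageMs,
      message: `${packument.name}@${version} was published ${hours}h ago; ` +
               `scanners and the community may not have reviewed it yet` };
  }
  return { status: "ok", version, ageMs, message: null };
}

// Stand-alone run with the constructed data:
for (const spec of ["latest", "1.1.0", "9.9.9"]) {
  console.log(checkPackageMaturity(SAMPLE_PACKUMENT, spec, { now: NOW }));
}
```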
Context
For example, when node-ipc was compromised there was a time window before the issue was identified, and anyone who happened to install during that window was impacted.
The counterpoint to this whole idea however is that if everyone holds off installing recently published versions, it could delay identification of security issues.