Delay upstream policy

Prevent newly published packages from external upstreams

The delay upstream policy prevents newly published packages from being added to a Bytesafe registry until a set delay (in days) has passed since publication. Until then, such a new version will not be accepted from an external upstream.

Many critical vulnerabilities and malicious packages are found and fixed quickly after release. Yet it is common practice to regularly pull the latest versions from public upstreams, regardless of how long a package version has been available.

The policy protects registries from new package versions that have not yet reached the desired maturity since release.

If a package has multiple versions available in an upstream, Bytesafe will fetch the most recent allowed version within the requested version range.

The delay time for a registry is configurable in the policy settings, up to a maximum of 90 days delay.

Example

A new version of a dependency, 1.3.0, is released to the public npm registry. While current time < publish time + delay time, Bytesafe selects the previous version 1.2.3, because the new version does not yet qualify.

flowchart LR
  A{Bytesafe} <--- B[/Dependency v.1.2.3/] <---  C[fab:fa-npm registry.npmjs.org]

Once current time >= publish time + delay time, the new version 1.3.0 is allowed, and any subsequent fetches will use that version instead.

flowchart LR
  A{Bytesafe} <--- B[/Dependency v.1.3.0/]  <---  C[fab:fa-npm registry.npmjs.org]

Balance security needs against flexible access to new versions by setting the delay time that suits your organization. The policy applies both to developers and to CI/CD pipelines, where you may not always control when builds are triggered.

The delay upstream policy only applies to external upstreams. It will not delay pull operations between internal registries.

Delay-upstream settings

The delay upstream policy will not rewrite or modify metadata such as dist-tags. Directly requesting a tag like @latest that refers to a disallowed version will result in an error.

Users are advised to specify the version explicitly when adding individual packages, as pkg@version, where version is an allowed version, to avoid such errors.