Replies: 1 comment 1 reply
-
There's an issue about it: #9921
-
Due to the increasingly frequent security incidents in npm packages, I wanted to outline a possible idea here to help mitigate the problem somewhat.
Some examples of such incidents in recent weeks:
I would like the CLI command outdated to be extended to inform about WHEN a new version was released. Additionally, update --interactive and update --latest could be enhanced with a setting that allows listing or updating only those packages whose new versions are older than X days. This approach could prevent or at least reduce the risk of falling into current traps, as most incidents are discovered and fixed within the first few days after release.
Of course, there must be an exception if a security vulnerability is known in the currently installed version. In this case, immediate notification or marking should be provided.
I look forward to your feedback or maybe there are better ideas to address this issue.
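The rule proposed above (only move to versions that are at least X days old, except when the installed version is itself known to be vulnerable) is small enough to show end to end. The following Node.js script is an added example, not code from the poster or from any package manager's update or outdated command. The packuments, installed versions, reference date and the vulnerableInstalled set are all constructed for the example; the packument shape does mirror the npm registry's real time (version to ISO publish date) and dist-tags fields, and the function names (planUpdates, renderReport) are the example's own.

```javascript
// Added example: a "minimum release age" update planner of the kind the
// post proposes. Nothing here is pnpm/npm code.
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse "MAJOR.MINOR.PATCH"; returns null for non-release keys such as the
// registry's "created"/"modified" entries and for prerelease tags, which a
// cooldown policy should not auto-select anyway.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function ageInDays(isoDate, now) {
  return Math.floor((now.getTime() - Date.parse(isoDate)) / MS_PER_DAY);
}

// Decide, per installed package, which version an age-aware update would pick.
//   packuments: { name: { 'dist-tags': { latest }, time: { created, modified, <version>: iso } } }
//   installed:  { name: currentVersion }
//   opts.minAgeDays: newer versions younger than this are withheld
//   opts.now: reference Date, injected so results are deterministic
//   opts.vulnerableInstalled: Set of "name@version" known to be vulnerable
//     (a constructed stand-in for real advisory data)
function planUpdates(packuments, installed, opts) {
  const { minAgeDays, now, vulnerableInstalled = new Set() } = opts;
  const plan = [];
  for (const [name, current] of Object.entries(installed)) {
    const pkg = packuments[name];
    const newer = Object.entries(pkg.time)
      .filter(([v]) => parseVersion(v) && compareVersions(v, current) > 0)
      .map(([v, iso]) => ({ version: v, ageDays: ageInDays(iso, now) }))
      .sort((x, y) => compareVersions(y.version, x.version)); // newest first
    const vulnerable = vulnerableInstalled.has(`${name}@${current}`);
    // Security exception: a vulnerable installed version may move immediately.
    const eligible = vulnerable ? newer : newer.filter(c => c.ageDays >= minAgeDays);
    const target = eligible[0] || null;
    plan.push({
      name,
      current,
      latest: pkg['dist-tags'].latest,
      target: target ? target.version : null,
      targetAgeDays: target ? target.ageDays : null,
      withheld: newer.filter(c => !eligible.includes(c)).map(c => c.version),
      reason: vulnerable ? 'security-override' : target ? 'cooldown-passed' : 'no-eligible-update',
    });
  }
  return plan;
}

// Render the plan the way an age-aware `outdated` listing might look.
function renderReport(plan) {
  return plan.map(p => {
    const to = p.target ? `${p.target} (${p.targetAgeDays}d old)` : '(none eligible)';
    const held = p.withheld.length ? `  withheld: ${p.withheld.join(', ')}` : '';
    return `${p.name}  ${p.current} -> ${to}  [${p.reason}]${held}`;
  }).join('\n');
}

// Constructed sample data; dates are relative to SAMPLE_NOW below.
const SAMPLE_NOW = new Date('2025-09-20T00:00:00Z');
const SAMPLE_PACKUMENTS = {
  'example-lib-a': { 'dist-tags': { latest: '1.3.1' }, time: {
    created: '2024-01-01T00:00:00Z', modified: '2025-09-18T12:00:00Z',
    '1.2.0': '2025-06-01T00:00:00Z', '1.3.0': '2025-09-05T00:00:00Z', '1.3.1': '2025-09-18T12:00:00Z' } },
  'example-lib-b': { 'dist-tags': { latest: '2.0.1' }, time: {
    created: '2024-01-01T00:00:00Z', modified: '2025-09-19T00:00:00Z',
    '2.0.0': '2025-01-10T00:00:00Z', '2.0.1': '2025-09-19T00:00:00Z' } },
  'example-lib-c': { 'dist-tags': { latest: '0.9.1' }, time: {
    created: '2024-01-01T00:00:00Z', modified: '2025-09-19T00:00:00Z',
    '0.9.0': '2025-03-01T00:00:00Z', '0.9.1': '2025-09-19T00:00:00Z' } },
  'example-lib-d': { 'dist-tags': { latest: '4.1.0' }, time: {
    created: '2024-01-01T00:00:00Z', modified: '2025-08-01T00:00:00Z',
    '4.1.0': '2025-08-01T00:00:00Z' } },
};
const SAMPLE_INSTALLED = { 'example-lib-a': '1.2.0', 'example-lib-b': '2.0.0', 'example-lib-c': '0.9.0', 'example-lib-d': '4.1.0' };
const SAMPLE_VULNERABLE = new Set(['example-lib-c@0.9.0']); // constructed advisory stand-in

console.log(renderReport(planUpdates(SAMPLE_PACKUMENTS, SAMPLE_INSTALLED, {
  minAgeDays: 7, now: SAMPLE_NOW, vulnerableInstalled: SAMPLE_VULNERABLE,
})));
```

With a 7-day threshold, example-lib-a moves to 1.3.0 (15 days old) while 1.3.1 (1 day old) is withheld, example-lib-b gets no update because its only newer version is a day old, and example-lib-c skips the cooldown entirely because the installed 0.9.0 is flagged as vulnerable. The reference date is injected rather than read from the clock so that a CI run of this policy is reproducible.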