I don't know when this was added, but if you use Bun in your TypeScript project you might be familiar with bun update, the command for upgrading the packages you pin and depend on. You can now pass it a "cool down period", a minimum release age in seconds: a newer version of a package doesn't count as a candidate unless it has been published for at least that long.

This is valuable for avoiding installing compromised npm packages. Sometimes a package gets hacked: a maintainer account or publishing pipeline is taken over and a malicious version is pushed to the registry. If you were unlucky enough to upgrade during that window, you would have pinned the compromised version into your lock file. When the Axios supply chain attack happened, there was a 39 minute window during which installing the latest version of axios would (potentially) have pulled in the bad version. Note what a cool down period does and doesn't buy you: it helps because malicious versions of popular packages tend to be noticed and unpublished quickly, but it gives no protection against one that sits undetected for longer than your cool down, so treat it as a complement to pinning and lock file review rather than a replacement.

Now, this is how I use bun update:


bun update --interactive --minimum-release-age=86400

That is, it won't upgrade to any version that has been published for less than 86400 seconds (1 day).
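To make the rule concrete, here is the cool down check written out as a small TypeScript function, run against a constructed registry "time" map (the version-to-publish-date map that a registry packument carries). This is an added illustration, not Bun's implementation and not code from the original post: the package versions and dates are made up, and the fallback it models (when the newest version is too fresh, take the newest one that is old enough) is an assumption about how such an option should behave, not a statement about Bun's internals.

```typescript
// Added example: the minimum-release-age rule as a stand-alone function.
// Not Bun's own code; the data below is constructed for illustration.

// version -> ISO 8601 publish time, the shape of a registry packument's "time" field.
type TimeMap = Record<string, string>;

/** Parse "1.2.3" into numeric parts; returns null for prereleases or non-version keys. */
function parseVersion(v: string): number[] | null {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

/** Plain major.minor.patch comparison; positive when a is newer than b. */
function compareVersions(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

/**
 * Return the newest version that had been published for at least
 * `minimumReleaseAgeSeconds` as of `now`, or null if no version qualifies.
 * Non-version keys such as "created" and "modified" are skipped, and so is
 * any entry with an unparseable date (an unknown age is treated as too fresh).
 */
function pickVersion(time: TimeMap, minimumReleaseAgeSeconds: number, now: Date): string | null {
  const cutoff = now.getTime() - minimumReleaseAgeSeconds * 1000;
  let best: { version: string; parts: number[] } | null = null;
  for (const [version, published] of Object.entries(time)) {
    const parts = parseVersion(version);
    if (!parts) continue;
    const publishedAt = Date.parse(published);
    if (Number.isNaN(publishedAt) || publishedAt > cutoff) continue; // too fresh: skip it
    if (!best || compareVersions(parts, best.parts) > 0) best = { version, parts };
  }
  return best ? best.version : null;
}

// Constructed sample data, not any real package's history: 1.13.0 was pushed
// 30 minutes before "now"; 1.12.2 has been out for three weeks.
const sampleTime: TimeMap = {
  created: "2024-01-10T10:00:00.000Z",
  modified: "2026-04-01T11:30:00.000Z",
  "1.12.1": "2026-02-20T09:00:00.000Z",
  "1.12.2": "2026-03-11T09:00:00.000Z",
  "1.13.0": "2026-04-01T11:30:00.000Z",
};
const sampleNow = new Date("2026-04-01T12:00:00.000Z");

console.log("no cool down:   ", pickVersion(sampleTime, 0, sampleNow));     // 1.13.0
console.log("1 day cool down:", pickVersion(sampleTime, 86400, sampleNow)); // 1.12.2
```

Run it with bun run (or any TypeScript runner); the half-hour-old 1.13.0 is exactly the kind of release a 39 minute compromise window produces, and with an 86400 second cool down the function settles on 1.12.2 instead.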
