I don't know when this was added, but if you use Bun in your TypeScript project you might be familiar with bun update, the CLI command for upgrading the packages you pin and depend on. You can now pass it a "cool down period", which means a package update doesn't count unless it has been published for at least X hours.

This is critical for avoiding installing compromised NPM packages. Sometimes a package gets hacked. If you were unlucky enough to upgrade during that window of time, you could have pinned an insecure/compromised version into your lock file. When the Axios supply chain attack happened, there was a 39 minute window when installing the latest version of axios would (potentially) sneak in the bad package version.

Now, this is how I use bun update:

bun update --interactive --minimum-release-age=86400

That means it won't upgrade anything that hasn't sat on the registry for at least 1 day (86400 seconds).
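To make the cool-down idea concrete, here is an added example (my own illustration, not Bun's implementation) of the filter that such a flag has to apply. It assumes the shape of the npm registry's `time` field (version name to ISO 8601 publish timestamp, plus `created` and `modified`), and the package metadata in `SAMPLE_TIME` is constructed for the example, not taken from any real package.

```typescript
// Added example: a minimal "minimum release age" filter over npm registry
// metadata. This is NOT Bun's code, only an illustration of the idea behind
// --minimum-release-age: a version is eligible for install/update only if it
// was published at least minAgeSeconds before "now"; newer ones are in cooldown.

// Shape of the `time` field in an npm registry document
// (https://registry.npmjs.org/<pkg>): version -> ISO 8601 publish timestamp,
// plus the non-version keys "created" and "modified".
type RegistryTime = Record<string, string>;

// Parse "MAJOR.MINOR.PATCH" into numbers for ordering. Prerelease tags are
// deliberately not handled; this is a toy comparator, not a full semver one.
function parseVersion(v: string): number[] {
  return v.split(".").map((part) => Number.parseInt(part, 10));
}

function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every version published at least minAgeSeconds before `now`,
// newest first. Anything published more recently is skipped as "in cooldown".
function eligibleVersions(time: RegistryTime, minAgeSeconds: number, now: Date): string[] {
  const cutoff = now.getTime() - minAgeSeconds * 1000;
  return Object.entries(time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort((a, b) => compareVersions(b, a));
}

// The version an updater honouring the cool-down would pick, or undefined if
// nothing has aged enough yet.
function newestEligible(time: RegistryTime, minAgeSeconds: number, now: Date): string | undefined {
  return eligibleVersions(time, minAgeSeconds, now)[0];
}

// Constructed sample metadata (not a real package): 1.2.3 was published only
// 30 minutes before SAMPLE_NOW, so with a one-day cool-down it must be skipped.
const SAMPLE_TIME: RegistryTime = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2024-03-10T11:30:00.000Z",
  "1.2.1": "2024-02-01T00:00:00.000Z",
  "1.2.2": "2024-03-08T09:00:00.000Z",
  "1.2.3": "2024-03-10T11:30:00.000Z",
};
const SAMPLE_NOW = new Date("2024-03-10T12:00:00.000Z");

// Same 86400-second cool-down as the bun update command above.
console.log("no cool-down :", newestEligible(SAMPLE_TIME, 0, SAMPLE_NOW));
console.log("1 day cool-down:", newestEligible(SAMPLE_TIME, 86400, SAMPLE_NOW));
```

The important property is that the freshly published 1.2.3 is invisible to the updater until it has aged, which is exactly the window in which a hijacked release is most likely to be caught and unpublished before anyone pins it.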
