You can now use the upstream publish date in Enterprise Policy Manager (EPM) for npm packages. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., two weeks) after release.
Implementing policies that delay package use is an effective safeguard to protect against zero-day attacks. Enforcing a time lag before consuming a new package or package version gives the community time to find and flag any problems and for intelligence feeds to get updated.
A policy that quarantined npm packages published in the past two weeks would have protected organizations during the September 8, 2025 npm attack, which compromised widely used packages like chalk and debug. Within two hours the community had flagged the problem, but automated CI/CD pipelines had already downloaded the latest versions, the ones containing the malicious code.
When used alongside an EPM policy in Cloudsmith to block or quarantine all known malicious packages, you’ll have protection against zero-day attacks and known malicious packages, ensuring these packages never make it into your software supply chain. For more security rules, check out our Rego recipes.
The following Rego code defines a policy that matches and quarantines npm packages whose upstream publish date is within the last 14 days.
package cloudsmith

default match := false

# A package is matched if its upstream publish date is within the past N days.
within_past_days := 14

supported_formats := {"npm"}

match if count(reason) != 0

reason contains msg if {
    pkg := input.v0.package

    # The cutoff is N days before now.
    within_past_days_date := time.add_date(time.now_ns(), 0, 0, 0 - within_past_days)
    publish_date := time.parse_rfc3339_ns(pkg.upstream_metadata.published_at)

    # Match if the publish date comes after the date of the set number of days ago.
    publish_date >= within_past_days_date
    pkg.format in supported_formats

    msg := sprintf("Package upstream publish date is %v (falls within the past %v days)", [pkg.upstream_metadata.published_at, within_past_days])
}

Upstream publish date is available for npm packages, with additional formats coming soon. Learn more in the Enterprise Policy Manager docs, and contact us to request early access.
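To see how the quarantine window behaves around an incident like the one described above, the following Python script models the policy's decision offline. It is an added example, not Cloudsmith's code and not the EPM engine: it mirrors the Rego logic (match when an npm package's upstream publish date falls within the past N days) so it can be run against constructed sample inputs. The input shape (input.v0.package with format and upstream_metadata.published_at) comes from the policy on this page; the sample packages, the evaluation timestamps, and the function names are assumptions of this example.

```python
"""Offline model of the upstream-publish-date quarantine rule.

Added example (not EPM's own evaluator). It reproduces the decision the
Rego policy makes so the window can be exercised on sample data.
"""
from datetime import datetime, timedelta, timezone

WITHIN_PAST_DAYS = 14            # same value as within_past_days in the policy
SUPPORTED_FORMATS = {"npm"}      # same as supported_formats in the policy


def evaluate(policy_input: dict, now: datetime, within_past_days: int = WITHIN_PAST_DAYS) -> dict:
    """Return {"match": bool, "reason": set} for one package input.

    Mirrors the Rego semantics: the rule body only produces a reason when
    every expression holds, so a package with no upstream publish date
    (metadata missing) yields no reason and is NOT matched. That is a
    fail-open case worth knowing about when relying on this rule alone.
    """
    pkg = policy_input["v0"]["package"]
    reasons: set[str] = set()
    published_at = (pkg.get("upstream_metadata") or {}).get("published_at")

    if pkg.get("format") in SUPPORTED_FORMATS and published_at:
        # time.parse_rfc3339_ns equivalent; accept a trailing "Z" as UTC.
        publish_date = datetime.fromisoformat(published_at.replace("Z", "+00:00"))
        # time.add_date(time.now_ns(), 0, 0, 0 - within_past_days) equivalent.
        cutoff = now - timedelta(days=within_past_days)
        if publish_date >= cutoff:
            reasons.add(
                f"Package upstream publish date is {published_at} "
                f"(falls within the past {within_past_days} days)"
            )

    return {"match": len(reasons) != 0, "reason": reasons}


# Constructed sample inputs (assumed shapes, not real registry data).
SAMPLE_INPUTS = {
    # Published on the incident day; the kind of version a pipeline would pull first.
    "fresh_npm": {"v0": {"package": {
        "format": "npm",
        "upstream_metadata": {"published_at": "2025-09-08T13:00:00Z"}}}},
    # Published well before the window.
    "old_npm": {"v0": {"package": {
        "format": "npm",
        "upstream_metadata": {"published_at": "2025-08-01T09:30:00Z"}}}},
    # No upstream metadata at all: the rule body is undefined, so no match.
    "npm_no_metadata": {"v0": {"package": {"format": "npm"}}},
    # Fresh, but a format the policy does not cover.
    "fresh_other_format": {"v0": {"package": {
        "format": "pypi",
        "upstream_metadata": {"published_at": "2025-09-08T13:00:00Z"}}}},
}


def run_samples(now: datetime) -> dict:
    """Evaluate every sample at the given time; returns {name: matched}."""
    return {name: evaluate(inp, now=now)["match"] for name, inp in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    # Two hours into the incident day, and again once the window has passed.
    for when in (datetime(2025, 9, 8, 15, 0, tzinfo=timezone.utc),
                 datetime(2025, 9, 23, 15, 0, tzinfo=timezone.utc)):
        print(when.isoformat(), run_samples(when))
```

Running it shows the fresh npm package quarantined on the incident day and released two weeks later, while the package without upstream metadata is never matched; pairing this rule with a separate block on known-malicious packages, as the post suggests, covers that gap.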