---
title: "Enforce vetting for npm packages with publish date policies"
description: "You can now use the package publish date in Enterprise Policy Manager (EPM) for npm packages. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., two weeks) after release."
canonical_url: "https://cloudsmith.com/changelog/enforce-vetting-for-npm-packages-with-publish-date-policies"
last_updated: "2025-11-05T14:03:17.272Z"
---
# Enforce vetting for npm packages with publish date policies

You can now use the **upstream publish date** in Enterprise Policy Manager (EPM) for **npm packages**. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., two weeks) after release.

## Why this matters

Implementing policies that delay package use is an effective safeguard to protect against zero-day attacks. Enforcing a time lag before consuming a new package or package version gives the community time to find and flag any problems and for intelligence feeds to get updated.

A policy that quarantined npm packages published in the past two weeks [would have protected organizations during the September 8, 2025 npm attack](https://cloudsmith.com/blog/npm-ecosystem-alert-what-you-need-to-do-today-with-cloudsmith) which compromised widely used packages like _chalk _and _debug. _Within two hours, the community had flagged the problem, but automated CI/CD pipelines had already downloaded the latest versions, the ones containing the malicious code.

## Comprehensive defense

When used alongside an EPM policy in Cloudsmith to block or quarantine all known malicious packages, you’ll have protection against zero-day attacks and known malicious packages, ensuring these packages never make it into your software supply chain. For more security rules, check out our [Rego recipes](https://docs.cloudsmith.com/supply-chain-security/epm/rego). 

## Publish date policy example

The following Rego code defines a policy that matches and quarantines npm packages whose upstream publish date is within the last **14 days. **

```json
{
  "_key": "bb7ce9b411fe",
  "_type": "code",
  "code": "package cloudsmith\n\ndefault match := false\n\n# A package is matched if its upstream publish date is within the past N days.\nwithin_past_days := 14\nsupported_formats := {\"npm\"}\n\nmatch if count(reason) != 0\n\nreason contains msg if {\n    pkg := input.v0.package\n    within_past_days_date := time.add_date(time.now_ns(), 0, 0, 0 - within_past_days)\n    publish_date := time.parse_rfc3339_ns(pkg.upstream_metadata.published_at)\n\n    # Match if the publish date comes after the date of the set number of days ago.\n    publish_date >= within_past_days_date\n    pkg.format in supported_formats\n\n    msg := sprintf(\"Package upstream publish date is %v (falls within the past %v days)\", [pkg.upstream_metadata.published_at, within_past_days])\n}",
  "filename": null,
  "language": "rego",
  "markDefs": null
}
```

**Upstream publish date is available for npm packages**, with additional formats coming soon. Learn more in the Enterprise Policy Manager [docs](https://docs.cloudsmith.com/supply-chain-security/epm), and [contact us](https://cloudsmith.com/company/contact-us) to request early access.
