Show HN: Safe-NPM – only install packages that are +90 days old

Description

Package Manager

Show HN: Safe-NPM – only install packages that are +90 days old This past quarter has been awash with sophisticated npm supply chain attacks like [Shai-Hulud](https://www.cisa.gov/news-events/alerts/2025/09/23/widesprea...() and the [Chalk/debug Compromise](https://www.wiz.io/blog/widespread-npm-supply-chain-attack-b...). This CLI helps protect users from recently compromised packages by only downloading packages that have been public for a while (default is 90 days or older).

Install: npm install -g @dendronhq/safe-npm Usage: safe-npm install react@^18 lodash

How it works: - Queries npm registry for all versions matching your semver range - Filters out anything published in the last 90 days - Installs the newest "aged" version

Limitations: - Won't protect against packages malicious from day one - Doesn't control transitive dependencies (yet - looking into overrides) - Delays access to legitimate new features

This is meant as a 80/20 measure against recently compromised NPM packages and is not a silver bullet. Please give it a try and let me know if you have feedback.

Swapping two blocks of memory inside a larger block, in constant memory

Ed25519-CLI – command-line interface for the Ed25519 signature system

Microsoft kills IntelliCode in favor of the paid Copilot

Show HN: Build the habit of writing meaningful commit messages

Show HN: Build the habit of writing meaningful commit messages Too often I find myself being lazy with commit messages. But I don't want AI to write them for me... only i truly know why i wrote the code i did.<p>So why don't i get AI to help me get that into words from my head?<p>That's what i built: smartcommit asks you questions about your changes, then helps you articulate what you already know into a proper commit message. Captures the what, how, and why.<p>Built this after repeatedly being confused 6 months in a project as to why i made the change i had made...<p>Would love feedback!