Show HN: npm-daycare, an NPM proxy that filters out recent & small packages

github.com

6 points by n2d4 10 hours ago

Hey all! npm-daycare is a simple NPM proxy built on Verdaccio which filters all packages that:

- are younger than 48h (it will just provide an old version instead)

- have fewer than 5,000 weekly downloads

https://github.com/stack-auth/npm-daycare

This is in response to the recent supply chain attacks that shattered the JavaScript ecosystem [1]. It's likely not a problem that will go away any time soon, so we figured we'd build something to protect against it.

Doing this on the proxy layer means it will work across the entire system, as proxies are set globally. In the future, we could also add more filters to the proxy.

To get started, just run the Docker container:

    docker run -d --rm --name npm-daycare -p 4873:4873 bgodil/npm-daycare

    npm set registry http://localhost:4873/
    pnpm config set registry http://localhost:4873/
    yarn config set registry http://localhost:4873/
    bun config set registry http://localhost:4873/

    npm view @types/node  # has recent updates
    npm view pgmock  # has <5,000 weekly downloads

Downside: npm-daycare won't show packages that are younger than 48h on its default config, so be aware of that when you try to update your packages to patch a zero-day exploit.

You probably also shouldn't rely on this as your only line of defense. Curious to hear what you think!

[1] https://news.ycombinator.com/item?id=45260741
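The two filter rules described in the post, as an added example that is not the project's code: a plain function over an npm packument (the registry's per-package metadata object with `versions`, `dist-tags` and a per-version `time` map), with the weekly download count supplied by the caller rather than fetched; it does not use Verdaccio's plugin API, and the threshold constants and sample data are assumptions.

```javascript
// Added example modelled on the npm-daycare rules above; not the project's code.
// Operates on a plain npm packument object; download counts are passed in.
const MIN_AGE_MS = 48 * 60 * 60 * 1000;   // versions younger than this are hidden
const MIN_WEEKLY_DOWNLOADS = 5000;        // packages below this are blocked entirely

// Compare two semver strings numerically on major.minor.patch (prerelease ignored).
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Return a copy of the packument with every version published less than
// MIN_AGE_MS before `now` removed, dist-tags that point at removed versions
// dropped, and `latest` re-pointed to the newest surviving version.
// Returns null when the package is below the download threshold or when no
// version old enough remains (the proxy would then serve nothing).
function filterPackument(packument, weeklyDownloads, now = Date.now()) {
  if (weeklyDownloads < MIN_WEEKLY_DOWNLOADS) return null;
  const kept = {};
  for (const [version, meta] of Object.entries(packument.versions)) {
    const published = Date.parse((packument.time || {})[version]);
    if (Number.isNaN(published)) continue;          // no publish time: treat as untrusted
    if (now - published >= MIN_AGE_MS) kept[version] = meta;
  }
  const versions = Object.keys(kept).sort(compareSemver);
  if (versions.length === 0) return null;
  const tags = {};
  for (const [tag, v] of Object.entries(packument['dist-tags'] || {})) {
    if (kept[v]) tags[tag] = v;                     // keep only tags still resolvable
  }
  tags.latest = versions[versions.length - 1];
  return { ...packument, versions: kept, 'dist-tags': tags };
}

// Constructed sample: 1.0.0 published a week ago, 1.0.1 one hour ago.
const NOW = Date.parse('2025-09-20T12:00:00Z');
const SAMPLE = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.0.1', next: '1.0.1' },
  versions: { '1.0.0': { version: '1.0.0' }, '1.0.1': { version: '1.0.1' } },
  time: { '1.0.0': '2025-09-13T12:00:00Z', '1.0.1': '2025-09-20T11:00:00Z' },
};
```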

bdangubic 8 hours ago

Day is September 16, 2026. Top story on HN, “wildly popular npm-daycare with 7 billion daily downloads hacked” :-)

  • n2d4 8 hours ago

    Well, at least it's in a Docker container and not an auto-updating binary on your computer :]