suggestion: add a release age policy option to deno update and deno outdated #30751

@petamoriken

Description

I suggest adding a release age policy option for deno update and deno outdated. This is expected to function as a fail-safe mechanism when npm or JSR dependencies contain packages compromised by supply chain attacks.

Due to the release of malicious versions in popular npm packages like nx, pnpm has added a minimumReleaseAge option:

The new setting is called minimumReleaseAge. It specifies the number of minutes that must pass after a version is published before pnpm will install it. For example, setting minimumReleaseAge: 1440 ensures that only packages released at least one day ago can be installed.

https://pnpm.io/blog/releases/10.16#new-setting-for-delayed-dependency-updates

This option addition is also being discussed in other package managers:

npm: npm/rfcs#646
yarn: yarnpkg/berry#6899
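To make the proposed fail-safe concrete, here is an added TypeScript example of the filtering step such an option would perform; it is not code from this issue or from Deno. It assumes registry metadata shaped like npm's `time` field (a map of version to ISO publish timestamp, plus the non-version keys `created` and `modified`), a `minimumReleaseAge` given in minutes as in pnpm, and the function names `eligibleVersions` and `selectUpdate`, all of which are constructed for illustration. The sample metadata is likewise constructed.

```typescript
// Added example (not Deno's or the issue author's code): a minimum-release-age
// filter over npm-style registry metadata, i.e. the check `deno outdated` /
// `deno update` would apply before offering a newer version. The names and the
// sample data below are assumptions made for this illustration.

// Registry "time" map: version -> ISO publish timestamp. npm's map also carries
// the non-version keys "created" and "modified", which must be skipped.
type TimeMap = Record<string, string>;

// Parse a strict x.y.z release; returns null for non-version keys and for
// prereleases such as "1.3.0-beta.1", which a conservative policy never selects.
function parseRelease(v: string): [number, number, number] | null {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareRelease(a: [number, number, number], b: [number, number, number]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Releases published at least `minAgeMinutes` before `now` (ms since epoch),
// sorted ascending. A malformed timestamp makes a version ineligible rather
// than eligible, so a broken metadata entry fails closed.
function eligibleVersions(time: TimeMap, minAgeMinutes: number, now: number): string[] {
  const cutoff = now - minAgeMinutes * 60_000;
  const out: string[] = [];
  for (const [version, published] of Object.entries(time)) {
    if (parseRelease(version) === null) continue; // "created", "modified", prereleases
    const ts = Date.parse(published);
    if (Number.isNaN(ts)) continue;
    if (ts <= cutoff) out.push(version);
  }
  return out.sort((x, y) => compareRelease(parseRelease(x)!, parseRelease(y)!));
}

// The newest release that satisfies the age policy, or null when none does.
function selectUpdate(time: TimeMap, minAgeMinutes: number, now: number): string | null {
  const ok = eligibleVersions(time, minAgeMinutes, now);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample resembling a registry "time" field; "now" is 2025-09-01T10:00Z,
// so 1.3.0 is only 30 minutes old at the time of the check.
const SAMPLE_TIME: TimeMap = {
  created: "2025-08-01T00:00:00.000Z",
  modified: "2025-09-01T09:30:00.000Z",
  "1.2.0": "2025-08-20T10:00:00.000Z",
  "1.2.1": "2025-08-25T10:00:00.000Z",
  "1.3.0-beta.1": "2025-08-30T10:00:00.000Z",
  "1.3.0": "2025-09-01T09:30:00.000Z",
};
const NOW = Date.parse("2025-09-01T10:00:00.000Z");

// With a one-day policy (1440 minutes) the fresh 1.3.0 is held back and 1.2.1
// is offered instead; with no policy the latest release wins.
console.log(selectUpdate(SAMPLE_TIME, 1440, NOW)); // "1.2.1"
console.log(selectUpdate(SAMPLE_TIME, 0, NOW));    // "1.3.0"
```

The sort is on parsed release numbers, not on the map's key order, because registry JSON does not guarantee that versions appear chronologically; and prereleases, unparsable keys, and unparsable dates are all excluded rather than assumed safe, which is the behaviour you want from a mechanism whose purpose is to buy time before a freshly published (and possibly malicious) version reaches a machine.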
