feat: add maturity period option to filter newly released packages (#205)

runyasak · antfu · web-flow · commit bb2225594e68 · 2025-09-08T12:13:00.000+09:00
Co-authored-by: Anthony Fu &lt;anthonyfu117@hotmail.com&gt;
Co-authored-by: Anthony Fu &lt;github@antfu.me&gt;
diff --git a/src/cli.ts b/src/cli.ts
@@ -36,6 +36,7 @@ cli
   .option('--timediff', 'show time difference between the current and the updated version')
   .option('--nodecompat', 'show package compatibility with current node version')
   .option('--peer', 'Include peerDependencies in the update process')
+  .option('--maturity-period [days]', 'wait period in days before upgrading to newly released packages (default: 7 when flag is used, 0 when not used)')
   .action(async (mode: RangeMode | undefined, options: Partial<CheckOptions>) => {
     if (mode) {
       if (!MODE_CHOICES.includes(mode)) {
@@ -44,6 +45,11 @@ cli
       }
       options.mode = mode
     }
+
+    if ('maturityPeriod' in options && typeof options.maturityPeriod !== 'number') {
+      options.maturityPeriod = 7
+    }
+
     const resolved = await resolveConfig(options)
 
     let exitCode
diff --git a/src/commands/check/interactive.ts b/src/commands/check/interactive.ts
@@ -142,8 +142,8 @@ export async function promptInteractive(pkgs: PackageMeta[], options: CheckOptio
     dep: ResolvedDepChange,
   ): InteractiveRenderer {
     const versions = Object.entries({
-      minor: getVersionOfRange(dep, 'minor'),
-      patch: getVersionOfRange(dep, 'patch'),
+      minor: getVersionOfRange(dep, 'minor', options),
+      patch: getVersionOfRange(dep, 'patch', options),
       ...dep.pkgData.tags,
     })
       .map(([name, version]) => {
diff --git a/src/constants.ts b/src/constants.ts
@@ -40,4 +40,5 @@ export const DEFAULT_CHECK_OPTIONS: CheckOptions = {
   group: true,
   includeLocked: false,
   nodecompat: true,
+  maturityPeriod: 0,
 }
diff --git a/src/io/resolves.ts b/src/io/resolves.ts
@@ -11,7 +11,7 @@ import { getPackageMode } from '../utils/config'
 import { getNpmConfig } from '../utils/npm'
 import { parsePnpmPackagePath, parseYarnPackagePath } from '../utils/package'
 import { fetchJsrPackageMeta, fetchPackage } from '../utils/packument'
-import { filterDeprecatedVersions, getMaxSatisfying, getPrefixedVersion } from '../utils/versions'
+import { filterDeprecatedVersions, filterVersionsByMaturityPeriod, getMaxSatisfying, getPrefixedVersion } from '../utils/versions'
 
 const debug = {
   cache: _debug('taze:cache'),
@@ -94,18 +94,24 @@ export async function getPackageData(name: string, protocol: Protocol = 'npm'):
   }
 }
 
-export function getVersionOfRange(dep: ResolvedDepChange, range: RangeMode) {
-  const { versions, tags, deprecated } = dep.pkgData
+export function getVersionOfRange(dep: ResolvedDepChange, range: RangeMode, options: CheckOptions) {
+  const { versions, tags, deprecated, time } = dep.pkgData
 
-  const nonDeprecatedVersions = deprecated && Object.keys(deprecated).length > 0
-    ? filterDeprecatedVersions(versions, deprecated)
-    : versions
+  let filteredVersions = versions
 
-  if (nonDeprecatedVersions.length === 0) {
+  if (deprecated && Object.keys(deprecated).length > 0) {
+    filteredVersions = filterDeprecatedVersions(filteredVersions, deprecated)
+  }
+
+  if (options.maturityPeriod && options.maturityPeriod > 0) {
+    filteredVersions = filterVersionsByMaturityPeriod(filteredVersions, time, options.maturityPeriod)
+  }
+
+  if (filteredVersions.length === 0) {
     return undefined
   }
 
-  return getMaxSatisfying(nonDeprecatedVersions, dep.currentVersion, range, tags)
+  return getMaxSatisfying(filteredVersions, dep.currentVersion, range, tags)
 }
 
 export function updateTargetVersion(
@@ -249,7 +255,7 @@ export async function resolveDependency(
         return dep
       }
 
-      target = getVersionOfRange(dep, mergeMode as RangeMode)
+      target = getVersionOfRange(dep, mergeMode as RangeMode, options)
 
       if (!target) {
         dep.diff = null
diff --git a/src/types.ts b/src/types.ts
@@ -157,6 +157,13 @@ export interface CheckOptions extends CommonOptions {
    * @default true
    */
   nodecompat?: boolean
+  /**
+   * Wait period in days before upgrading to newly released packages
+   * This helps avoid potentially malicious packages released recently
+   *
+   * @default 0 (no waiting period)
+   */
+  maturityPeriod?: number
 }
 
 interface BasePackageMeta {
diff --git a/src/utils/versions.ts b/src/utils/versions.ts
@@ -104,3 +104,28 @@ export function getMaxSatisfying(versions: string[], current: string, mode: Rang
 export function filterDeprecatedVersions(versions: string[], deprecated: Record<string, string | boolean>): string[] {
   return versions.filter(version => !deprecated[version])
 }
+
+export function filterVersionsByMaturityPeriod(
+  versions: string[],
+  time: Record<string, string> | undefined,
+  maturityPeriodDays: number,
+): string[] {
+  if (!time || maturityPeriodDays <= 0) {
+    return versions
+  }
+
+  const now = new Date()
+  const cutoffDate = new Date(now.getTime() - (maturityPeriodDays * 24 * 60 * 60 * 1000))
+
+  return versions.filter((version) => {
+    const versionTime = time[version]
+    if (!versionTime) {
+      return true
+    }
+
+    const releaseDate = new Date(versionTime)
+    const isMature = releaseDate < cutoffDate
+
+    return isMature
+  })
+}
diff --git a/test/versions.test.ts b/test/versions.test.ts
@@ -1,6 +1,6 @@
 import { expect, it } from 'vitest'
 import { getPackageData } from '../src/io/resolves'
-import { filterDeprecatedVersions, getMaxSatisfying, getVersionRangePrefix } from '../src/utils/versions'
+import { filterDeprecatedVersions, filterVersionsByMaturityPeriod, getMaxSatisfying, getVersionRangePrefix } from '../src/utils/versions'
 
 it('getVersionRange', () => {
   expect('~').toBe(getVersionRangePrefix('~1.2.3'))
@@ -129,3 +129,24 @@ it('deprecated filter', () => {
   const noDeprecated = filterDeprecatedVersions(versions, {})
   expect(noDeprecated).toEqual(versions)
 })
+
+it('maturity period filter', () => {
+  const now = new Date()
+  const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1000)
+  const eightDaysAgo = new Date(now.getTime() - 8 * 24 * 60 * 60 * 1000)
+
+  const versions = ['1.0.0', '1.1.0', '2.0.0']
+  const time = {
+    '1.0.0': eightDaysAgo.toISOString(),
+    '1.1.0': oneDayAgo.toISOString(),
+    '2.0.0': now.toISOString(),
+  }
+
+  // Test with 7 days - should filter out recent versions
+  const filtered = filterVersionsByMaturityPeriod(versions, time, 7)
+  expect(filtered).toEqual(['1.0.0'])
+
+  // Test with 0 days - should return all versions
+  const noFilter = filterVersionsByMaturityPeriod(versions, time, 0)
+  expect(noFilter).toEqual(versions)
+})

Original file line number	Diff line number	Diff line change
`@@ -40,4 +40,5 @@ export const DEFAULT_CHECK_OPTIONS: CheckOptions = {`
`40`	`40`	`group: true,`
`41`	`41`	`includeLocked: false,`
`42`	`42`	`nodecompat: true,`
	`43`	`+ maturityPeriod: 0,`
`43`	`44`	`}`