Proposal: set default min-release-age to 7 days

### Is there an existing issue for this?

- [x] I have searched the existing issues

### This issue exists in the latest npm version

- [x] I am using the latest npm

### Current Behavior

In light of the recent cline2.3 injection attack I would like to propose that the default of "min-release-age" be set to seven days. 

(see: https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7 
and: https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another )

Per https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns the majority of compromised/malicious NPM packages are detected and remediated within hours or a small number of days. 

While anyone can set that number to whatever they want, I believe that defaulting min-release-age to a generous safety margin would effectively mitigate a great deal of ecosystem risk at negligible cost.

### Expected Behavior

_No response_

### Steps To Reproduce

_No response_

### Environment

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proposal: set default min-release-age to 7 days #9068

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

Expected Behavior

Steps To Reproduce

Environment

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Proposal: set default min-release-age to 7 days #9068

Description

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

Expected Behavior

Steps To Reproduce

Environment

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions