
Add Support for Minimum Package Age #835

@kbaltrinic

Description


pnpm recently added a minimumReleaseAge setting to help defend against supply-chain attacks. uv and certain other package managers have similar features. However, it would be much better if we could manage this centrally at our proxy. This request is to implement a setting for proxy repositories that causes them to only proxy packages that are of a configurable minimum age. Ideally this would also include:

  • (Important) A Break Glass feature to override this for specific packages/versions (for addressing zero-day situations w/o having to disable the minimum age feature for everything).
  • (Nice to have) A Line-in-the-sand feature where, in the face of a worm-style self-perpetuating attack, we can replace minimum-age with a hard date, i.e. proxy no packages newer than a date/time. This would help in the situation where there are so many potential compromises that even with, say, a 72 hr minimum age, it's possible that not all packages get found and removed in that time frame. Switching to a date/time 12 hrs prior to the first known compromise until things settle down would be a nice-to-have in this case.
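To make the three rules concrete, here is an added example (not code from the issue author or from the proxy project) that evaluates a minimum-age policy, a break-glass exemption list and a line-in-the-sand cutoff against an npm-style packument; the `AgePolicy` class, its field names and the sample packument are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

@dataclass
class AgePolicy:
    min_age: timedelta                                   # e.g. timedelta(hours=72)
    break_glass: Set[str] = field(default_factory=set)   # "name@version" exemptions
    hard_cutoff: Optional[datetime] = None               # line-in-the-sand; replaces min_age when set

def evaluate(policy: AgePolicy, name: str, version: str,
             published: datetime, now: datetime) -> Tuple[bool, str]:
    """Decide whether one version may be proxied; returns (allowed, reason)."""
    if f"{name}@{version}" in policy.break_glass:
        return True, "break-glass override"
    if policy.hard_cutoff is not None:                   # hard date replaces the age rule
        if published >= policy.hard_cutoff:
            return False, "published at or after hard cutoff"
        return True, "published before hard cutoff"
    age = now - published
    if age < policy.min_age:
        return False, f"age {age} below minimum {policy.min_age}"
    return True, "minimum age satisfied"

def filter_packument(policy: AgePolicy, packument: dict, now: datetime) -> dict:
    """Return the versions the proxy may serve, with dist-tags re-pointed to the
    newest served version so a hidden 'latest' does not leak through the tag."""
    name = packument["name"]
    kept = {}
    for version, stamp in packument["time"].items():
        if version in ("created", "modified"):           # packument bookkeeping keys, not versions
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        allowed, _ = evaluate(policy, name, version, published, now)
        if allowed:
            kept[version] = published
    tags = {}
    if kept:
        newest = max(kept, key=kept.get)
        tags = {tag: (v if v in kept else newest)
                for tag, v in packument.get("dist-tags", {}).items()}
    return {"name": name, "versions": sorted(kept), "dist-tags": tags}

# Constructed sample packument and clock, not real registry data.
SAMPLE = {"name": "example-pkg", "dist-tags": {"latest": "1.2.0"},
          "time": {"created": "2024-01-01T00:00:00Z", "modified": "2024-03-10T12:00:00Z",
                   "1.0.0": "2024-01-01T00:00:00Z", "1.1.0": "2024-03-01T00:00:00Z",
                   "1.2.0": "2024-03-10T12:00:00Z"}}
NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)
```

Re-pointing dist-tags matters because most clients resolve `latest` from the packument before fetching a tarball, so filtering versions alone would still advertise the withheld release.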
