
[Feature-request/discussion] Ability to set minimum maturity (in days) of versions to upgrade #1205

Closed
3 tasks done
limonte opened this issue Oct 16, 2022 · 2 comments

Comments


limonte commented Oct 16, 2022

  • I have searched for similar issues
  • I am using the latest version of npm-check-updates
  • I am using node >= 14

New feature motivation

Late Saturday evening I was thinking about lovely ... npm dependencies and their security in particular. And my thoughts seem to be either unusual or simply foolish because I couldn't find anything related in yarn/npm or in npm-check-updates.

When a vulnerability is introduced to an npm package, it takes at least several days to discover the vulnerability and to report the vulnerable release to security databases (npm, Snyk, dependabot, etc.).

Because of that reason, it would make sense for developers to use 3rd-party dependencies with a version that matches these conditions:

  1. as recent as possible (the obvious one)
  2. free from vulnerabilities, i.e. not present in npm/Snyk/dependabot security databases
  3. X days mature, because of the reason mentioned above: it takes time to discover and report vulnerabilities

New feature description

It would be nice to be able to set the minimal maturity for the version to upgrade to. For example, if two new versions of some-cool-package are available, one released 10 days ago and another released 1 hour ago, it'd be safer to upgrade to the older one, because the one that was just released has a bigger chance of being vulnerable.

New feature implementation

A parameter that would set the minimum maturity required for versions, possibly in days. But the implementation is something to discuss further, if what I'm proposing makes sense to you.

Thank you!
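The selection rule the request describes (prefer the newest version that has already been public for at least X days, skipping prereleases) can be implemented against the `time` map that the npm registry returns for a package (`npm view <pkg> time --json`, or `https://registry.npmjs.org/<pkg>`), which records the registry-side publish timestamp of every version. The script below is an added illustration and is not code from npm-check-updates or from the issue author; the packument, its timestamps, the package name and the function names (`pickMatureUpgrade`, `ageInDays`, the hand-rolled `parseVersion`/`compareVersions` in place of the `semver` package) are all constructed for this example.

```javascript
// Added example (not part of npm-check-updates): choose the newest upgrade
// candidate that has been published for at least `minDays` days.
//
// Assumes registry metadata in the shape returned by `npm view <pkg> --json`
// or https://registry.npmjs.org/<pkg>: a `time` object mapping each version
// (plus the `created` and `modified` keys) to an ISO-8601 publish timestamp.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Hypothetical minimal parser for "MAJOR.MINOR.PATCH[-prerelease]".
// A real implementation would use the `semver` package instead.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric comparison of two stable version strings (prerelease tags ignored;
// callers filter those out before comparing).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  return 0;
}

// Whole days elapsed between a version's publish time and `now`.
function ageInDays(publishedAt, now) {
  return Math.floor((now.getTime() - Date.parse(publishedAt)) / MS_PER_DAY);
}

// Newest stable version that is newer than `current` and at least `minDays`
// old; null when nothing qualifies (i.e. stay on the current version).
function pickMatureUpgrade(packument, current, minDays, now = new Date()) {
  const candidates = Object.entries(packument.time)
    .filter(([version]) => version !== 'created' && version !== 'modified')
    .filter(([version]) => {
      const p = parseVersion(version);
      return p !== null && p.prerelease === null; // skip prereleases/odd keys
    })
    .filter(([version]) => compareVersions(version, current) > 0)
    .filter(([, publishedAt]) => ageInDays(publishedAt, now) >= minDays)
    .map(([version]) => version)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed sample packument (not real registry data) mirroring the issue:
// one release 10 days old and one published an hour ago.
const NOW = new Date('2022-10-16T20:00:00Z');
const SAMPLE_PACKUMENT = {
  name: 'some-cool-package',
  time: {
    created: '2021-01-01T00:00:00Z',
    modified: '2022-10-16T19:00:00Z',
    '1.0.0': '2021-01-01T00:00:00Z',
    '1.1.0': '2022-10-06T20:00:00Z',      // 10 days before NOW
    '1.2.0-beta.1': '2022-10-10T00:00:00Z', // prerelease, never selected
    '1.2.0': '2022-10-16T19:00:00Z',      // 1 hour before NOW
  },
};

console.log(pickMatureUpgrade(SAMPLE_PACKUMENT, '1.0.0', 7, NOW)); // 1.1.0
console.log(pickMatureUpgrade(SAMPLE_PACKUMENT, '1.0.0', 0, NOW)); // 1.2.0
console.log(pickMatureUpgrade(SAMPLE_PACKUMENT, '1.1.0', 7, NOW)); // null
```

Two practical notes. The `time` map is written by the registry at publish time rather than taken from the tarball, so the age check cannot be satisfied by an attacker simply backdating a package.json; a compromised registry account still publishes with a fresh timestamp and is exactly what the waiting period is meant to give defenders time to notice. The check is a heuristic, not an advisory lookup: a version that has been vulnerable for longer than X days passes it, which is why the request's second condition (consulting the security databases) still has to be applied alongside it.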

@raineorshine (Owner)

Great suggestion. There is an existing proposal for this feature in #833. Please continue discussion there. PR's are welcome. Thank you!

@raineorshine closed this as not planned on Oct 16, 2022

limonte commented Oct 16, 2022

Oh, I'm not the first one to think about this. Thank you for pointing me to the existing thread, I should've found it.
