The Delay Upstream policy prevents newly published packages from being added to a Bytesafe registry until a set delay (in days) has passed. Until then, the new version will not be allowed in from external upstreams such as npmjs or Maven Central.
It’s common to automatically pull the latest versions of packages from public upstreams, regardless of version maturity, especially in automated environments like CI/CD pipelines. But with popular packages often being targets for attacks, there is every reason to be cautious and only allow new packages after a set safety period.
Customize the safety delay to match your organization's needs
The delay time is completely customizable per registry in your workspace, up to the maximum of 90 days.
This lets users find the right balance between security and access to new functionality, and adjust the delay to their needs per ecosystem.
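The age check described above can be sketched against the `time` map of an npm packument, which records each version's publish timestamp. This is an added example, not Bytesafe's code: the sample packument, the `applyDelay` function, the fail-closed handling of bad timestamps and the fallback for a held-back `latest` tag are all assumptions made for illustration.

```javascript
// Illustrative age gate over an npm packument's `time` map (not Bytesafe's implementation).
const MAX_DELAY_DAYS = 90; // maximum delay stated on this page
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data; the shape follows the npm registry packument.
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2023-01-10T09:00:00.000Z",
    modified: "2024-05-30T12:00:00.000Z",
    "1.0.0": "2023-01-10T09:00:00.000Z",
    "2.0.0": "2024-05-01T08:30:00.000Z",
    "2.0.1": "2024-05-20T10:00:00.000Z",
    "2.1.0": "2024-05-30T12:00:00.000Z",
  },
};

// Split versions into those older than the delay and those still held back.
function applyDelay(packument, delayDays, now) {
  if (!Number.isInteger(delayDays) || delayDays < 0 || delayDays > MAX_DELAY_DAYS) {
    throw new RangeError(`delayDays must be an integer from 0 to ${MAX_DELAY_DAYS}`);
  }
  const cutoff = now.getTime() - delayDays * DAY_MS;
  const allowed = [];
  const held = [];
  for (const [version, published] of Object.entries(packument.time)) {
    if (version === "created" || version === "modified") continue; // not versions
    const ts = Date.parse(published);
    // Assumption: fail closed, so an unparseable publish time counts as too new.
    if (Number.isNaN(ts) || ts > cutoff) held.push(version);
    else allowed.push({ version, ts });
  }
  allowed.sort((a, b) => a.ts - b.ts);
  const tagged = packument["dist-tags"].latest;
  const tagOk = allowed.some((v) => v.version === tagged);
  // Assumption: if upstream `latest` is still held, serve the most recently published allowed version.
  const newest = allowed.length ? allowed[allowed.length - 1].version : null;
  return { allowed: allowed.map((v) => v.version), held, latest: tagOk ? tagged : newest };
}

// With a 14-day delay on 2024-06-01, the two May 20+ releases are held back.
console.log(applyDelay(samplePackument, 14, new Date("2024-06-01T00:00:00.000Z")));
```

Running it with different `delayDays` values shows the trade-off directly: a longer delay shrinks the allowed set and pushes `latest` back to an older release.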