Added Delay Upstream - only allow new packages after a safety period

The Delay Upstream policy prevents newly published packages from being added to a Bytesafe registry until a set delay (in days) has passed. Until that delay has elapsed, such a new version is not allowed in from an external upstream like npmjs or Maven Central.

It's common to automatically pull the latest versions of packages from public upstreams, regardless of version maturity, especially in automated environments like CI/CD pipelines. But since popular packages are frequent targets for attacks, there is every reason to be cautious and only allow new versions after a set safety period.

Customize the safety delay to match your organization's needs

The delay time is completely customizable per registry in your workspace, up to the maximum of 90 days.

This lets users find the right balance between security and access to new functionality, and adjust that balance to their needs per ecosystem.

Customize the safety delay in Delay Upstream policy settings

Enable the policy and set the delay in the Plugins settings for either an npm or Maven registry in Bytesafe.
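To make the policy's decision rule concrete, here is an added example (not Bytesafe's own code) that applies the same delay check to the publish timestamps an npm registry exposes in a package's metadata. The packument excerpt and the "now" timestamp are constructed sample data, and the 90-day cap mirrors the maximum described above.

```python
from datetime import datetime, timedelta, timezone

MAX_DELAY_DAYS = 90  # upper bound on the delay, as described for the policy

# Constructed sample of an npm packument's "time" field (publish time per version).
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-04-10T09:30:00.000Z",
        "1.0.0": "2024-01-01T00:00:00.000Z",
        "1.1.0": "2024-03-15T12:00:00.000Z",
        "2.0.0": "2024-04-10T09:30:00.000Z",
    },
}


def parse_npm_time(stamp):
    """Parse the registry's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed evaluation time for the sample run.
SAMPLE_NOW = parse_npm_time("2024-04-15T00:00:00.000Z")


def effective_delay(delay_days):
    """Clamp the configured delay to the 0..90 day range the policy supports."""
    return max(0, min(int(delay_days), MAX_DELAY_DAYS))


def is_version_allowed(packument, version, delay_days, now):
    """A version passes once it has been public for at least the delay."""
    published = packument["time"].get(version)
    if published is None:  # unknown version: never let it through
        return False
    age = now - parse_npm_time(published)
    return age >= timedelta(days=effective_delay(delay_days))


def resolve_latest_allowed(packument, delay_days, now):
    """Newest version old enough to pass the policy, or None if none qualifies.

    Note that the upstream's "latest" dist-tag may point at a version that is
    still inside the safety window, so the tag is deliberately not trusted here.
    """
    versions = [v for v in packument["time"] if v not in ("created", "modified")]
    allowed = [v for v in versions if is_version_allowed(packument, v, delay_days, now)]
    if not allowed:
        return None
    return max(allowed, key=lambda v: tuple(int(p) for p in v.split(".")))
```

With a 7-day delay the sample resolves to 1.1.0 even though the upstream's latest is 2.0.0, and a repository with no version older than the delay yields None, which a CI job should treat as "nothing to install yet" rather than falling back to upstream.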

Looking for more information?

Read more on how to stay safe and avoid compromised new versions in our blog. To learn more about Bytesafe policies, see the Delay Upstream specifics in our docs.