Zero-Day Safety Delay

Configure a safety delay so newly published package versions are held for a set number of days, giving the ecosystem time to surface zero-day attacks before your developers can install them.


Most supply chain attacks exploit a short detection window

When a maintainer account is hijacked or a malicious package is published, it takes hours to days for security feeds to flag it. Any install during that window is exposed.

  • Automated updates pull compromised versions immediately

    A pipeline or dependency bot update runs and pulls a new version while it is still undetected.

  • Security feeds lag behind the publish event

    Detection of malicious packages typically takes hours to days after they appear on public registries.

  • No friction between a bad publish and your build

    Nothing in the default package manager flow creates a pause for community review.

What your team gets

  • New versions held before reaching developers

    Configurable delay per ecosystem. Versions become available only after the window passes.

  • Builds are not broken during the hold window

    The most recent allowed version is served automatically. Developers do not see missing packages.

  • Delay configurable per registry or ecosystem

    Set 7 days for npm, 14 days for Maven, or whatever matches your risk tolerance.

  • Override with a time-limited exception when needed

    If a specific new version is required urgently, grant an exception. It is logged for audit.

How Dependency Firewall handles this

Dependency Firewall's delay policy holds newly published versions for a configurable period and serves the most recent allowed version in the meantime.

  • Configurable delay per registry or ecosystem
  • Automatic fallback to the latest allowed version
  • Exception grants logged for audit
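As an added illustration (not Dependency Firewall's own code), the following Python sketch implements the delay policy described in this section: a per-ecosystem hold window, fallback to the newest version that has aged past the window, and time-limited exceptions that are written to an audit log. The package name, versions and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Release:
    version: tuple            # e.g. (1, 3, 0); tuples compare numerically
    published: datetime       # when the public registry first served it

@dataclass
class DelayPolicy:
    delay_days: dict                                  # ecosystem -> hold window (days)
    exceptions: dict = field(default_factory=dict)    # (eco, pkg, version) -> expiry
    audit_log: list = field(default_factory=list)     # every grant is recorded here

    def grant_exception(self, eco, pkg, version, hours, now, granted_by):
        """Allow one held version early, for a limited time, and log who did it."""
        expiry = now + timedelta(hours=hours)
        self.exceptions[(eco, pkg, version)] = expiry
        self.audit_log.append(f"{now.isoformat()} {granted_by} granted {eco}:{pkg}"
                              f"@{'.'.join(map(str, version))} until {expiry.isoformat()}")

    def is_allowed(self, eco, pkg, rel: Release, now) -> bool:
        aged = now - rel.published >= timedelta(days=self.delay_days[eco])
        expiry = self.exceptions.get((eco, pkg, rel.version))
        return aged or (expiry is not None and now < expiry)

    def resolve(self, eco, pkg, releases, now) -> Optional[Release]:
        """Newest release that is past the window or covered by a live exception."""
        allowed = [r for r in releases if self.is_allowed(eco, pkg, r, now)]
        return max(allowed, key=lambda r: r.version) if allowed else None

# Constructed sample data (hypothetical package, not a real incident).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
POLICY = DelayPolicy({"npm": 7, "maven": 14})
RELEASES = [
    Release((1, 2, 0), NOW - timedelta(days=30)),   # well past the 7-day npm window
    Release((1, 3, 0), NOW - timedelta(days=2)),    # still inside the window
]

def days_later(n: int) -> datetime:
    """Clock helper for walking the policy forward from NOW."""
    return NOW + timedelta(days=n)

if __name__ == "__main__":
    print(POLICY.resolve("npm", "example-lib", RELEASES, NOW).version)   # (1, 2, 0)
    POLICY.grant_exception("npm", "example-lib", (1, 3, 0), 24, NOW, "alice")
    print(POLICY.resolve("npm", "example-lib", RELEASES, NOW).version)   # (1, 3, 0)
    print(POLICY.audit_log[-1])
```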

Built for the teams involved

  • Security teams

    Set the delay once per ecosystem. Zero-day attacks are held out of developer environments without ongoing manual monitoring.

  • DevOps engineers

    Existing pipelines are not interrupted. The latest safe version is served automatically when a held version would have been fetched.

What changes in practice

  • Supply chain attacks detected before reaching developers

    The community has time to surface the attack before your developers can install the compromised version.

  • No build disruption during the hold window

    Builds receive the latest safe version automatically.

Questions about this use case

What if we need a specific new version urgently?

Grant a time-limited exception for the specific package. The exception is logged for audit.

Does the delay apply to internal packages too?

Configurable per upstream. Typically applied to public registry upstreams only.

Talk to us about zero-day safety delay.

We can walk through how the product fits your environment and where each Observer product belongs.

Book a Demo