Cool-down policy (recently published packages)

Overview

The recentlyPublished alert flags package versions whose publish date falls within a configurable time window. New releases concentrate the highest supply chain risk: maintainer account takeovers, malware, and regrettable changes are most often caught and reverted in the first days after publication. A cool-down period gives the wider community time to vet a release before your developers pull it in.

  • Severity: Medium
  • Category: Supply Chain Risk
  • Alert key: recentlyPublished
  • Default threshold: 7 days

Configure the threshold

Go to Settings → Alerts → Scans in the Socket dashboard.

Field                               Default   Range
Recently Published Alert Threshold  7 days    0 to 365 days

Set the value to 0 to disable the alert entirely. The threshold is org-wide and applies to every ecosystem Socket scans.

How publishedAt is sourced per ecosystem

Each recentlyPublished alert carries a publishedAt value pulled from Socket's metadata for that package version. The source field varies because each registry exposes release timestamps differently.

Ecosystem  Source                                             Field represents
npm        registry.npmjs.org/<pkg>                           Publish time (ms epoch)
PyPI       pypi.org/pypi/<pkg>/json                           File upload time (ISO 8601)
Maven      Sonatype Central index                             Artifact's last-modified-timestamp on the index
Cargo      crates.io/api/v1/crates/<pkg>                      Crate publish time (ISO 8601)
RubyGems   rubygems.org/api/v1/gems/<pkg>/versions/<v>.json   Gem build time (ISO 8601)
NuGet      api.nuget.org/v3/catalog0/*                        Catalog publish time (ISO 8601)
Go         proxy.golang.org/<mod>/@v/<v>.info                 Module version timestamp
Conda      Anaconda / conda-forge channel index               Package timestamp (Unix seconds)
OpenVSX    open-vsx.org/api/<ns>/<ext>/versions               Extension publish time (ISO 8601)

For Maven, Socket rolls up publishedAt to the minimum across an artifact's files (jar, pom, sources, javadoc, checksums) and the minimum across a package's versions. The maintenance backfill only lowers a stored timestamp; it never raises one.

Triage individual blocks

When a package trips recentlyPublished and you need to override it, create an Alert Triage rule under Settings → Security Policy → Alert Triage.

Action choices

Action   Effect          Visibility
monitor  Does not block  Alert still appears in Socket. Block reason is not emitted by firewall.
ignore   Does not block  Alert is suppressed from the Socket API response.

monitor retains the signal that the package hit the cool-down window. ignore removes it.

Scope choices

Scope pattern                        Matches                        Trade-off
pkg:maven/io.example/foo@<version>   This version only              Narrowest. Next version bump requires a new rule.
pkg:maven/io.example/foo@*           All versions of this package   Covers version bumps. Future versions of this package bypass cool-down.
pkg:maven/io.example/*               All packages under this group  Covers sibling packages. Bypasses cool-down across the vendor.

For ecosystem-wide adjustments, change the default recentlyPublished action in Security Policy instead of writing per-package rules.

What a triage rule does not cover

  • Other alert types on the same package. Only recentlyPublished is overridden.
  • Transitive packages. Each transitive dependency is evaluated independently and needs its own rule if you want to bypass cool-down for it.

Interaction with Socket Firewall

The Socket API computes the alert's action (error, warn, monitor, ignore) from the org's policy and the stored publishedAt. Socket Firewall consumes that action and blocks the request when it is error. The threshold itself is not configured in firewall config.

A package whose publishedAt is older than the threshold gets recentlyPublished with action ignore (or no alert at all). Younger packages get the configured action.

📝 Effect timing: Triage rule changes apply on the next cache miss for a matched package in the firewall. Entries already in cache continue to return the previous decision until they expire.
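The decision path described above (normalising publishedAt from the per-ecosystem formats, the Maven minimum rollup, the age check against the org threshold, and Alert Triage scope patterns) as an added illustrative model; this is not Socket's own code. It assumes ISO 8601 strings for Go and Maven timestamps, that the first matching triage rule wins, and uses constructed sample inputs.

```python
from datetime import datetime, timezone

DEFAULT_THRESHOLD_DAYS = 7  # org-wide default (Settings -> Alerts -> Scans); 0 disables the alert

def parse_published_at(ecosystem, raw):
    """Normalise a registry-specific publishedAt value to an aware UTC datetime."""
    if ecosystem == "npm":      # registry.npmjs.org: publish time in ms since the epoch
        return datetime.fromtimestamp(raw / 1000, tz=timezone.utc)
    if ecosystem == "conda":    # channel index: Unix seconds
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    # PyPI, Cargo, RubyGems, NuGet, OpenVSX are ISO 8601; Go and Maven assumed ISO 8601 here
    return datetime.fromisoformat(str(raw).replace("Z", "+00:00"))

def maven_rollup(raw_timestamps):
    """Maven: publishedAt is the minimum across an artifact's files and a package's versions."""
    return min(raw_timestamps, key=lambda t: parse_published_at("maven", t))

def scope_matches(pattern, purl):
    """Alert Triage scopes: exact purl, 'name@*' (all versions), 'group/*' (all packages)."""
    if pattern.endswith("/*"):
        return purl.startswith(pattern[:-1])
    if pattern.endswith("@*"):
        return purl.rsplit("@", 1)[0] == pattern[:-2]
    return purl == pattern

def decide(purl, ecosystem, raw, now, default_action="error",
           triage_rules=(), threshold_days=DEFAULT_THRESHOLD_DAYS):
    """Action the firewall consumes: packages older than the threshold get 'ignore';
    younger ones get the first matching triage rule (assumed precedence) or the policy default."""
    if threshold_days == 0:
        return "ignore"
    age_days = (now - parse_published_at(ecosystem, raw)).total_seconds() / 86400
    if age_days > threshold_days:
        return "ignore"
    for pattern, action in triage_rules:
        if scope_matches(pattern, purl):
            return action
    return default_action

# Constructed sample data (not real registry responses); NOW is fixed so results are reproducible.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
RULES = [("pkg:maven/io.example/foo@*", "monitor"), ("pkg:maven/io.example/*", "ignore")]
FRESH = "2024-06-09T00:00:00Z"

def run_samples():
    two_days_ago_ms = int(datetime(2024, 6, 8, tzinfo=timezone.utc).timestamp() * 1000)
    return {
        "npm_fresh": decide("pkg:npm/example-pkg@1.0.0", "npm", two_days_ago_ms, NOW),
        "pypi_old": decide("pkg:pypi/example-pkg@2.0.0", "pypi", "2024-05-01T12:00:00Z", NOW),
        "maven_rollup": maven_rollup([FRESH, "2024-06-01T00:00:00Z"]),  # jar, pom, ...
        "rule_versions": decide("pkg:maven/io.example/foo@1.2.3", "maven", FRESH, NOW, triage_rules=RULES),
        "rule_group": decide("pkg:maven/io.example/bar@0.1.0", "maven", FRESH, NOW, triage_rules=RULES),
        "disabled": decide("pkg:cargo/example-crate@1.0.0", "cargo", FRESH, NOW, threshold_days=0),
    }
```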