feat(cooldown): add cooldown feature

[SebastianSedzik]

Description

This PR introduces a new --cooldown option to ncu, inspired by Dependabot’s cooldown and pnpm’s minimumReleaseAge.

The cooldown feature reduces the risk of installing compromised packages by delaying updates to versions that were published too recently. It enforces a minimum number of days that must pass after a version’s release before it can be considered for upgrade.

Usage

ncu --cooldown [days]
ncu -c [days]

Example

Suppose your project uses version 1.0.0 of a package, and these versions are available:

• 1.0.0 – released 60 days ago
• 1.1.0 – released 45 days ago
• 1.2.0 – released 20 days ago
• 1.3.0 – released 10 days ago

Running:
ncu --cooldown 30 will upgrade to 1.1.0, since it was released 45 days ago and is the latest version outside the 30-day cooldown period. Versions 1.2.0 and 1.3.0 are skipped because they fall within the cooldown window.

Resolves: #1532

[SebastianSedzik]

question: (to foster discussion) Is cooldown the best name for this feature?

[SebastianSedzik]

question: (to foster discussion) Is days a right unit for this feature? Maybe hours will be more flexible

[SebastianSedzik]

clarification: this file is used later by unit tests related to the cooldown feature.

[raineorshine]

Thank you!

I have one initial comment about the expected behavior. The default target for npm-check-updates is whatever version is published to the latest tag. If this version was published within the specified cooldown, then we should not upgrade, as expected. However we also cannot upgrade to an earlier version, because there is no history of versions published to the latest tag. i.e. We cannot assume that v1.1 is a stable release just because v1.2 is.

In theory you could make some assumptions and use a heuristic, but the design philosophy of npm-check-updates is to strictly follow semver and choose the conservative approach when faced with ambiguity. There are packages that publish build numbers to latest, e.g. v1.1-d67a15, which is valid semver, making it harder to come up with an accurate heuristic anyway.

If --target newest or --target greatest is specified then it's safe to upgrade to another version in the list that is returned. It's just --target @TAG and --target latest (the default) that only return a single version. In that case, we have to skip the upgrade completely if it's on cooldown.