Description
Motivation ("The Why")
--before is an excellent feature for reliability, since it lets you run an install in a project "as if it were in the past". It has an additional benefit: it can be used to impose a temporary delay on what you consume from the registry, which offers a level of protection from a supply chain attack. With a bit of unix ingenuity we can do something like the command below to enforce a 7 day delay on all installs, potentially protecting you from a supply chain attack (such attacks are often dealt with relatively quickly) without having to pin dependencies in a way that may leave you exposed to unpatched known vulnerabilities.
npm install --before="$(date -v -7d)"
date has a pretty expansive syntax for date adjustment. From the man page for -v:
If val is numeric, one of either y, m, w, d, H, M or S must be used to specify which part of the date is to be adjusted.
It would be great if we could pass this type of syntax directly to --before, or to another similar flag, to support this in a platform independent way (the above solution wouldn't work on Windows).
Further, it would be amazing if we could set this as a configuration option in a global or local .npmrc, allowing developers to manage this at a project or system level.
Example
npm install --before-relative 7d
npm install --before-relative 30M
npm install --before-relative 1y
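As an added illustration of the proposed syntax (example code, not npm's own), here is a small Node script that resolves a relative spec using the date(1) units quoted above into an absolute timestamp for the existing --before flag. It assumes the npm before config accepts an ISO 8601 timestamp, and it clamps month and year steps so the cutoff never rolls forward into the next month and silently shortens the delay.

```javascript
// Added example, not npm's code: resolve a relative spec such as "7d" to an
// absolute ISO 8601 timestamp that can be passed as `npm install --before=<ts>`.
// Unit letters follow the date(1) semantics quoted above (y m w d H M S);
// note the case distinction: lowercase m is months, uppercase M is minutes.
const UNITS = {
  y: (d, n) => setCalendar(d, d.getUTCFullYear() - n, d.getUTCMonth()),
  m: (d, n) => setCalendar(d, d.getUTCFullYear(), d.getUTCMonth() - n),
  w: (d, n) => d.setUTCDate(d.getUTCDate() - 7 * n),
  d: (d, n) => d.setUTCDate(d.getUTCDate() - n),
  H: (d, n) => d.setUTCHours(d.getUTCHours() - n),
  M: (d, n) => d.setUTCMinutes(d.getUTCMinutes() - n),
  S: (d, n) => d.setUTCSeconds(d.getUTCSeconds() - n),
};

// Month and year steps can land on a day that does not exist (Mar 31 minus one
// month). JS Date would roll forward into the next month, which would *shorten*
// the delay; clamp to the last day of the target month instead.
function setCalendar(d, year, month) {
  const day = d.getUTCDate();
  d.setUTCFullYear(year, month, day);
  if (d.getUTCDate() !== day) d.setUTCDate(0); // 0 = last day of previous month
}

// Parse "<positive integer><unit>" and subtract it from `now` (default: current
// time). Anything else throws, so a typo cannot silently disable the delay.
function beforeRelative(spec, now = new Date()) {
  const match = /^(\d+)([ymwdHMS])$/.exec(String(spec));
  if (!match) throw new Error(`invalid --before-relative value: ${spec}`);
  const cutoff = new Date(now.getTime());
  UNITS[match[2]](cutoff, Number(match[1]));
  return cutoff.toISOString();
}

// Argument vector for npm. Building an array rather than a shell string keeps
// the timestamp out of shell interpolation entirely.
function npmInstallArgs(spec, extra = [], now = new Date()) {
  return ["install", `--before=${beforeRelative(spec, now)}`, ...extra];
}

// CLI use: node before-relative.js 7d  ->  prints the cutoff timestamp, so a
// wrapper can run: npm install --before="$(node before-relative.js 7d)"
if (typeof require !== "undefined" && require.main === module) {
  console.log(beforeRelative(process.argv[2] || "7d"));
}
```

Since date -v is BSD syntax (GNU date spells the same thing differently), a script like this gives macOS, Linux and Windows users one way to compute the cutoff until npm supports it natively.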
How
Current Behaviour
I believe this is covered above
Desired Behaviour
I believe this is covered above