NPM registry: provide a time-Block with timestamp information in the package metadata response

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Release notes

Add timestamp information to the NPM registry. This includes a created and modified timestamp for the package and a timestamp for each released version. This information is included in other npm registry implementations and is required for e.g. renovatebot's "Minimum Release Age" feature.

Problem to solve

Renovatebot and most probably also other tools to manage dependencies make use of the timestamp fields to allow for delaying automated upgrades of newly released packages (see https://docs.renovatebot.com/key-concepts/minimum-release-age/ for details). Renovate config has recently switched to ignore packages with no timestamp information for security reasons, whereas before it silently just upgraded them.

Proposal

Add the time-block to the response as in curl -s https://registry.npmjs.org/tiny-tarball | jq '.time'

{
  "modified": "2022-06-27T07:01:30.945Z",
  "created": "2015-03-24T00:12:24.039Z",
  "1.0.0": "2015-03-24T00:12:24.039Z"
}

Intended users

Sasha, Alex and maybe others

Feature Usage Metrics

none

Does this feature require an audit event?

PM: @trizzi

Edited Feb 02, 2026 by 🤖 GitLab Bot 🤖