Did you check the docs?
Is your feature request related to a problem? Please describe.
Neovim plugins with shell-level access represent a real supply chain attack surface. Currently, lazy.nvim will apply updates as soon as a new commit or release is available, meaning a compromised plugin could reach users before the community has had time to detect and respond to it.
Describe the solution you'd like
A minimumReleaseAge option (global and/or per-plugin) that delays applying updates until a release has been published for at least N days.
This pattern has seen broad adoption across the package manager ecosystem:
Andrew Nesbitt recently surveyed the full landscape in detail: https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html
The security rationale is concrete: of ten supply chain attacks studied, eight had windows of opportunity under one week. A modest 3–7 day delay would have blocked the majority of them.
A reasonable API might look like:
```lua
require("lazy").setup({
  checker = {
    enabled = true,
    minimum_release_age = "7d", -- 7 days
  },
})
```
With per-plugin override, including opting out for trusted plugins and their dependency trees:
```lua
{
  "nvim-telescope/telescope.nvim",
  minimum_release_age = nil, -- trust this plugin and pull updates immediately
  dependencies = {
    "nvim-lua/plenary.nvim", -- inherits minimum_release_age = nil from parent
    { "nvim-tree/nvim-web-devicons", minimum_release_age = "3d" }, -- explicit override
  },
},
```
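To make the proposed semantics concrete, here is an added, self-contained Lua sketch of how such a gate could be evaluated. It is not lazy.nvim code and not part of the proposal above; the function names, the `"7d"`/`"3d"` duration grammar and the `false` opt-out sentinel are assumptions of this example. One caveat a practitioner should keep in mind when designing the real option: in Lua a table field set to `nil` is indistinguishable from an absent field, so `minimum_release_age = nil` cannot be told apart from "not configured". An explicit opt-out therefore needs a non-nil sentinel, which is why this example uses `false`. Resolution order is: explicit per-plugin value, then the value inherited from the parent spec, then the global `checker` default; an unparseable value raises an error rather than silently disabling the gate.

```lua
-- Added example, not lazy.nvim code. Pure Lua 5.1+, no Neovim APIs needed.

local SECONDS = { s = 1, m = 60, h = 3600, d = 86400, w = 7 * 86400 }

-- Parse "7d", "36h", "2w" into seconds. Returns nil for malformed input
-- so the caller can fail loudly instead of treating a typo as "no gate".
local function parse_age(str)
  if type(str) ~= "string" then return nil end
  local n, unit = str:match("^(%d+)([smhdw])$")
  if not n then return nil end
  return tonumber(n) * SECONDS[unit]
end

-- Effective minimum age (seconds) for one spec.
-- `false` (assumed sentinel) means "opt out": updates apply immediately.
local function effective_age(spec, inherited, global_default)
  local v = spec.minimum_release_age
  if v == nil then v = inherited end
  if v == nil then v = global_default end
  if v == nil or v == false then return 0 end
  local secs = parse_age(v)
  if not secs then
    error(string.format("invalid minimum_release_age %q for %s", tostring(v), spec[1]))
  end
  return secs
end

-- Walk a spec and its dependency tree; returns name -> effective age in
-- seconds. A parent's explicit setting (including `false`) is what its
-- dependencies inherit, matching "trusted plugins and their dependency trees".
local function resolve_tree(spec, inherited, global_default, out)
  out = out or {}
  if type(spec) == "string" then spec = { spec } end
  out[spec[1]] = effective_age(spec, inherited, global_default)
  local pass_down = spec.minimum_release_age
  if pass_down == nil then pass_down = inherited end
  for _, dep in ipairs(spec.dependencies or {}) do
    resolve_tree(dep, pass_down, global_default, out)
  end
  return out
end

-- The actual gate: an update is eligible only once the candidate release
-- has been public for at least `min_age` seconds. Timestamps are Unix time.
local function is_update_allowed(min_age, published_at, now)
  return (now - published_at) >= min_age
end

-- Constructed sample configuration mirroring the proposal above.
local global_default = "7d"
local specs = {
  {
    "nvim-telescope/telescope.nvim",
    minimum_release_age = false, -- explicit opt-out (sentinel assumed here)
    dependencies = {
      "nvim-lua/plenary.nvim", -- inherits the opt-out from its parent
      { "nvim-tree/nvim-web-devicons", minimum_release_age = "3d" },
    },
  },
  { "example-org/unconfigured-plugin" }, -- falls back to the 7d global default
}

local ages = {}
for _, spec in ipairs(specs) do
  resolve_tree(spec, nil, global_default, ages)
end

-- Constructed scenario: every plugin's newest release is exactly 2 days old.
local DAY = 86400
local now = os.time()
local published_at = now - 2 * DAY
for name, age in pairs(ages) do
  print(string.format("%-36s min_age=%dd  allowed=%s",
    name, age / DAY, tostring(is_update_allowed(age, published_at, now))))
end
-- telescope and plenary: allowed (opted out); web-devicons: blocked until 3d;
-- unconfigured-plugin: blocked until 7d.
```

Because `resolve_tree` computes one number per plugin up front, the same table can drive both the checker (which release is "new enough" to advertise) and `:Lazy update` (which one to actually check out), so transitive dependencies get the same gate as the plugin that pulled them in.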
Describe alternatives you've considered
- Pinning to specific commits or tags. Works but requires manual maintenance per plugin.
- `version = "*"`. Restricts to tagged releases only, but doesn't enforce any age gate.
- Reviewing diffs before every `:Lazy update`. Reasonable practice but doesn't scale and doesn't help with transitive updates.
Note that issue #2081 covered the same request but was closed without explanation 5 months ago. Raising again given the significant ecosystem momentum around this pattern since then.
Additional context
No response