diff --git a/home/base/core/npm.nix b/home/base/core/npm.nix
index 62f09acd..8d3c8f04 100644
--- a/home/base/core/npm.nix
+++ b/home/base/core/npm.nix
@@ -1,9 +1,14 @@
 { config, ... }:
 {
-  # 1. make `npm install -g <pkg>` happey
-  # 2. set min-release-age(in days) for security
+  # make `npm install -g <pkg>` happey
+  # npm - set min-release-age(in days) for supply-chain security
   home.file.".npmrc".text = ''
     prefix=${config.home.homeDirectory}/.npm
     min-release-age=2
   '';
+
+  # npm - set min release age (in minutes) for supply-chain security
+  xdg.configFile."pnpm/config.yaml".text = ''
+    minimumReleaseAge: 2880
+  '';
 }
diff --git a/home/base/core/pip.nix b/home/base/core/pip.nix
index 520f68a8..19237441 100644
--- a/home/base/core/pip.nix
+++ b/home/base/core/pip.nix
@@ -1,7 +1,14 @@
 _: {
-  # use mirror for pip install
+  # use pypi mirror
+  # filter packages via upload time for supply-chain security
   xdg.configFile."pip/pip.conf".text = ''
     [global]
     index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
+
+    [install]
+    uploaded-prior-to = P2D
+  '';
+  xdg.configFile."uv/uv.toml".text = ''
+    exclude-newer = "2 days"
   '';
 }