
Dependency Cooldowns: Free-Rider Ethics Divide Developers

Dependency cooldowns have become the most widely adopted supply chain security feature of 2026. Every major package manager from npm to pip now ships some form of this protection. The premise is simple: wait 3-7 days after a package release before updating, allowing others to discover malicious versions first. But Cal Paterson’s provocative March 2026 critique argues this popular practice is ethically broken – your security comes at someone else’s expense.

Your Security Depends on Someone Else Getting Burned

Dependency cooldowns work by turning early adopters into unwitting beta testers. They discover attacks while cooldown users stay protected – a free-rider dynamic where individual rationality produces collective harm. Paterson puts it bluntly: “You’re relying on other people to suffer the consequences so you can stay safe. It’s individually rational, collectively bonkers.”

March 2026 validated this uncomfortably. LiteLLM’s compromised versions harvested AWS, GCP, and Azure credentials from 3.4 million daily downloads. Those without cooldowns paid the price. The TeamPCP threat group’s malicious code ran in production environments before being detected and yanked – exactly the scenario dependency cooldowns are designed to avoid. But avoiding it meant someone else had to trigger the alarm first.

The ethical problem is clear: if everyone uses cooldowns, who discovers the attacks? The model assumes a population of non-cooldown users willing to take on disproportionate risk. That’s an unsustainable security architecture masquerading as best practice.

80% of Attacks Stopped by 7-Day Cooldowns

Despite the ethics, cooldowns demonstrably work. William Woodruff examined 10 high-profile supply chain attacks and found 8 of 10 (80%) had windows of opportunity under 7 days before detection. March 2026’s attack wave validated this: LiteLLM (March 26), Telnyx SDK, and axios (March 30) were all detected and yanked within days.


The axios compromise hit hardest. Over 100 million weekly npm downloads, account takeover on a lead maintainer, two poisoned versions delivering a Remote Access Trojan. Detected quickly, yanked fast. A standard 7-day cooldown would have blocked it entirely. The same pattern held for LiteLLM’s credential harvesting and Telnyx’s backdoor hidden in WAV files – short attack windows before security researchers caught them.

The effectiveness is real. Attacks have narrow windows because security vendors scan aggressively, communities report suspicious behavior fast, and registries yank compromised versions quickly. Package manager cooldowns exploit this existing detection infrastructure without requiring centralized changes. Zero implementation cost, 80% protection. The pragmatic case is overwhelming.

Upload Queues Could Solve the Ethics Problem

Cal Paterson proposes “upload queues” as an ethically superior alternative. New releases wait N days at the registry level before public availability – similar to Debian’s unstable → testing → stable progression. Security scanning, public diffs, and beta testing happen during the queue period. Nobody suffers disproportionately because the delay is centralized, not offloaded to random early adopters.

Debian has run this model for over 20 years. Packages move through unstable (immediate), testing (10-day delay with automated checks), and stable (vetted) repositories. Paterson argues npm, PyPI, and RubyGems could implement similar staging. Funding could come from paid expedited reviews for commercial entities willing to pay for faster promotion.

Upload queues eliminate free-rider dynamics while maintaining protection. The challenge isn’t technical – it’s political and governance. Registries must agree to implement delays, developers must accept slower access to bleeding-edge releases, and someone needs to fund the infrastructure. It’s the better solution but far harder to execute than end-user configuration files.

Ecosystem Adopted Fast Despite Ethical Concerns

Between September 2025 and February 2026, every major package manager shipped dependency cooldown support. pnpm (v10.16), Yarn (v4.10), and Bun (v1.3) added it in September 2025. npm (v11.10.0) followed in February 2026. uv (v0.9.17) and Deno (v2.6) joined in late 2025. The ecosystem converged in six months.

Configuration is fragmented but functional. npm uses min-release-age (days). pnpm counts minutes: minimumReleaseAge: 4320 (3 days × 24 hours × 60 minutes). Bun measures seconds: minimumReleaseAge = 259200. uv accepts human-readable durations: exclude-newer = "3 days". Different names, different time units, same protection.

# .npmrc
min-release-age=7

# pyproject.toml
[tool.uv]
exclude-newer = "3 days"


Mend Renovate went further – making 3-day cooldowns the default for npm packages. Opt-out, not opt-in. That shift signals where the industry landed: cooldowns are the norm now, not an optional hardening measure.

The speed of adoption shows the pragmatic appeal outweighed ethical discomfort. Supply chain attacks spiked in late 2025 and early 2026. The ecosystem needed defenses fast. Cooldowns delivered 80% protection with zero infrastructure cost. The ethics can wait – or so the industry decided.

The Divided Community

The Hacker News discussion today (87 points, 46 comments) reveals genuine division. Developers prioritizing stability accept cooldowns despite free-rider concerns. Others argue delays leave systems vulnerable to known CVEs during the cooldown window – trading unknown malicious code risk for known vulnerability exposure.

Language ecosystems matter. Java developers report smoother updates than Node.js developers, shaping their tolerance for delays. Most agree on nuance: bypass cooldowns for disclosed security patches, but delay routine updates. The split isn’t about technical effectiveness – it’s about values. Do you optimize individual security at collective cost, or accept higher personal risk for ecosystem health?
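The following Python is an added illustration, not code from the article or from any package manager: it models what a cooldown-aware resolver does with the min-release-age style settings shown earlier, plus the "bypass cooldowns for disclosed security patches" nuance from the discussion above. The package, version numbers, timestamps and the security_fix flag are all constructed for the example; real registries expose publish times and yank status in their own formats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime
    yanked: bool = False          # registry has pulled the version
    security_fix: bool = False    # flagged as a fix for a disclosed vulnerability (assumed metadata)


def version_key(version: str) -> tuple:
    """Sort key for dotted numeric versions such as '1.4.2'."""
    return tuple(int(p) for p in version.split("."))


def cooldown_settings(days: int) -> dict:
    """Express one cooldown in each tool's unit, using the key names quoted in the article."""
    return {
        "npm": f"min-release-age={days}",                     # days, in .npmrc
        "pnpm": f"minimumReleaseAge: {days * 24 * 60}",       # minutes
        "bun": f"minimumReleaseAge = {days * 24 * 60 * 60}",  # seconds
        "uv": f'exclude-newer = "{days} days"',               # human-readable, under [tool.uv]
    }


def eligible(releases: list, cooldown_days: float, now: datetime,
             bypass_security_fixes: bool = True) -> list:
    """Releases a cooldown-aware resolver may install at `now`.

    Yanked versions are never eligible. A version must be at least
    `cooldown_days` old, unless it is a flagged security fix and the
    caller has opted into the bypass.
    """
    cutoff = now - timedelta(days=cooldown_days)
    return [
        r for r in releases
        if not r.yanked
        and (r.published <= cutoff or (bypass_security_fixes and r.security_fix))
    ]


def resolve_latest(releases: list, cooldown_days: float, now: datetime,
                   bypass_security_fixes: bool = True) -> Optional[Release]:
    """Newest eligible version, or None if the cooldown rules out everything."""
    candidates = eligible(releases, cooldown_days, now, bypass_security_fixes)
    return max(candidates, key=lambda r: version_key(r.version), default=None)


def cooldown_blocks(published: datetime, yanked_at: datetime, cooldown_days: float) -> bool:
    """True if a user on this cooldown could never have been served the version.

    Cooldown users see a version only from `published + cooldown` onward; if the
    registry yanked it before that moment, the cooldown blocked it entirely.
    This is the "attack window shorter than the cooldown" condition.
    """
    return yanked_at <= published + timedelta(days=cooldown_days)


# Constructed timeline for a hypothetical package; none of these are real releases.
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)
RELEASES = [
    Release("1.4.0", datetime(2026, 3, 10, tzinfo=timezone.utc)),
    # Routine release, three days old: under a cooldown nobody knows yet whether it is safe.
    Release("1.4.1", datetime(2026, 3, 29, tzinfo=timezone.utc)),
    # Hypothetical fix for a disclosed vulnerability, published yesterday.
    Release("1.4.2", datetime(2026, 3, 31, tzinfo=timezone.utc), security_fix=True),
]


if __name__ == "__main__":
    for days in (0, 7):
        for bypass in (False, True):
            chosen = resolve_latest(RELEASES, days, NOW, bypass)
            print(f"cooldown={days}d bypass={bypass}: {chosen.version if chosen else None}")
    # A version yanked two days after publication is blocked by a 7-day cooldown but not a 1-day one.
    print(cooldown_blocks(RELEASES[1].published, RELEASES[2].published, 7))
    print(cooldown_settings(3))
```

Under a 7-day cooldown the resolver stays on 1.4.0, skipping the three-day-old 1.4.1; with the security-patch bypass enabled it jumps straight to the flagged 1.4.2 while still skipping 1.4.1. That is the trade the discussion describes: the bypass removes the known-CVE exposure during the window, but it also means a release only has to be labelled a security fix to skip the cooldown, so the flag has to come from advisory data you trust rather than from the package itself. The same age filter applied on the registry side, before a version becomes visible at all, is the upload-queue model.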

The pragmatic camp wins for now. Cooldowns are everywhere. But Paterson’s critique lingers. We’re all complicit in a system where early adopters subsidize everyone else’s safety. That’s not sustainable long-term, even if it works today.

Key Takeaways

  • Dependency cooldowns turn early adopters into unwitting beta testers who discover attacks so cooldown users stay safe – a free-rider dynamic that’s “individually rational, collectively bonkers”
  • 80% of supply chain attacks have detection windows of under 7 days (William Woodruff), validated by March 2026’s LiteLLM, Telnyx, and axios compromises that would have been stopped
  • Upload queues (Debian model) could eliminate free-riding by centralizing delays at registry level, enabling security scanning before public release – but require registry cooperation
  • All major package managers (npm, pnpm, Yarn, Bun, uv, Deno) shipped cooldowns in 6 months (Sept 2025 – Feb 2026), with Mend Renovate making 3-day minimums the default
  • Use cooldowns now for pragmatic protection, but advocate for upload queues as the ethically superior long-term solution – the current model isn’t sustainable if everyone adopts it
ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
