Dependency cooldowns (waiting N days before adopting a new package version, so that a malicious release is likely to be discovered and pulled before it reaches you) are gaining popularity, but the author argues they create a free-rider problem: those who configure cooldowns are relying on users who have not configured them to install the malicious release first and surface it. The proposed alternative is an 'upload queue' at the package registry level: new releases are held after publication but before distribution, giving time for automated security scanning, public diffs, and maintainer notifications. Because the hold happens at the registry, it protects everyone uniformly, with no per-project configuration. The author extends the argument to LLM agent skill files (markdown treated as an executable format) and addresses funding concerns by suggesting commercial expedited review as a revenue model for package indexes.
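To make the contrast concrete, here is an added example (not code from the post or from any registry) that models both resolution strategies over a constructed set of releases. The package, version numbers, timestamps and the `review_cleared` flag are all hypothetical. A client-side cooldown only protects the clients that set it; a registry-side hold changes what every client can resolve, and an expedited review that clears a release is modelled as a flag the registry sets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data for a hypothetical package; versions, dates and
# the review flag are made up for this example and match no real registry.

@dataclass(frozen=True)
class Release:
    version: str
    published: datetime
    # Upload-queue model: the registry distributes a release once its hold
    # period has expired or a reviewer (e.g. paid expedited review) cleared it.
    review_cleared: bool = False


NOW = datetime(2025, 1, 20, 12, 0, tzinfo=timezone.utc)

RELEASES = [
    Release("1.4.0", NOW - timedelta(days=40)),
    Release("1.4.1", NOW - timedelta(days=9)),
    Release("1.5.0", NOW - timedelta(hours=6)),  # freshly published, unvetted
]


def _version_key(release: Release) -> tuple[int, ...]:
    """Order releases by dotted numeric version (enough for this sample)."""
    return tuple(int(part) for part in release.version.split("."))


def resolve_with_cooldown(releases, cooldown_days: int, now: datetime = NOW):
    """Client-side dependency cooldown.

    Ignore any release younger than cooldown_days. A client that never
    configured a cooldown (cooldown_days=0) resolves the freshest release,
    which is exactly the asymmetry the post calls a free-rider problem:
    the cooldown users are protected only because someone else installs
    the fresh release first.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [r for r in releases if r.published <= cutoff]
    return max(eligible, key=_version_key).version if eligible else None


def resolve_from_queued_registry(releases, hold_days: int, now: datetime = NOW):
    """Registry-side upload queue.

    The registry withholds a release until the hold expires or review clears
    it. The client has no setting to get around this, so every consumer,
    configured or not, sees the same distributable set.
    """
    cutoff = now - timedelta(days=hold_days)
    distributable = [
        r for r in releases if r.review_cleared or r.published <= cutoff
    ]
    return max(distributable, key=_version_key).version if distributable else None


def clear_release(releases, version: str):
    """Return the release list with one version marked as review-cleared,
    standing in for the expedited-review path the post proposes."""
    return [
        Release(r.version, r.published, True) if r.version == version else r
        for r in releases
    ]


if __name__ == "__main__":
    print("unconfigured client  :", resolve_with_cooldown(RELEASES, 0))
    print("7-day cooldown client:", resolve_with_cooldown(RELEASES, 7))
    print("7-day registry hold  :", resolve_from_queued_registry(RELEASES, 7))
    print("after expedited review:",
          resolve_from_queued_registry(clear_release(RELEASES, "1.5.0"), 7))
```

Run it and the first two lines differ (1.5.0 versus 1.4.1), showing that with cooldowns the outcome depends on each client's configuration, while the registry hold gives every client 1.4.1 until the hold lapses or a review clears 1.5.0.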
Table of contents

Dependency cooldowns - the weakness of individual action
Upload queues - the many upsides of central action
Removing the element of surprise
This applies more than double for AI
Is funding a problem? Not obviously
Individually rational, collectively bonkers
Contact/etc