A comprehensive survey of dependency cooldown support across package managers and update tools. The concept — delaying installation of newly published package versions by a minimum period (e.g., 7 days) — aims to give security researchers time to flag malicious publishes before automated tooling pulls them into projects. JavaScript ecosystems moved fastest, with pnpm, Yarn, Bun, npm, and Deno all shipping cooldown features between September 2025 and February 2026. Python's uv and pip have partial support, Rust's Cargo has registry-side infrastructure stabilized with an RFC in progress, while Go, Ruby's Bundler, Composer, and NuGet are still in discussion or relying on Dependabot/Renovate. Update bots like Renovate and Dependabot have had cooldown support for longer. The post also covers tooling for auditing configs (zizmor, StepSecurity, OpenRewrite) and digs into implementation nuances like absolute vs. relative timestamps, timezone edge cases, and the fragmented naming of the feature across tools.
Table of contents

- JavaScript
- Python
- Ruby
- Rust, Go, PHP, .NET
- Dependency update tools
- Checking your config
- Still waiting
- Language vs. system package managers
- The timestamp problem
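The resolution rule the summary describes (skip any version published less than N days ago) and the timestamp nuances it mentions, as an added example that is not code from the post or from any of the package managers it surveys. It runs over a constructed npm-style `time` map (version to ISO-8601 publish timestamp; not real package data), accepts the cooldown either as a relative `timedelta` or an absolute cutoff `datetime`, and refuses naive clock values so the timezone edge case cannot silently shift the window; assumes Python 3.7+.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an npm registry document's "time" field.
# The "created"/"modified" keys are metadata, not versions. Not real data.
SAMPLE_TIME = {
    "created": "2025-01-01T00:00:00.000Z",
    "modified": "2026-02-10T09:00:00.000Z",
    "1.0.0": "2025-01-01T00:00:00.000Z",
    "1.1.0": "2026-01-20T12:00:00.000Z",
    "1.2.0": "2026-02-08T23:30:00.000Z",
    "1.2.1": "2026-02-10T09:00:00.000Z",
}

def parse_publish_time(ts):
    """Parse a registry timestamp into a timezone-aware UTC datetime."""
    # Registries emit a trailing "Z"; fromisoformat only accepts it from 3.11,
    # so normalise it to an explicit offset first.
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # defensive: never compare naive against aware
        dt = dt.replace(tzinfo=timezone.utc)
    return dt

def cooldown_cutoff(cooldown, now):
    """Relative cooldown (timedelta) -> now - cooldown; absolute datetime -> as given."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware (use datetime.now(timezone.utc))")
    if isinstance(cooldown, timedelta):
        return now - cooldown
    if cooldown.tzinfo is None:
        raise ValueError("absolute cutoff must be timezone-aware")
    return cooldown

def eligible_versions(time_field, cooldown, now):
    """Versions published at or before the cutoff, in ascending version order."""
    cutoff = cooldown_cutoff(cooldown, now)
    versions = [v for v in time_field if v not in ("created", "modified")]
    ok = [v for v in versions if parse_publish_time(time_field[v]) <= cutoff]
    # Sample versions are plain MAJOR.MINOR.PATCH; a real resolver would use a semver parser.
    return sorted(ok, key=lambda v: tuple(int(p) for p in v.split(".")))

def newest_eligible(time_field, cooldown, now):
    """The version a cooldown-aware resolver would pick, or None if nothing has aged enough."""
    ok = eligible_versions(time_field, cooldown, now)
    return ok[-1] if ok else None

if __name__ == "__main__":
    now = datetime(2026, 2, 16, 4, 0, tzinfo=timezone.utc)  # 2026-02-15 23:00 in UTC-5
    print(newest_eligible(SAMPLE_TIME, timedelta(days=7), now))  # 1.2.0
```

Note the boundary in the sample: with a 7-day window and a clock of 2026-02-16T04:00Z, 1.2.0 (published 2026-02-08T23:30Z) has aged enough, but if the same local wall-clock time (23:00 in UTC-5) were mistaken for UTC the cutoff would move five hours earlier and 1.2.0 would be held back, which is exactly the kind of timezone discrepancy between tools the summary refers to.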