The packages that are actually compromised are yanked, but I assume you're talking about a scenario more like log4shell. In that case, you can just disable the config to install the update, then re-enable in 7 days. Given that compromised packages are uploaded all the time and zero-day vulnerabilities are comparatively less common, I'd say it's the right call.
reply`uv` has per-package overrides, I imagine there may be similar in other managers
replyI haven't checked, but it would be surprising that the min-release-age applies to npm audit and equivalent commands
replyAt least with pnpm, you can specify minimumReleaseAgeExclude, temporarily until the time passes. I imagine the other package managers have similar options.
replyNot really an issue though right because virtually none of these have lasted more than 1-2 days before being discovered?
replyOut of the frying pan and into the frier.....
replyExactly what I thought too when I read this...
replyUrgent fix, patch released, invisible to dev team cause they put in a 7 day wait. Now our app is vulnerable for up to 7 days longer than needed (assuming daily deploys. If less often, pad accordingly). Not a great excuse as to why the company shipped an "updated" version of the app with a standing CVE in it. "Sorry we were blinded to the critical fix because set an arbitrary local setting to ignore updates until they are 7 days old". I wouldn't fire people over that, but we'd definitely be doing some internal training.