The idea that 7 days is overkill is crazy to me. Unless you need a specific new feature, you should usually be fine with a dependency version that was released months ago when starting a new project. Ditto for doing regular dep upgrades.

The only issue I see is responding to vulnerabilities, where you want to upgrade immediately. But I think in that case it's fine to require the developer to be explicit in the new version they want.

reply
I agree, but in most recent cases a 1 day cooldown would have been enough.

I added a “how to bypass if you have to patch a zero day CVE” section to depsguard for all supported package managers.

reply
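The cooldown described in the two comments above (use a dependency version that has been public for at least N days, but let a developer explicitly pin a newer version when a CVE forces an immediate upgrade) can be expressed as a small resolver over the registry's per-version publish timestamps. The following is an added example, not code from depsguard, pnpm, or any commenter. It assumes the shape of an npm registry "packument", whose `time` object maps each version to its publish timestamp (plus `created` and `modified` keys); the package name and timestamps below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample packument, trimmed to the fields used here.
# The real registry document carries more keys, but "time" is what a
# cooldown policy needs: one publish timestamp per released version.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",  # hypothetical package name
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-06-10T12:00:00.000Z",
        "1.0.0": "2024-01-01T00:00:00.000Z",
        "2.0.0": "2024-05-20T09:30:00.000Z",
        "2.0.1": "2024-06-05T08:00:00.000Z",
        "2.1.0": "2024-06-10T12:00:00.000Z",
    },
}


def _parse_iso(ts: str) -> datetime:
    """Parse the registry's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def _version_key(version: str) -> tuple:
    """Sort key for plain semver (prerelease suffix ignored for the example)."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def eligible_versions(packument: dict, now_iso: str, min_age_days: int,
                      explicit_pins: frozenset = frozenset()) -> list:
    """Return versions that satisfy the cooldown, oldest first.

    A version is eligible if it was published at least `min_age_days` before
    `now_iso`, or if it appears in `explicit_pins` (the documented bypass for
    an urgent CVE fix: the developer names the exact version they want).
    """
    cutoff = _parse_iso(now_iso) - timedelta(days=min_age_days)
    eligible = []
    for version, published in packument["time"].items():
        if version in ("created", "modified"):
            continue  # metadata keys, not versions
        if version in explicit_pins or _parse_iso(published) <= cutoff:
            eligible.append(version)
    return sorted(eligible, key=_version_key)


def resolve_latest(packument: dict, now_iso: str, min_age_days: int,
                   explicit_pins: frozenset = frozenset()):
    """Highest version allowed by the policy, or None if nothing qualifies."""
    versions = eligible_versions(packument, now_iso, min_age_days, explicit_pins)
    return versions[-1] if versions else None


if __name__ == "__main__":
    now = "2024-06-11T00:00:00Z"
    print("7-day cooldown:", resolve_latest(SAMPLE_PACKUMENT, now, 7))
    print("1-day cooldown:", resolve_latest(SAMPLE_PACKUMENT, now, 1))
    print("1-day cooldown with explicit pin:",
          resolve_latest(SAMPLE_PACKUMENT, now, 1, frozenset({"2.1.0"})))
```

With the sample data and a "now" of 2024-06-11, a 7-day window resolves to 2.0.0 and a 1-day window to 2.0.1, while an explicit pin on 2.1.0 is honoured regardless of its age. The pin list is deliberately a separate input from the age setting so that bypassing the cooldown leaves a reviewable trace (a named version in the lockfile or policy file) rather than silently disabling the policy.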
Seems like you dropped something:

> Disclaimer: I maintain depsguard

reply
Yikes. You are correct. Honest truth, I got a few downvotes (after a few more upvotes), thought this was the cause, but you’re right. Didn’t think that it matters much, I’ll add it back. Had no idea anyone noticed. Fair enough, thanks for keeping me honest.

Edit: added it back, inline.

reply
This is like buying something from the grocery store and then waiting a week to eat it in case the FDA put out a warning about it.

reply
More akin to letting astronauts stay in quarantine for a day in case they caught space bugs.

If every other week I would notice the FDA recalls a popular brand that would have taken over my brain and transmitted my bank password and SSN to a stranger, I might prefer drinking week-old milk.

Edit: not dismissing your analogy, it’s pretty much it.

reply
No, it's not. That's a terrible analogy.

reply
Release escrow.

Teams should be able to say "at least N developers have to agree to a release before it happens." This should be a policy they can control and lock down with a non developer account.

reply
Interesting idea, but there are so many cases of solo maintainers.

I think that npm can have its own cooldown and automated security scan. Socket.dev, StepSecurity both close a gap here by spending tokens to scan new popular packages. Whether they do it for marketing or out of the goodness of their heart, is irrelevant. They don’t charge for this service, and it’s something I’d expect Microsoft (who owns GitHub who owns npm) to do.

reply
Yes, props to pnpm for adding a 1-day cooldown by default in v11.

reply