> Should we instead of these cooldowns just run builds in isolated contexts?
replyI'd suggest both. Cooldown for 1-2 days is very cheap and you likely won't even notice it, so it's quite harmless and from what I've seen even just 24 hours is enough to let security companies pick up malware.
But yeah, isolation is a must-have.
At this point, is there an obligation of package managers, or at least npm to arrange the sandboxing themselves?
replyOr as us or companies to wrap the build tools to provide the wrapping for them.