The article discusses the growing adoption of 'dependency cooldown' mechanisms across major package managers: the package manager delays installing a newly published version for a set period, giving the community time to spot and report a malicious release before it reaches downstream projects. This trend was inspired by a recent LiteLLM supply chain attack and has been implemented in tools such as pnpm, Yarn, Bun, Deno, uv, pip, and npm throughout 2025-2026. The piece highlights how this security practice is becoming standardized as a defense against malicious updates.
Background
Supply chain attacks in software dependencies have become a critical security concern, where malicious actors compromise trusted packages to infect downstream projects. Package managers are responding by implementing features that introduce deliberate delays before adopting new versions.
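As an added illustration of the cooldown idea (this is example code, not code from the article or from any of the package managers it names), the script below applies a minimum-age rule to npm-style registry metadata: the `time` map that records when each version was published. The package data is a constructed sample, and the function and parameter names (`select_version`, `min_age`) are assumptions chosen for the example rather than the settings any real tool uses.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of registry metadata in the npm "packument" shape.
# The "time" map lists the publish timestamp of each version; the values
# here are made up for the example. Real npm metadata also carries
# "created" and "modified" keys in this map, which are not versions.
SAMPLE_PACKAGE = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2026-01-10T12:00:00.000Z",
        "modified": "2026-03-24T22:15:00.000Z",
        "1.0.0": "2026-01-10T12:00:00.000Z",
        "1.1.0": "2026-02-20T09:30:00.000Z",
        "2.0.0": "2026-03-24T22:15:00.000Z",  # published yesterday: still cooling down
    },
}

NON_VERSION_KEYS = {"created", "modified"}


def parse_ts(ts: str) -> datetime:
    """Parse a registry timestamp ("...Z") into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    """Sort key for plain x.y.z versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(package: dict, min_age: timedelta, now: datetime) -> list:
    """Return versions published at least `min_age` before `now`, oldest first."""
    cutoff = now - min_age
    eligible = [
        version
        for version, published in package["time"].items()
        if version not in NON_VERSION_KEYS and parse_ts(published) <= cutoff
    ]
    return sorted(eligible, key=version_key)


def select_version(package: dict, min_age: timedelta, now: datetime):
    """Pick the newest version that has finished its cooldown.

    Returns a (selected, held_back) pair: `selected` is the version to install
    (None if nothing is old enough), `held_back` lists versions that exist but
    are still inside the cooldown window, so the caller can log them.
    """
    eligible = eligible_versions(package, min_age, now)
    all_versions = sorted(
        (v for v in package["time"] if v not in NON_VERSION_KEYS), key=version_key
    )
    held_back = [v for v in all_versions if v not in eligible]
    selected = eligible[-1] if eligible else None
    return selected, held_back


if __name__ == "__main__":
    now = datetime(2026, 3, 25, 6, 0, tzinfo=timezone.utc)
    chosen, held = select_version(SAMPLE_PACKAGE, timedelta(days=3), now)
    print(f"install {SAMPLE_PACKAGE['name']}@{chosen}; held back: {held}")
```

With a three-day cooldown and the sample clock set to 2026-03-25, the script installs 1.1.0 and reports 2.0.0 as held back, even though the registry's `latest` tag points at 2.0.0; with the cooldown set to zero it would take 2.0.0 immediately. The `held_back` list is the part worth surfacing in practice, since a version sitting in the window is exactly the one to watch for a retraction or advisory.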
- Source: Simon Willison
- Published: Mar 25, 2026 at 05:11 AM
- Score: 7.0 / 10