jamesnorden 3 days ago

I think the cooldown approach would make this type of attack have practically no impact anymore. If nobody ever updates to a newly published package version until, say, 2-3 days have gone by, surely there will be enough time for the owner of the package to notice he got pwned.

beart 3 days ago | parent | next [-]

Renovate Bot has this setting.

https://docs.renovatebot.com/configuration-options/#minimumr...

deevus 3 days ago | parent | prev | next [-]

I've never heard of this. It sounds like a solid default to me. If you _really_ need an update you can override it, but it should remain the default and not allow opting out.

deevus 3 days ago | parent [-]

https://github.com/pnpm/pnpm/issues/9921

artursapek 3 days ago | parent [-]

The funny thing about this is, if everyone has the same cooldown, aren't we back in the same boat?

Sure, there are other ways for the package maintainer to notice they were pwned, but often they will not notice.

Raed667 3 days ago | parent [-]

The cool down isn't for end users. It is for package maintainers and scanners.

empiko 3 days ago | parent | prev [-]

What about cases when the update fixes a security issue? Anybody using this approach would be a target for a few more days.

friendzis 3 days ago | parent [-]

I know it sounds preposterous, but there are more ways to apply patches than npm pull.

a_victorp 3 days ago | parent [-]

Update package versions manually, you say? The audacity!
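As an added illustration of the cooldown idea discussed in this thread (this is example code, not something from the thread, Renovate or pnpm), the following script picks the newest version of a package that has been public for at least N days. It reads the same shape of data as the npm registry packument's `time` field (a map of version to ISO-8601 publish timestamp), but the packument below is constructed sample data, not a real package. The `allowlist` parameter is an assumption of this example: it covers the objection raised above that a freshly published version may itself be the security fix, letting you pull one vetted version through the window without disabling the cooldown for everything else.

```javascript
// Added example, not part of the original thread or of any package manager.
// Implements a "minimum release age" check: refuse to upgrade to any version
// published less than `cooldownDays` ago, unless that exact version has been
// reviewed by hand and placed on an allowlist.

// Constructed sample of an npm packument's `time` field (not a real package).
const SAMPLE_TIME = {
  created: '2024-01-01T00:00:00.000Z',
  modified: '2024-06-10T12:00:00.000Z',
  '1.0.0': '2024-01-01T00:00:00.000Z',
  '1.0.1': '2024-03-15T00:00:00.000Z',
  '1.1.0': '2024-06-01T00:00:00.000Z',
  '1.1.1': '2024-06-10T12:00:00.000Z', // freshly published: inside the window
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "x.y.z" into numbers; non-version keys (created/modified) yield null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Whole days between the version's publish time and `now`; null if unknown.
function versionAgeDays(timeMap, version, now) {
  const published = Date.parse(timeMap[version]);
  if (Number.isNaN(published)) return null;
  return Math.floor((now - published) / DAY_MS);
}

// Walk versions newest-first and return the first one that is either
// allowlisted (hand-vetted, e.g. an urgent security fix) or old enough.
// The skipped list is returned so the caller can log why newer versions
// were held back.
function selectVersion(timeMap, { cooldownDays, now = Date.now(), allowlist = [] }) {
  const versions = Object.keys(timeMap)
    .filter((k) => parseVersion(k) !== null)
    .sort(compareVersions);

  const skipped = [];
  for (let i = versions.length - 1; i >= 0; i--) {
    const v = versions[i];
    const age = versionAgeDays(timeMap, v, now);
    if (allowlist.includes(v)) {
      return { version: v, reason: 'allowlisted', ageDays: age, skipped };
    }
    if (age !== null && age >= cooldownDays) {
      return { version: v, reason: 'cooldown-elapsed', ageDays: age, skipped };
    }
    skipped.push({ version: v, ageDays: age });
  }
  return { version: null, reason: 'no-eligible-version', ageDays: null, skipped };
}

// Fixed "now" so the demo is deterministic when run stand-alone.
const NOW = Date.parse('2024-06-12T00:00:00.000Z');
console.log(selectVersion(SAMPLE_TIME, { cooldownDays: 3, now: NOW }));
console.log(selectVersion(SAMPLE_TIME, { cooldownDays: 3, now: NOW, allowlist: ['1.1.1'] }));
```

With a 3-day window and the sample timestamps, 1.1.1 (about a day old) is skipped and 1.1.0 is chosen; adding 1.1.1 to the allowlist lets it through with the reason recorded. Note that the check only buys time: it helps if the maintainer, a scanner, or the registry flags the bad version before the window closes, so it should be re-run against the live packument at upgrade time rather than cached.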