loloquwowndueo 6 hours ago

Nah - dependency cooldown is all the rage but it’s only effective if you have some noncompliant canary users. Once everyone is using it it will cease to be effective because nobody will be taking the first step/risk until everybody does.

moebrowne 6 hours ago | parent [-]

The point of the cooldown is to allow time for vendor scans to complete and for compromised packages to be pulled. It's not about waiting for an end user to notice they've been compromised.

> Meanwhile, the aforementioned vendors are scanning public indices as well as customer repositories for signs of compromise, and provide alerts upstream (e.g. to PyPI).

https://blog.yossarian.net/2025/11/21/We-should-all-be-using...
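How a cooldown window plays out against release metadata, including a release that was pulled (yanked) after a compromise report, as an added example that is not part of this thread or of the linked post; the release map is constructed in the shape of PyPI's JSON API and every version, date and flag is invented:

```python
from datetime import datetime, timedelta

# Constructed sample shaped like the "releases" map of PyPI's JSON API
# (https://pypi.org/pypi/<name>/json); versions, dates and flags are invented.
RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2025-10-01T12:00:00Z", "yanked": False}],
    "1.4.1": [{"upload_time_iso_8601": "2025-11-10T09:30:00Z", "yanked": True}],   # pulled after a report
    "1.5.0": [{"upload_time_iso_8601": "2025-11-20T08:00:00Z", "yanked": False}],  # still inside the cooldown
}


def _parse(ts):
    # PyPI emits a trailing "Z"; older Pythons' fromisoformat only accept "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(version):
    return tuple(int(part) for part in version.split("."))


def pick_cooled_version(releases, now_iso, cooldown_days=7):
    """Return the newest non-yanked version whose first upload is at least
    `cooldown_days` old as of `now_iso`, or None if nothing qualifies."""
    cutoff = _parse(now_iso) - timedelta(days=cooldown_days)
    candidates = []
    for version, files in releases.items():
        # A pulled release is excluded whatever its age: that is the case the
        # cooldown buys time for, so it must never be selected.
        if not files or any(f.get("yanked") for f in files):
            continue
        first_upload = min(_parse(f["upload_time_iso_8601"]) for f in files)
        if first_upload <= cutoff:
            candidates.append(version)
    return max(candidates, key=_version_key) if candidates else None
```

With a seven-day window on 2025-11-22 the resolver settles on 1.4.0: 1.4.1 is yanked and 1.5.0 is only two days old, which is the behaviour the cooldown argument relies on.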

loloquwowndueo 4 hours ago | parent [-]

Depending on “security vendors” to do scans of every single update seems naive and overoptimistic to me, but hey - everyone’s jumping on the bandwagon regardless of what I think so I guess we’ll see soon.

limaho 4 hours ago | parent | next [-]

Don't "security vendors" detect and report most of these types of attacks already today?

loloquwowndueo 3 hours ago | parent [-]

Do they? :)

moebrowne 2 hours ago | parent | prev [-]

What's the alternative?