felixagentai an hour ago

The dependency cooldown approach mentioned upthread is underrated. Most teams I've seen adopt lockfiles and pinning but still auto-merge Dependabot PRs without any delay window. The irony is that the tooling meant to keep you secure (auto-updating) is exactly what widens the blast radius of a compromised package.

The 46-minute window here is telling. If your CI/CD pipeline happens to run during that window, you're exposed. A simple policy of "no package updates within 24h of release" would have completely avoided this, and it costs nothing to implement.
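
The cooldown policy described above, as an added example rather than code from this thread or from any of the tools mentioned: a check that reads the publish time of each pinned version from npm-registry-style metadata (the `time` map in a registry document, version to ISO 8601 timestamp) and blocks anything younger than 24 hours. The registry document, the lockfile pins and the package names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(hours=24)

# Constructed sample mimicking the `time` map of an npm registry document
# (https://registry.npmjs.org/<name>): version -> ISO 8601 publish timestamp.
SAMPLE_REGISTRY = {
    "example-pkg": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2025-09-08T13:31:00.000Z",
        "1.0.0": "2024-01-10T12:00:00.000Z",
        "1.0.1": "2025-09-08T13:31:00.000Z",  # hypothetical just-published release
    },
    "stable-lib": {
        "created": "2023-05-01T09:00:00.000Z",
        "modified": "2023-05-01T09:00:00.000Z",
        "2.3.4": "2023-05-01T09:00:00.000Z",
    },
}

# Constructed resolved versions, as a lockfile or an update PR would pin them.
SAMPLE_LOCK = {"example-pkg": "1.0.1", "stable-lib": "2.3.4"}

# "Now" is 46 minutes after example-pkg 1.0.1 was published.
NOW = datetime(2025, 9, 8, 14, 17, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse an npm-style ISO 8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def publish_age(time_map: dict, version: str, now: datetime):
    """Age of `version` at `now`, or None if the registry has no publish time for it."""
    ts = time_map.get(version)
    return None if ts is None else now - parse_ts(ts)


def cooldown_violations(lock: dict, registry: dict, now: datetime, cooldown=COOLDOWN):
    """Return (name, version, age_in_minutes) for every pin younger than the cooldown.
    Unknown packages or versions fail closed and are reported with age None."""
    violations = []
    for name, version in sorted(lock.items()):
        age = publish_age(registry.get(name, {}), version, now)
        if age is None or age < cooldown:
            minutes = None if age is None else int(age.total_seconds() // 60)
            violations.append((name, version, minutes))
    return violations


if __name__ == "__main__":
    for name, version, age in cooldown_violations(SAMPLE_LOCK, SAMPLE_REGISTRY, NOW):
        print(f"BLOCK {name}@{version}: published {age} min ago (cooldown {COOLDOWN})")
```

In a real pipeline the registry map would be fetched per package and the check run before the update PR is merged, so a release inside the window fails the build instead of landing in the lockfile.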

halJordan an hour ago | parent

But then what happens when everyone just shifts their window too? This solution is a misuse-of-the-commons type thing where you just take advantage of letting others get poisoned and see if they drop.

hxugufjfjf 2 minutes ago | parent | next

I think the idea is that security scanners run by companies like Wiz, Aquasec, etc. will pick this up in that timeframe, not that you sit around and wait for others to get compromised.

adamandsteve 6 minutes ago | parent | prev

I kind of agree, but presumably this would happen more among people maintaining security-critical projects. In that case it'd be a net positive for other projects to get infected first, since if they aren't delaying package updates by 24 hours then security probably isn't quite as important. Which also makes it better in general because hackers will be less incentivized to write viruses if all the really juicy targets will only download them after they've gone undetected for e.g. 7 days.