ajross 2 days ago

Dependency cooldowns are theater. They will do nothing. Supply chain hacks get caught when someone gets pwned, and all this does is push the deadline out.

You find attacks via cross-organization auditing, like you do in Linux distros, and this doesn't do that.