kazinator 16 hours ago
If everyone simultaneously imposes the same cooldown period for picking up a new dependency, that's as good as nothing at all. The malicious change just sits there for 20 days (or whatever) with nobody looking at it or running it. Then it hits everywhere at once. However, a randomized cooldown may be a good idea. To borrow a pandemic term, it flattens the curve.