moebrowne an hour ago
> If everyone starts waiting a week, their exploits will wait 2 weeks

It's much easier to break into an npm/GitHub account and push malicious commits in the few hours a maintainer is sleeping than it is to push something out and not have it noticed for 2 weeks. There are lists of attacks which had an exposure window which was much shorter than 2 weeks:

https://daniakash.com/posts/simplest-supply-chain-defense/
https://blog.yossarian.net/2025/11/21/We-should-all-be-using...
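As an added illustration of the cooldown policy being debated above (not code from the thread): a resolver that picks the newest version published at least N days ago, using a constructed registry-style `time` map for a hypothetical package, plus a check of whether a bad release would still have been held back at the moment it was noticed. Versions are ranked by publish time, not semver, which is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: same shape as the "time" map in an npm registry
# packument (version -> ISO-8601 publish timestamp). Hypothetical package.
SAMPLE_TIMES = {
    "1.4.0": "2025-11-01T10:00:00.000Z",
    "1.4.1": "2025-11-10T08:30:00.000Z",
    "1.5.0": "2025-11-20T22:15:00.000Z",  # published a few hours before "now"
}


def parse_ts(ts: str) -> datetime:
    """Parse a registry timestamp ('...Z') into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def select_with_cooldown(times: dict, now: datetime, min_age_days: int):
    """Return (chosen_version, held_versions).

    chosen_version is the most recently published version that is at least
    min_age_days old at `now`; held_versions are those still inside the
    cooldown window and therefore not yet installable under the policy.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible, held = [], []
    for version, ts in times.items():
        published = parse_ts(ts)
        if published <= cutoff:
            eligible.append((published, version))
        else:
            held.append(version)
    eligible.sort()  # oldest first; last entry is the newest eligible release
    chosen = eligible[-1][1] if eligible else None
    return chosen, sorted(held)


def was_shielded(published_ts: str, noticed_ts: str, min_age_days: int) -> bool:
    """True if a release was noticed (and could be pulled) before the cooldown
    would have let it through; False if it sat unnoticed for the whole window."""
    exposure = parse_ts(noticed_ts) - parse_ts(published_ts)
    return exposure < timedelta(days=min_age_days)


if __name__ == "__main__":
    now = parse_ts("2025-11-21T03:00:00Z")
    print(select_with_cooldown(SAMPLE_TIMES, now, 7))       # ('1.4.1', ['1.5.0'])
    print(was_shielded(SAMPLE_TIMES["1.5.0"], "2025-11-21T03:00:00Z", 7))  # True
```

The second function is the crux of the comment: a cooldown only helps when the malicious release is noticed within the window, so a week-long hold shields against the hours-long compromises in the linked lists but not against one that stays unnoticed for longer than the hold.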