A guide to dependency cooldowns

May 27, 2026 · 1 min read

We’ve already discussed the trend of features being added to Python package managers to guard against the flurry of short-lived supply chain attacks like the infamous LiteLLM compromise. Now, a new website by software engineer Martin Prpič documents the implementation of so-called dependency cooldowns (a minimum age a newly published version must reach before a package manager will select it) across a variety of software ecosystems, in particular Python, JavaScript, and Rust. It also documents an open proposal in Go.
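To make the mechanism concrete, here is an added example (not code from the post or from the cooldown website) of the core rule every cooldown implementation applies: drop any candidate version whose upload time is more recent than `now - cooldown`, then resolve as usual among what is left. The package index, its upload timestamps and the simple dotted version ordering are constructed for illustration; real resolvers use their ecosystem's version semantics (PEP 440, semver) and read the timestamps from index metadata.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Release:
    """One published version of a package (constructed for this example)."""
    version: str
    # Upload time as reported by the index; None models an index that does not
    # expose it, which a cooldown must treat as "unknown age" and fail closed.
    uploaded: Optional[datetime]


def parse_version(version: str) -> tuple[int, ...]:
    # Dotted-integer ordering only; real tools use PEP 440 / semver parsers.
    return tuple(int(part) for part in version.split("."))


def eligible_releases(releases: list[Release], cooldown: timedelta, now: datetime) -> list[Release]:
    """Keep only releases that have been public for at least `cooldown`."""
    cutoff = now - cooldown
    return [r for r in releases if r.uploaded is not None and r.uploaded <= cutoff]


def select_with_cooldown(releases: list[Release], cooldown: timedelta, now: datetime) -> Optional[Release]:
    """Newest release that satisfies the cooldown, or None if nothing is old enough yet."""
    candidates = eligible_releases(releases, cooldown, now)
    if not candidates:
        return None
    return max(candidates, key=lambda r: parse_version(r.version))


def held_back(releases: list[Release], cooldown: timedelta, now: datetime) -> list[str]:
    """Versions the cooldown excluded, useful for surfacing *why* the newest was not installed."""
    kept = {r.version for r in eligible_releases(releases, cooldown, now)}
    return sorted((r.version for r in releases if r.version not in kept), key=parse_version)


# Constructed sample index: a 40-day-old release, a 9-day-old release, and a
# version pushed 20 hours ago (the kind a short-lived compromise would publish).
NOW = datetime(2026, 5, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = [
    Release("1.4.0", NOW - timedelta(days=40)),
    Release("1.5.0", NOW - timedelta(days=9)),
    Release("1.5.1", NOW - timedelta(hours=20)),
    Release("1.6.0", None),  # index gives no timestamp: never eligible
]

if __name__ == "__main__":
    for days in (0, 7, 60):
        chosen = select_with_cooldown(SAMPLE_RELEASES, timedelta(days=days), NOW)
        print(f"cooldown={days}d -> install {chosen.version if chosen else 'nothing'}; "
              f"held back {held_back(SAMPLE_RELEASES, timedelta(days=days), NOW)}")
```

With a 7-day cooldown the resolver installs 1.5.0 and reports 1.5.1 as held back; with no cooldown it takes 1.5.1 straight away. The window only helps if a malicious version is noticed and yanked before it ages past the cutoff, so the cooldown length is a trade-off between that detection time and how quickly legitimate fixes reach you.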

This guide should make it easier for developers to implement safer defaults in their personal and professional development environments.