Dependency cooldowns are a highly effective way to mitigate supply-chain attacks, which have become a lot more frequent recently. And because it’s such a simple strategy to implement, I think that every project should adopt it.
Once a malicious release of a popular package is published, the attacker’s window of opportunity is usually less than a week before it’s detected. Therefore, as William Woodruff showed, adding a one- or two-week cooldown period before adopting any new release would have prevented most of the prominent supply-chain attacks in recent months.
Implementation in uv for Python is as simple as adding this to your pyproject.toml (the setting lives under the `[tool.uv]` table):

```toml
[tool.uv]
# Ignore any release published less than a week before resolution time.
exclude-newer = "1 week"
```
Dependabot, Renovate, and pnpm all have equivalent features.
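To make the rule concrete, here is an added example (not code from the original post, uv, or any of the tools named above): a small Python resolver that applies the same cutoff `exclude-newer` expresses, run against constructed release metadata shaped like PyPI's JSON API. The `NOW` timestamp and the versions are made up for the illustration.

```python
"""Toy dependency-cooldown resolver: pick the newest release older than the cooldown."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of PyPI's JSON API:
# "releases" -> version -> list of uploaded files with "upload_time_iso_8601".
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2026-01-10T12:00:00Z"}],
    "1.4.1": [{"upload_time_iso_8601": "2026-03-02T09:30:00Z"}],
    "1.5.0": [{"upload_time_iso_8601": "2026-03-14T18:45:00Z"}],  # only two days old
}
NOW = datetime(2026, 3, 16, 12, 0, tzinfo=timezone.utc)  # constructed "resolution time"


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 1.10.0 sorts after 1.9.0 (toy: dotted integers only)."""
    return tuple(int(part) for part in version.split("."))


def release_time(files: list) -> datetime:
    """A release counts as published when its first file was uploaded."""
    return min(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def held_back(releases: dict, cooldown: timedelta, now: datetime) -> list:
    """Versions that exist but are too young to be installed yet (useful to log)."""
    cutoff = now - cooldown
    return sorted(
        (v for v, files in releases.items() if release_time(files) > cutoff),
        key=parse_version,
    )


def select_with_cooldown(releases: dict, cooldown: timedelta, now: datetime):
    """Newest version whose publication time is at least `cooldown` in the past."""
    cutoff = now - cooldown
    eligible = [v for v, files in releases.items() if release_time(files) <= cutoff]
    return max(eligible, key=parse_version) if eligible else None


if __name__ == "__main__":
    week = timedelta(weeks=1)
    print("selected:", select_with_cooldown(SAMPLE_RELEASES, week, NOW))  # 1.4.1
    print("held back:", held_back(SAMPLE_RELEASES, week, NOW))  # ['1.5.0']
```

With a zero cooldown the same data resolves to 1.5.0, which is exactly the release a one-week cooldown would have skipped had it been the malicious one.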
One common pushback against this strategy is that it stops working if everyone adopts it, but I don’t think this is correct. Compromised releases get caught quickly, not because they are used in a real exploit first, but because there are researchers actively looking for them.
Dependency cooldowns, of course, don’t catch all supply-chain attacks, but for a one-line config change, they offer a lot of protection.