Dependency cooldowns are a highly effective way to mitigate supply-chain attacks, which have become a lot more frequent recently. And because it’s such a simple strategy to implement, I think that every project should adopt it.
Once a malicious release of a popular package is published, the attacker’s window of opportunity is usually less than a week before it’s detected. Therefore, as William Woodruff showed, adding a one- or two-week cooldown period before adopting any new release would have prevented most of the prominent supply-chain attacks in recent months.
Implementation in uv for Python is as simple as adding this one line to your pyproject.toml:
toml
exclude-newer = "1 week"
Dependabot, Renovate, and pnpm all have equivalent features.
One common pushback against this strategy is that it stops working if everyone adopts it, but I don’t think this is correct. Compromised releases get caught quickly, not because they are used in a real exploit first, but because there are researchers actively looking for them.
Dependency cooldowns, of course, don’t catch all supply-chain attacks, but for a one-line config change, they offer a lot of protection.
If you're using Claude Code or other coding agents, check whether they have access to your secrets. Many developers assume .env files are protected by default, but they are not.
In Claude Code, the interactive permission prompt is the only barrier, and it's easy to click through without thinking. To fix this, you can add a deny rule in your global Claude Code settings (see screenshot).
It takes 30 seconds to set up, and it's the kind of thing you only think about after something goes wrong.
