I don’t get your point. In most examples cited in the article, the supply chain attacks were found either by security researchers or maintainers realizing they did not intentionally push compromised version, not by everyday developers. The goal of dependency cooldowns is to give researchers and maintainers more time to detect attacks before they reach end-users.
No no no, I should be using dependency cooldowns. You all should be finding the vulnerabilities and getting them fixed before they reach me.
I don’t get your point. In most examples cited in the article, the supply chain attacks were found either by security researchers or maintainers realizing they did not intentionally push compromised version, not by everyday developers. The goal of dependency cooldowns is to give researchers and maintainers more time to detect attacks before they reach end-users.
It’s a joke, not a real point, don’t worry.