I don’t get your point. In most examples cited in the article, the supply chain attacks were found either by security researchers or maintainers realizing they did not intentionally push compromised version, not by everyday developers. The goal of dependency cooldowns is to give researchers and maintainers more time to detect attacks before they reach end-users.
I don’t get your point. In most examples cited in the article, the supply chain attacks were found either by security researchers or maintainers realizing they did not intentionally push compromised version, not by everyday developers. The goal of dependency cooldowns is to give researchers and maintainers more time to detect attacks before they reach end-users.
It’s a joke, not a real point, don’t worry.