惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
C
Cyber Attacks, Cyber Crime and Cyber Security
G
GRAHAM CLULEY
T
Tenable Blog
T
Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
Darknet – Hacking Tools, Hacker News & Cyber Security
K
Kaspersky official blog
Security Latest
Security Latest
P
Privacy & Cybersecurity Law Blog
Google Online Security Blog
Google Online Security Blog
SecWiki News
SecWiki News
P
Palo Alto Networks Blog
TaoSecurity Blog
TaoSecurity Blog
Webroot Blog
Webroot Blog
Spread Privacy
Spread Privacy
O
OpenAI News
The Last Watchdog
The Last Watchdog
P
Proofpoint News Feed
C
Check Point Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
人人都是产品经理
人人都是产品经理
S
Security @ Cisco Blogs
Scott Helme
Scott Helme
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
月光博客
月光博客
S
Securelist
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
T
Troy Hunt's Blog
W
WeLiveSecurity
GbyAI
GbyAI
N
News | PayPal Newsroom
Y
Y Combinator Blog
C
Cisco Blogs
H
Help Net Security
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 【当耐特】
Jina AI
Jina AI
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
云风的 BLOG
云风的 BLOG
小众软件
小众软件
N
News and Events Feed by Topic

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Software Dependency Cooldowns Are a Symptom, Not a Strategy
Aaron Linskens · 2026-06-16 · via 2024 Sonatype Blog

Open source does not move too fast.

That may sound counterintuitive while dependency cooldowns are gaining traction across package managers, update tools, and security teams. The idea is simple enough: don't consume a package version the second it is published. Wait a few hours, a day, maybe longer, and give the ecosystem time to notice if something is malicious.

Some software security vendors recently argued for package cooldown policies as a way to keep newly published packages from entering environments unchecked, or added cooldown support around Dependabot workflows to control the pace and safety of dependency updates.

On the surface, this feels reasonable. Recent attacks against npm and other ecosystems have shown how quickly a compromised maintainer account, stolen publishing token, or hijacked package can distribute malicious code. A malicious release can move through automated dependency updates and CI pipelines before most humans even know something happened.

So yes, dependency cooldowns can help. They acknowledge something important: blindly trusting the newest version of a package is a bad default.

But a delay is not a strategy. The problem is not that dependencies move too fast. The problem is that most organizations lack the intelligence to know which releases they can trust.

Waiting Is Not Knowing

A dependency cooldown is ultimately a bet. If you wait 24 hours, you are betting that someone else will discover the malicious package in 24 hours. Sometimes that bet pays off.

Plenty of malicious packages are noisy. They steal tokens, call out to strange infrastructure, or trigger obvious alarms. A short delay may keep you out of that initial blast radius.

But some malicious packages are patient, targeted, or designed to look normal until they find the right environment. Those can sit undetected well beyond whatever waiting period an organization chooses.

That is the weakness of cooldowns: time becomes a proxy for trust. And time is a pretty weak proxy.

A package that is 24 hours old is not automatically safe. Neither is one that is 30 days old. Age may reduce one class of risk, but it does not establish integrity.

Slowing Everything Down Creates Its Own Problem

There is also a practical cost. Teams need bug fixes, security patches, compatibility updates, and new capabilities quickly. Dependency automation exists because manual processes could not keep up.

If the answer to supply chain risk is simply "make everything wait," security becomes another brake pedal developers learn to route around.

Software supply chain security should help developers move safely, not force them to choose between speed and trust. The real question is not, "How long should every dependency sit in timeout?" It is, "Which releases deserve trust, and which ones should be stopped?"

Release Integrity Beats Release Age

This is where Release Integrity matters. Our co-founder and CTO Brian Fox made a similar point when pnpm introduced minimumReleaseAge: delaying new releases can help, but there is no perfect waiting period, and delaying alone cannot solve the problem.

A blanket cooldown says: "This release is new, so nobody gets it yet."

Release Integrity asks: "What do we know about this release?"

New releases can introduce real risk into a build pipeline, including malware, critical vulnerabilities, or licensing issues. But treating every new release as equally suspicious is not intelligence. It is a timeout.

With Sonatype Firewall, Release Integrity analyzes new component releases for unusual behavior. Typical releases can be assigned a normal rating. Releases that raise concern can be flagged, reviewed, and temporarily quarantined. Components found to be malicious stay blocked.

Cooldowns assume the ecosystem will eventually notice something bad. Release Integrity inspects the release at the point of consumption and makes a decision based on signals.

One treats speed as the enemy. The other treats unknown risk as the enemy.

Dependency Cooldowns Can Be a Layer, Not the Answer

To be clear, I am not arguing that every software dependency cooldown is useless.

A short minimum release age can be a reasonable safety net, especially in ecosystems where new package versions can spread very quickly through automated installs and update tools. Other ecosystem-level defaults, like npm's move to make dependency install scripts opt-in by default, can also reduce obvious exposure.

But these controls should be treated as fallback layers, not the foundation of a supply chain security program.

They do not identify malicious behavior. They do not distinguish between a trusted maintainer publishing an urgent fix and an attacker publishing a compromised release. They do not help much when malicious code survives beyond the waiting window.

The safer approach is layered:

  • Use sensible defaults that avoid blindly pulling the newest version.

  • Add short release-age controls where they reduce obvious exposure.

  • Put a repository firewall in front of developers and build systems.

Use Release Integrity to quarantine suspicious releases, block malicious ones, and automatically release components once they are deemed safe. That gives teams the benefit people want from cooldowns without pretending that waiting creates trust.

Open Source Does Not Need to Move Slower

The answer to software supply chain attacks cannot be to make open source development artificially slow for everyone. The answer is to make trust more intelligent.

Software dependency cooldowns are popular because they are easy to understand, and they show the industry is waking up to the risk of consuming new releases blindly. That is progress.

But we should be clear about the limit: cooldowns can buy time. They cannot create trust. They can reduce exposure to attacks that are detected quickly, but they cannot tell you whether a release is safe.

For that, organizations need intelligence at the point of consumption: policy enforcement before components enter the software supply chain, the ability to block what is malicious, quarantine what is suspicious, automatically release what is safe, and keep developers moving when a release is trustworthy.

Dependency cooldowns are a symptom of the right concern. They are not the cure.

The future of software supply chain security will not be built on waiting longer. It will be built on knowing sooner.

Tags

thought leaders secure software supply chain dependencies Open Source development Release Management Sonatype Firewall