Package Managers Need to Cool Down
2 days ago
- #supply-chain-security
- #dependency-management
- #package-managers
- Dependency cooldowns are proposed to mitigate supply chain attacks by delaying the installation of new package versions.
- Different package managers use various names for cooldown features, such as 'minimumReleaseAge', 'exclude-newer', and 'stabilityDays'.
- The JavaScript ecosystem adopted cooldown features rapidly across multiple package managers (pnpm, Yarn, Bun, npm, Deno).
- Python's 'uv' and 'pip' support cooldowns, with 'uv' allowing relative durations and per-package overrides.
- Ruby lacks native cooldown support, but 'gem.coop' provides a registry-level cooldown solution.
- Rust's Cargo has an RFC for cooldowns, with a unique approach requiring explicit version updates.
- Go, PHP, and .NET have open proposals or issues for cooldown support.
- Dependency update tools like Renovate, Dependabot, and Snyk enforce cooldowns with varying configurations.
- System package managers (e.g., apt, Homebrew) inherently have review processes that act as cooldowns.
- Cooldown implementations differ in handling absolute vs. relative timestamps and timezone considerations.
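As an added illustration of the last point (not code from the original post or from any of the package managers it names), here is a small cooldown resolver that accepts either a relative duration or an absolute cutoff timestamp, normalises everything to UTC, and picks the newest version that has aged past the cutoff. The package name, the timestamps and the registry-style `version -> publish time` map are constructed for the example; ordering by publish time rather than semver is a deliberate simplification.

```python
"""Cooldown resolver: pick the newest version published before a cutoff.
Added example; the `SAMPLE_TIMES` layout only mimics a per-version publish-time
map and is an assumption for illustration, not a real registry response."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Constructed sample data for a hypothetical package "examplepkg".
SAMPLE_TIMES: Dict[str, str] = {
    "1.0.0": "2024-01-01T12:00:00.000Z",
    "1.1.0": "2024-01-20T09:30:00.000Z",
    "1.1.1": "2024-01-28T18:00:00.000Z",  # published 2 days before "now" below
}

Cutoff = Union[timedelta, str, datetime]


def to_utc(ts: Union[str, datetime]) -> datetime:
    """Parse an ISO 8601 string (or accept a datetime) and return an aware UTC
    value; naive inputs are treated as UTC so comparisons never mix aware and
    naive datetimes, the timezone pitfall the summary mentions."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")) if isinstance(ts, str) else ts
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def resolve_cutoff(spec: Cutoff, now: datetime) -> datetime:
    """Relative spec (timedelta, like a minimum release age) is subtracted from
    `now`; absolute spec (timestamp, like an exclude-newer date) is used as-is."""
    if isinstance(spec, timedelta):
        return to_utc(now) - spec
    return to_utc(spec)


def cooled_versions(times: Dict[str, str], spec: Cutoff, now: datetime) -> List[str]:
    """Versions published at or before the cutoff, newest publish time first."""
    cutoff = resolve_cutoff(spec, now)
    aged = [(to_utc(ts), v) for v, ts in times.items() if to_utc(ts) <= cutoff]
    return [v for _, v in sorted(aged, reverse=True)]


def pick_version(times: Dict[str, str], spec: Cutoff, now: datetime) -> Optional[str]:
    """Newest version that satisfies the cooldown, or None if nothing has aged enough."""
    candidates = cooled_versions(times, spec, now)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    now = datetime(2024, 1, 30, 12, 0, tzinfo=timezone.utc)
    print(pick_version(SAMPLE_TIMES, timedelta(days=7), now))  # 1.1.0
```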