Package Managers Need to Cool Down
4 hours ago
- #supply-chain-security
- #dependency-management
- #package-managers
- Dependency cooldowns help prevent supply chain attacks by delaying the installation of newly published dependency versions, giving time for a compromised release to be detected and pulled before it reaches downstream builds.
- Major package managers like pnpm, Yarn, Bun, Deno, uv, pip, and npm now support dependency cooldown mechanisms.
- Recent updates include features like minimum release age settings and exemptions for trusted packages.
- pip currently supports only absolute dates for cooldowns, with a workaround available for relative durations.
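As an added example (not code from the article or from any of the package managers named), the Python below models the resolution rule a cooldown enforces: pick the newest release that is at least N minutes old, skip the check for an exempted trusted package, and turn a relative cooldown into the absolute cutoff timestamp that a date-only option such as pip's expects. The registry data and the `now` timestamp are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample registry response for one package: version -> upload time.
# This is not real PyPI/npm data.
RELEASES = {
    "1.4.0": "2025-01-10T09:00:00Z",
    "1.4.1": "2025-02-01T12:00:00Z",
    "1.5.0": "2025-02-04T15:30:00Z",  # published ~2 days before NOW
    "1.5.1": "2025-02-06T08:00:00Z",  # published 4 hours before NOW
}
# Constructed "current time" so the example is deterministic.
NOW = datetime(2025, 2, 6, 12, 0, tzinfo=timezone.utc)

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _version_key(version):
    # Numeric sort of dotted versions so "1.10.0" sorts after "1.9.0".
    return tuple(int(part) for part in version.split("."))

def select_version(releases, min_release_age_minutes, now=NOW, exempt=False):
    """Return the newest version uploaded at or before now - cooldown.

    exempt=True models a trusted-package exemption: the cooldown is skipped
    and the newest release is returned. Returns None when every release is
    still inside the cooldown window, which the caller should treat as
    "nothing installable yet" rather than falling back to the newest one.
    """
    cutoff = now - timedelta(minutes=min_release_age_minutes)
    candidates = [v for v, ts in releases.items() if exempt or _parse(ts) <= cutoff]
    if not candidates:
        return None
    return max(candidates, key=_version_key)

def relative_to_absolute(min_release_age_minutes, now=NOW):
    """Convert a relative cooldown into the absolute cutoff a date-only flag needs."""
    cutoff = now - timedelta(minutes=min_release_age_minutes)
    return cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    print(select_version(RELEASES, 3 * 24 * 60))      # 1.4.1
    print(select_version(RELEASES, 3 * 24 * 60, exempt=True))  # 1.5.1
    print(relative_to_absolute(7 * 24 * 60))          # 2025-01-30T12:00:00Z
```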