No no no, I should be using dependency cooldowns. You all should be finding the vulnerabilities and getting them fixed before they reach me.
I don’t get your point. In most examples cited in the article, the supply chain attacks were found either by security researchers or maintainers realizing they did not intentionally push compromised version, not by everyday developers. The goal of dependency cooldowns is to give researchers and maintainers more time to detect attacks before they reach end-users.
It’s a joke, not a real point, don’t worry.
If we all use them, won’t attackers switch to waiting an extra week before attempting to activate their attacks? This feels similar to antibiotics resistance in bacteria coming from over use of antibiotics.
Yes they could, but most importantly it gives more time for researchers and maintainers to detect attacks and fix them before they reach end-users.
