@mhoye dependency cooldown in this case would be “don’t install the latest version for 7 days”?
@nitinkhanna “do not install packages or their updates if they’ve been available less than 7 days”, yeah.
@mhoye the problem with that being if someone is trying to ship an important feature or bug fix or even vuln fix. Each scenario would need special consideration from the package registry.
@nitinkhanna we can imagine a world where there are out-of-band patch cycles in urgent cases, because we live in that world today.

@mhoye but that's not the standard - it's the exception. In the sense that, if there's a big enough urgent case, people reach out to people on the registry side and get priority. You're asking that to be the case for everyone who wants priority. Once you open that can of worms, everyone wants priority. Who wouldn't?

It's not ideal, but putting the impetus of not downloading the latest version on the users makes sense when the standard is and should be version pinning.

@mhoye here's the thing - I used to work at JFrog. One of their core security offerings for customers is "don't run anything less than 7/24/60 days old". I get that that makes sense. But to make that the default for everyone everywhere does not make sense to me.