Package Managers Need to Cool Down
24th March 2026 - Link Blog
<p><strong><a href="https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html">Package Managers Need to Cool Down</a></strong></p>
<p>Today's <a href="https://simonwillison.net/2026/Mar/24/malicious-litellm/">LiteLLM supply chain attack</a> inspired me to revisit the idea of <a href="https://simonwillison.net/2025/Nov/21/dependency-cooldowns/">dependency cooldowns</a>, the practice of only installing updated dependencies once they've been out in the wild for a few days to give the community a chance to spot if they've been subverted in some way.</p>
<p>This recent piece (March 4th) by Andrew Nesbitt reviews the current state of dependency cooldown mechanisms across different packaging tools. It's surprisingly well supported! There's been a flurry of activity across major packaging tools, including:</p>
- pnpm 10.16 (September 2025): minimumReleaseAge with minimumReleaseAgeExclude for trusted packages
- Yarn 4.10.0 (September 2025): npmMinimalAgeGate (in minutes) with npmPreapprovedPackages for exemptions
- Bun 1.3 (October 2025): minimumReleaseAge via bunfig.toml
- Deno 2.6 (December 2025): --minimum-dependency-age for deno update and deno outdated
- uv 0.9.17 (December 2025): added relative duration support to existing --exclude-newer, plus per-package overrides via exclude-newer-package
- pip 26.0 (January 2026): --uploaded-prior-to (absolute timestamps only; relative duration support requested)
- npm 11.10.0 (February 2026): min-release-age
pip currently only supports absolute rather than relative dates but Seth Larson has a workaround for that using a scheduled cron to update the absolute date in the pip.conf config file.
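The tools listed above all implement the same rule: turn a relative cooldown ("at least N days old") into an absolute cutoff, resolve to the newest release uploaded at or before that cutoff, and let an allow-list of trusted packages bypass the gate. The following is an added example that is not code from Simon Willison's post, Andrew Nesbitt's article, or any of the package managers named; it implements that rule over constructed release metadata and also renders the absolute timestamp that pip's `--uploaded-prior-to` needs, which is the piece a scheduled job would refresh in pip.conf. Assumptions: the release data shape (version to upload timestamp) is constructed inline and only resembles PyPI's JSON API; the package names are hypothetical; and the pip.conf key `uploaded-prior-to` under `[install]` is assumed to mirror the CLI flag the way pip's other config keys do.

```python
"""Dependency cooldown (minimum release age) as a stand-alone resolver.

Added example; not the code of any package manager named in the post.
ASSUMPTIONS: release metadata below is constructed (shape only resembles
PyPI's JSON API); package names are hypothetical; the pip.conf key
`uploaded-prior-to` is assumed to mirror the `--uploaded-prior-to` flag.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample index: version -> upload timestamp (UTC, ISO 8601).
SAMPLE_RELEASES = {
    "examplepkg": {                      # hypothetical third-party package
        "1.4.0": "2026-03-01T10:00:00Z",
        "1.5.0": "2026-03-20T08:30:00Z",
        "1.5.1": "2026-03-24T02:15:00Z",  # hours old: inside any cooldown window
    },
    "trusted-internal": {                # hypothetical allow-listed package
        "0.9.0": "2026-03-23T12:00:00Z",
    },
}


def parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def cutoff_for(min_age_days: int, now: datetime) -> datetime:
    """Relative cooldown -> absolute cutoff (the form pip's flag requires)."""
    return now - timedelta(days=min_age_days)


def pick_version(releases: dict, cutoff: datetime, exempt: bool = False):
    """Newest release uploaded at or before the cutoff.

    `exempt=True` mirrors minimumReleaseAgeExclude / npmPreapprovedPackages:
    the package skips the gate entirely. Returns None when every release is
    still inside the cooldown window, so the caller keeps its current pin.
    """
    eligible = [
        (parse_iso(ts), version)
        for version, ts in releases.items()
        if exempt or parse_iso(ts) <= cutoff
    ]
    if not eligible:
        return None
    eligible.sort()               # by upload time; newest last
    return eligible[-1][1]


def resolve(index: dict, min_age_days: int, now: datetime, exempt=()) -> dict:
    """Apply the cooldown to every package in the index."""
    cutoff = cutoff_for(min_age_days, now)
    return {
        name: pick_version(rels, cutoff, exempt=name in exempt)
        for name, rels in index.items()
    }


def pip_conf_snippet(min_age_days: int, now: datetime) -> str:
    """Render the absolute cutoff for pip.conf; a cron job re-runs this daily.

    The section/key is an assumption based on how pip maps CLI flags to
    config keys; check `pip config` documentation for the installed version.
    """
    cutoff = cutoff_for(min_age_days, now)
    return f"[install]\nuploaded-prior-to = {cutoff.strftime('%Y-%m-%dT%H:%M:%SZ')}\n"


if __name__ == "__main__":
    now = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
    print(resolve(SAMPLE_RELEASES, 7, now, exempt={"trusted-internal"}))
    print(pip_conf_snippet(7, now))
```

Run as-is to see that a seven-day cooldown holds `examplepkg` at 1.4.0 even though 1.5.0 and 1.5.1 exist, that the allow-listed package still resolves to its day-old release, and that the rendered pip.conf fragment carries the absolute date a scheduled job would rewrite each day.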
Simon Willison Blog
https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/#atom-everything