A Cooldown Is Not a Sourcing Strategy
Jonny Rivera
May 11, 2026

Frequently Asked Questions
What is a dependency cooldown and how does it work?
A dependency cooldown is a time-based filter applied by package managers (npm, pnpm, Yarn) or update tools like Dependabot. It prevents your CI/CD pipeline from automatically installing a newly published package version until a set number of days has passed — typically 7 days. The bet is that the broader security community will detect and report any malicious version within that window before your build pulls it in.
Do dependency cooldowns stop supply chain attacks?
Cooldowns reduce exposure to fast-moving attacks. High-profile incidents like the Axios compromise were detected within hours, so a 12-hour cooldown would have protected most teams. However, cooldowns rely on the assumption that attackers won't simply delay malware execution until after the waiting period expires. As cooldowns become standard practice, patient attackers are expected to adapt their tactics accordingly.
What is the difference between "Scan and Pray" and "Curate and Govern" in software supply chain security?
"Scan and Pray" is a reactive model: you install dependencies and scan for problems after the fact, hoping to detect bad packages quickly. "Curate and Govern" is a proactive model: dependencies are vetted and admitted to a governed catalog before they ever enter your environment, so policy is enforced at the source rather than downstream in CI logs. Cooldowns are a refinement of the first model; they are not a substitute for the second.
How do AI coding agents affect software supply chain security?
AI coding agents (like Copilot or other LLM-based tools) increasingly generate dependency declarations — package.json files, requirements.txt, and direct install commands — as part of scaffolding new code. These suggestions often bypass whatever cooldown or sourcing policy a team has configured, because the agent is operating outside the governed pipeline. This makes it critical to ensure your dependency governance policy has reach over how your team is actually adding packages today, not just how your CI resolves them.
Why are transitive dependencies a security risk that cooldowns don't address?
Transitive dependencies are the packages that your direct dependencies themselves depend on. Your package manager resolves and installs these automatically, often several layers deep. While cooldowns apply to the version your installer resolves, they don't give you visibility or control over the entire dependency tree you didn't curate. A package three levels deep with a wide semantic version range can still introduce a vulnerability — and because your team didn't choose it directly, it's harder to trace and remediate.
What should teams do right now to improve dependency security?
Start by adopting cooldowns — set them to 7 days where possible, 12 hours as a minimum. Apply them in Dependabot for cross-ecosystem coverage. Pin your direct dependencies and audit broad semantic version ranges like ^ and ~. Then go further: audit who governs your full dependency tree, where policy is applied (source vs. CI), and whether your AI-assisted development workflows are operating within your sourcing guardrails.
What is package provenance and why does it matter?
Package provenance refers to the verified origin and build integrity of a software package — knowing where it came from, who built it, and that it hasn't been tampered with in transit. Provenance-based governance means a package's admissibility to your build is determined by whether its origin meets your policy, not by how old it is. This posture holds regardless of freshness: a 1-hour-old package from a verified, governed source is safer than a 1-year-old package from an unauthenticated maintainer account on a public registry.
How do I configure dependency cooldowns in npm, pnpm, Yarn, and Dependabot?
npm 11.10 and later supports cooldown configuration via .npmrc. pnpm and Yarn have also shipped cooldown support. In Dependabot, cooldowns can be set per ecosystem in your dependabot.yml file, giving you cross-language coverage from a single configuration. Check the official documentation for each tool for the exact configuration keys, as these features are actively evolving.
.png)
.png)
.png)