Hacker News new | ask | show | jobs
by loloquwowndueo 203 days ago
Nah - dependency cooldown is all the rage but it’s only effective if you have some noncompliant canary users. Once everyone is using it it will cease to be effective because nobody will be taking the first step/risk until everybody does.
1 comments
moebrowne 203 days ago
The point of the cooldown is to allow time for vendor scans to complete and for compromised packages to be pulled. It's not about waiting for an end user to notice they've been compromised.

> Meanwhile, the aforementioned vendors are scanning public indices as well as customer repositories for signs of compromise, and provide alerts upstream (e.g. to PyPI).

https://blog.yossarian.net/2025/11/21/We-should-all-be-using...

link
loloquwowndueo 203 days ago
Depending on “security vendors” to do scans of every single update seems naive and over optimistic to me, but hey - everyone’s jumping on the bandwagon regardless of what I think so I guess we’ll see soon.
link
limaho 203 days ago
Don't "security venders" detect and report most of these types of attacks already today?
link
loloquwowndueo 203 days ago
Do they? :)
link
moebrowne 203 days ago
What's the alternative?
link