Dependency cooldowns turn you into a free-rider
This article critiques the growing trend of dependency cooldowns in software development, which delay adoption of new package versions to avoid supply chain attacks. It argues that while cooldowns offer modest individual protection, they rely on others as unpaid beta testers, creating a free-rider problem. The piece highlights implementation challenges across multiple package managers, easy circumvention, and the inefficiency of repeated configuration. It proposes upload queues as a more effective central solution, separating publishing from distribution to improve security without shifting burden to the community.