Rosa Del Mar

Daily Brief

Issue 83 2026-03-24

Cross-Ecosystem Rollout Of Minimum Dependency Age Controls (2025-09 To 2026-02)

General
Sources: 1 • Confidence: High • Updated: 2026-03-25 17:55

Key takeaways

  • An Andrew Nesbitt article published March 4 reviews the current state of dependency cooldown mechanisms across packaging tools.
  • Dependency cooldowns reduce risk by delaying installation of newly updated dependencies for a few days to give the community time to detect subversion.
  • Relative duration support for pip’s --uploaded-prior-to has been requested but is not yet implemented.
  • A supply chain attack affecting LiteLLM prompted renewed focus on dependency cooldowns.
  • Between September 2025 and February 2026, multiple package managers added or highlighted minimum dependency age controls, including pnpm, Yarn, Bun, Deno, uv, pip, and npm.

Sections

Cross-Ecosystem Rollout Of Minimum Dependency Age Controls (2025-09 To 2026-02)

  • An Andrew Nesbitt article published March 4 reviews the current state of dependency cooldown mechanisms across packaging tools.
  • Between September 2025 and February 2026, multiple package managers added or highlighted minimum dependency age controls, including pnpm, Yarn, Bun, Deno, uv, pip, and npm.
  • Dependency cooldowns are described as surprisingly well supported, with a recent flurry of activity across major packaging tools.

Cooldown Mechanism And Operational Policy Knobs

  • Dependency cooldowns reduce risk by delaying installation of newly updated dependencies for a few days to give the community time to detect subversion.
  • pnpm and Yarn support dependency age gating and provide exemption mechanisms for trusted or preapproved packages.

Pip Usability Gap And Interim Automation Workaround

  • Relative duration support for pip’s --uploaded-prior-to has been requested but is not yet implemented.
  • A workaround for pip’s lack of relative dates is to use a scheduled cron job to keep an absolute date in pip.conf up to date.
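The cron workaround described above, as an added example that is not from the article or this brief: a POSIX shell script that computes the cutoff date a fixed number of days back and rewrites pip.conf with an absolute date. It assumes that the option is configurable as `uploaded-prior-to` under the `[install]` section and accepts an ISO 8601 date; both are assumptions to check against your pip version.

```shell
#!/bin/sh
# Added example (not from the brief): keep pip's absolute
# --uploaded-prior-to cutoff rolling forward from cron.
# Assumptions: the option is read from pip.conf as `uploaded-prior-to`
# in the [install] section and accepts a YYYY-MM-DD date.
set -eu

# Print the UTC date DAYS before REF (YYYY-MM-DD, default: today).
# Tries GNU date (Linux) first, then falls back to BSD date (macOS).
cooldown_cutoff() {
    days=$1
    ref=${2:-$(date -u +%Y-%m-%d)}
    if date -u -d "$ref -$days days" +%Y-%m-%d 2>/dev/null; then
        return 0
    fi
    date -u -j -f %Y-%m-%d -v-"${days}"d "$ref" +%Y-%m-%d
}

# Rewrite CONF atomically so pip never reads a half-written file.
write_pip_conf() {
    conf=$1
    cutoff=$2
    tmp="${conf}.tmp.$$"
    printf '[install]\nuploaded-prior-to = %s\n' "$cutoff" > "$tmp"
    mv "$tmp" "$conf"
}

# Read back the cutoff currently enforced by CONF (empty if none).
current_cutoff() {
    sed -n 's/^uploaded-prior-to *= *//p' "$1" 2>/dev/null
}

# Entry point for cron, e.g. daily at 03:00 with a 7-day cooldown:
#   0 3 * * * /usr/local/bin/pip-cooldown.sh 7 /etc/pip.conf
main() {
    days=${1:-7}
    conf=${2:-/etc/pip.conf}
    write_pip_conf "$conf" "$(cooldown_cutoff "$days")"
}

# Only run main when executed as the installed script, not when sourced.
case "${0##*/}" in
    pip-cooldown.sh) main "$@" ;;
esac
```

Packages uploaded after the written date are then refused by every `pip install` that reads that pip.conf, which is the gating the relative-duration request would make native.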

Incident-Driven Focus On Dependency Cooldowns

  • A supply chain attack affecting LiteLLM prompted renewed focus on dependency cooldowns.

Watchlist

  • Relative duration support for pip’s --uploaded-prior-to has been requested but is not yet implemented.

Unknowns

  • What was the concrete blast radius of the LiteLLM supply chain attack (downstream packages/users affected, duration, indicators of compromise)?
  • How effective are dependency cooldowns in practice at catching malicious updates before wide adoption (false negatives/positives, typical detection time)?
  • What are the specific defaults and configuration ergonomics for minimum dependency age across the listed package managers?
  • How are exemptions governed in practice (criteria for “trusted/preapproved,” auditability, and how exemptions are distributed across teams)?
  • How do cooldowns interact with urgent security patching and reliability fixes that teams may need to ship quickly?

Investor overlay

Read-throughs

  • Broader adoption of minimum dependency age controls suggests rising baseline demand for software supply chain risk tooling and policy management, especially features covering cooldowns, exemptions, and auditability across multiple language ecosystems.
  • Pip lacking relative duration gating implies operational overhead and room for tooling and automation to manage absolute-date workflows, indicating near-term pain points for teams standardizing dependency cooldown policies.
  • Incident-driven attention to dependency cooldowns implies security incidents can accelerate adoption of risk-reducing dependency policies, potentially increasing spending on secure development tooling and governance processes.

What would confirm

  • Pip adds native relative duration support for --uploaded-prior-to, or publishes a roadmap and timeline, reducing reliance on scheduled automation workarounds.
  • Major package managers document defaults and ergonomics for minimum dependency age and provide managed exemption workflows, with clear audit trails and team distribution controls.
  • Public postmortems quantify detection time and effectiveness of cooldowns, showing meaningful reduction in adoption of malicious updates before widespread impact.

What would kill

  • Evidence emerges that cooldowns have low practical effectiveness, with frequent false positives, high bypass rates via exemptions, or minimal reduction in compromise impact.
  • Ecosystems de-emphasize or roll back minimum dependency age controls due to developer friction, breaking changes, or urgent patching needs outweighing security benefits.
  • Pip and other tools do not close usability gaps, leaving fragile automation as the norm and limiting real-world adoption of cooldown policies.

Sources

  1. 2026-03-24 simonwillison.net