Package Managers Need to Cool Down(simonwillison.net)
18 points by abdelhousni 14 hours ago | 2 comments
- Hackbraten 7 hours ago
The issue I have with dependency cooldowns is that if everyone uses it, it loses its effect unless we use that additional time to actually look at the thing we want to pull. You can’t delegate your due diligence indefinitely to other people, often unpaid.
What we need is:
- more eyeballs (squishy or virtual)
- more pressure on ecosystems such as NPM so they do a little more vetting themselves (the article mentions `npmPreapprovedPackages`, which is a good start)
- help upstream projects set up their CI pipelines so they use narrower scopes for their tokens and use established practices for publishing
- call out opaque blobs in upstream project sources and help them fix it
- call out unnecessary drift in upstream tagged VCS vs. released source tarballs and help upstream projects get rid of those
- way better tools to safely inspect diffs of artifacts. If everyone spot checked just a little, it would go a long way.
- vivzkestrel 12 hours ago
- ha ha you also need to cool down simon willison
- how do ya write so many top tier articles so quickly?