I kept seeing every npm/pnpm/yarn/bun/uv supply chain post end with the same advice (set a minimum release age, turn off install scripts), and while I know cooldowns are "controversial", they do work. But even if you convince people that they should set coold…
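As an added example (not code from the original post, and not any package manager's implementation), here is what a "minimum release age" resolver actually does with the metadata a registry returns. It reads the `time` map from an npm packument, drops every version published less than the cooldown ago, and installs the newest of what is left. The packument and the package name `left-pad-ish` are constructed for this example, and the cutoff date is a fixed `now` so it runs offline.

```javascript
// Added example: a minimal release-age cooldown over npm packument metadata.
// A plain install takes dist-tags.latest; the cooldown resolver instead takes
// the newest version that has been public for at least COOLDOWN_DAYS, so a
// version pushed an hour ago from a compromised maintainer account is skipped
// until it has had time to be noticed and yanked.

const COOLDOWN_DAYS = 7;

// Constructed packument fragment (shaped like the registry's `time` map);
// "left-pad-ish" is a made-up package name for the example.
const packument = {
  name: "left-pad-ish",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T11:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-02-01T00:00:00.000Z",
    "2.0.0": "2024-03-01T00:00:00.000Z",
    "2.0.1": "2024-03-10T11:00:00.000Z", // hypothetical "pushed an hour ago" release
  },
};

// Parse a plain x.y.z version; prereleases and non-version keys return null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version published at least cooldownDays before `now`, or null if
// nothing is old enough. The created/modified keys in `time` are skipped.
function resolveWithCooldown(pkg, cooldownDays, now) {
  const cutoff = now.getTime() - cooldownDays * 86400000;
  const eligible = Object.entries(pkg.time)
    .filter(([v]) => parseVersion(v) !== null)
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Same rule applied to an exact pin from a lockfile or manifest:
// is this version old enough to install right now? Unknown versions fail closed.
function isOldEnough(pkg, version, cooldownDays, now) {
  const published = pkg.time[version];
  if (!published) return false;
  return now.getTime() - Date.parse(published) >= cooldownDays * 86400000;
}

const now = new Date("2024-03-10T12:00:00.000Z"); // fixed clock for the example
console.log("plain install picks:", packument["dist-tags"].latest);          // 2.0.1
console.log("cooldown install picks:", resolveWithCooldown(packument, COOLDOWN_DAYS, now)); // 2.0.0
console.log("is 2.0.1 old enough?", isOldEnough(packument, "2.0.1", COOLDOWN_DAYS, now));  // false
```

The point the example makes concrete is that a cooldown is not "never install new versions"; `2.0.1` becomes installable on its own once it is a week old. The trade-off is that a genuine security fix also waits the same week, which is why the setting is argued about, and why `isOldEnough` fails closed on versions the registry has no timestamp for rather than guessing.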