# Dependency Cooldowns

> **TL;DR.** A dependency cooldown is an intentional delay between when a package version is published and when your project is allowed to install it.

- **Category:** Developer Tools / Security / Supply Chain
- **Stage:** established
- **Age:** 194 days
- **Origin date:** 2025-11-21
- **First detected:** 2026-04-15
- **Canonical URL:** https://earlyterms.com/term/dependency-cooldowns
- **Sources:** 8 primary URLs

## Definition

A dependency cooldown is an intentional delay between when a package version is published and when your project is allowed to install it. The idea: let the wider ecosystem absorb the first hours of risk so compromised releases can be detected and yanked before they reach your build.

The practice crystallized after William Woodruff's [November 2025 post](https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns) showed that 8 of 10 recent supply-chain attacks had exploitation windows under a week. npm shipped `min-release-age` in v11.10.0; pnpm added `minimumReleaseAge`; Yarn added `npmMinimalAgeGate`; GitHub Dependabot rolled out native cooldown support in July 2025.

## Example

After the September 2025 axios/chalk/debug npm compromises, Datadog Security Labs recommended a 12-hour minimum cooldown, arguing that even that window would have blocked the Axios worm. Packages like [cooldowns.dev](https://cooldowns.dev/) now ship a single script that configures min-age across pip, uv, npm, pnpm, Yarn, Bun, Deno, and Cargo at once.
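What a cooldown resolver actually does, as an added example that is not code from the page, cooldowns.dev, or any package manager named above: it measures each version's age from that version's own publish timestamp (the `time` map an npm registry packument exposes) and installs the newest version older than the cooldown, holding back anything newer. The packument, its version numbers and the 12-hour window (the Datadog figure from the text) are constructed sample data.

```javascript
// Added example: pick the newest version that has been public for at least
// cooldownHours. Not the page's code; the packument below is a constructed
// sample shaped like the `time` field of an npm registry packument.

const COOLDOWN_HOURS = 12; // the minimum recommended in the text

// Constructed sample: version -> ISO publish time, plus the registry's
// non-version keys ("created"/"modified") that a resolver must skip.
const samplePackument = {
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2025-09-08T21:05:00.000Z',
    '1.3.0': '2025-06-01T10:00:00.000Z',
    '1.4.0': '2025-09-08T20:00:00.000Z',
    '1.4.1': '2025-09-08T21:05:00.000Z',
  },
};

// Compare dotted numeric versions (no pre-release handling; enough here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns { version, heldBack }: `version` is the newest release whose age,
// measured from its OWN publish time (not the package-level "modified" stamp,
// which a fresh malicious release would bump), is >= cooldownHours;
// `heldBack` lists newer versions still inside the window. `version` is null
// when no release is old enough, which callers should treat as a hard failure.
function resolveWithCooldown(packument, cooldownHours, now = new Date()) {
  const cutoff = now.getTime() - cooldownHours * 3600 * 1000;
  const versions = Object.keys(packument.time)
    .filter((k) => /^\d+\.\d+\.\d+$/.test(k)) // drop created/modified
    .sort(compareVersions);
  const isCool = (v) => Date.parse(packument.time[v]) <= cutoff;
  const eligible = versions.filter(isCool);
  const heldBack = versions.filter((v) => !isCool(v));
  return { version: eligible.length ? eligible[eligible.length - 1] : null, heldBack };
}

// Evaluate the sample six hours after 1.4.1 was published: 1.4.x is held back.
const result = resolveWithCooldown(samplePackument, COOLDOWN_HOURS, new Date('2025-09-09T03:05:00.000Z'));
console.log(result); // { version: '1.3.0', heldBack: [ '1.4.0', '1.4.1' ] }
```

Run again with a `now` more than 12 hours past the last publish and 1.4.1 becomes eligible, which is the whole point: the delay changes only when a version is installable, not what it contains.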

## Analogy

Like letting food cool on the counter before eating — not to change what's inside, but to catch what shouldn't have been in there to begin with.

## Why it's emerging now

William Woodruff's November 2025 advocacy piece hit 489 points on HN; by April 2026 npm (v11.10.0), pnpm, Yarn, and Dependabot all ship native cooldown settings. Cal Paterson's April 15 rebuttal hit 186 points on HN the same week, splitting the community into pro-cooldown and pro-upload-queue camps.

## Related terms

- *parent:* supply chain security
- *child:* min-release-age
- *competitor:* upload queue
- *related:* lockfiles
- *child:* Dependabot cooldown
- *child:* pnpm minimumReleaseAge
- *related:* SBOM
- *related:* npm audit
- *related:* StepSecurity
- *related:* webhook-secrets

## Sources

1. [ENOSUCHBLOG — We should all be using dependency cooldowns](https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns)
2. [Cal Paterson — Dependency cooldowns turn you into a free-rider](https://calpaterson.com/deps.html)
3. [Datadog Security Labs — The case for dependency cooldowns in a post-axios world](https://securitylabs.datadoghq.com/articles/dependency-cooldowns/)
4. [StepSecurity — Introducing the NPM Package Cooldown Check](https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check)
5. [cooldowns.dev — configuration recipes](https://cooldowns.dev/)
6. [Hacker News discussion (yossarian post, 489 points)](https://news.ycombinator.com/item?id=46005111)
7. [Hacker News discussion (Paterson rebuttal, 186 points)](https://news.ycombinator.com/item?id=47773812)
8. [pnpm Supply Chain Security documentation](https://pnpm.io/supply-chain-security)

---
_Generated by EarlyTerms · https://earlyterms.com/term/dependency-cooldowns_
