frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Dependabot version updates introduce default package cooldown

https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/
45•woodruffw•1h ago

Comments

insanitybit•1h ago
What a state of things where we have to fear installing software, and rely on vendors to scan things ahead of time, because our supply chain is such a mess and our tooling is so incapable of (and uninterested in) protecting us.
sunaookami•1h ago
No way to prevent this says only package manager where this regularly happens.
Insimwytim•57m ago
You cannot call it a supply chain, if you have zero contractual relationships with the authors of the solutions you are using.

[1] https://news.ycombinator.com/item?id=44434355

cryo32•55m ago
Oh that one really makes you think doesn’t it.
stingraycharles•43m ago
I mean, that’s just arguing over whether or not the definition of “supply” implies “compensation”, which isn’t very interesting imho.

The grandparent’s point remains the same, the software ecosystem and its supply chain or however you want to call it is a hot mess.

xgulfie•35m ago
Traditionally the term "supply chain" has implied a buyer/seller relationship
madeofpalk•45m ago
What would a solution to this look like?

What would it take to not fear installing software? This isn't a npm problem, its a computing problem in general. Spaces like this are generally pretty against any sort of restrictions or limitations being put on computers under the name of safety (see Manifest v3)

jchw•41m ago
Manifest v3's actual motive was so shamelessly transparent that most of us just don't allow the "safety" argument for it to really be entertained. I don't have a suspension of disbelief rich enough to pretend I don't know.
dwoldrich•24m ago
For libraries, I like the Gnu Affero Public License[1]. If you run the library in software with that license, you have to publish all the source of the entire project that incorporates it.

No corporation could tolerate this, though, so the library vendor can negotiate a commercial license of their software for appropriate fees.

That said, corporations are not going to want to negotiate fees with 100's of vendors over constantly fluctuating dependencies in their software.

This is why the next big language/software ecosystem needs to integrate payments to vendors in their repository system. That way, commercial license management can occur between the ecosystem owners and the corporate customers and all the vendors get paid their fair share.

Similar to Amazon's Dynamo API, whatever the next big language/ecosystem is needs to be designed around _billing_ and automatic license management for # of deployments, seats, call volumes, etc.

[1] https://web.archive.org/web/20260712154038/https://www.gnu.o...

ashu1461•45m ago
This makes me think whether npm (and other registries) should apply security requirements based on ecosystem impact. Example a package having millions of downloads can have special security measures enforced.
madeofpalk•44m ago
What would be a security measure that should only be selectively enforced?
toomuchtodo•42m ago
Higher cost (“Mythos” vs static code analysis) vulnerability scanning prior to successful merge to main branch or deployment as an artifact. As risk increases (popular code->greater exposure potential), increase automated, programmatic scrutiny on subject code to lower residual risk.

(application security and vulnerability management is a component of my work in financial services)

bstsb•42m ago
> The default applies only to version updates. Security updates still open immediately, so critical fixes are never delayed.

does this require a real vulnerability report, or CVE? if the package is compromised would they just be able to push a false "critical update" that bypasses this wait?

cadamsdotcom•35m ago
"We don't call 'em 0days any more, now we call 'em 3days"
throwatdem12311•19m ago
More like 3-per-day amirite
zihotki•34m ago
If everyone starts applying cooldowns, won't it postpone the problem? So now there is a considerable amount of users who are affected and someone from the affected group discovers the infection and reports it.

But if everyone will be delaying updates, won't be there less chances to catch it in time? I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

oakesm9•33m ago
I think the idea is that it gives a bit of time for the companies which run automated scans of new versions to run through and detect any issues with new versions before users install them en-mass.
roblabla•32m ago
The goal is to give time for automated scanners ran by cybersecurity companies to flag malware before it gets installed on real users.
MeetingsBrowser•25m ago
Only a few of the recent supply chain attacks were discovered by users noticing weird behavior.

The majority were noticed by maintainers or third party groups noticing things like releases not tied to a source tag, many rapid releases, etc.

Cooldowns won’t stop everything, but it makes a malicious release significantly more likely to be noticed

stusmall•21m ago
>If everyone starts applying cooldowns, won't it postpone the problem?

There are still research firms who are actively and aggressively scanning new packages once they are pushed. For example socket.dev pulls new packages across ecosystems and performs automated analysis and runs it in a sandbox. We don't have to have them go boom in someone's production repos to find out there is a problem.

Waterluvian•27m ago
I really hate dependabot making generic security people at work so pushy about updates updates updates. They seem to just be dogmatic about whatever dependabot says, forcing churn even when the documented issues are clearly not relevant. I’m not sure how to handle it politically. I’m convinced that updating so much more often is worse, not better.
bluejellybean•23m ago
I'm in a similar camp, I dislike how often third-party package updates get pushed out, especially given the lack of serious inspection.

The reality is that each update is its own potential security issue and with supply chain attacks being all too frequent, it's not a panacea.

cesarb•12m ago
> The reality is that each update is its own potential security issue

Even beyond security issues: each update is a new opportunity for breakage, not only from bugs in the third-party package, but also from unexpected dependencies on the third-party package's behavior.

bunderbunder•6m ago
I’ve mainly handled it by pushing my team to be extremely conservative about what dependencies we take, especially if they pull in scads and scads of transitive dependencies.

This elegantly mitigates three problems in one go: update churn, dependency hell, and supply chain attack surface.

It also, frankly, tends to make the code easier to understand. I’m not a huge NIH person but I do have to say that a lot of packages these days tend to encourage ways of doing things that are unnecessarily complex. More than once I’ve replaced a dependency with homegrown code and reduced LOC in the same commit.

noosphr•10m ago
Watching language package managers reinvent everything distribution package managers have been doing since the 90s has been as fun as watching crypto people reinvent financial regulation.
woodruffw•6m ago
The publishing topology is pretty fundamentally different: the entire power (and danger) of language package managers is that anybody can publish, not just a privileged few.

(This cuts both ways: I’d say that distribution package managers have learned valuable lessons about what users actually want from language package managers. Learning is a good thing.)

kibwen•5m ago
This comparison is tiresome. Distro package managers are curated, language package managers are not. They're serving completely different use cases; the former is the App Store, the latter is the web.
noosphr•2m ago
Give it two years.
ronbenton•20m ago
Easy, then you just delay your project’s dependency updates just a little more than everyone else
woodruffw•10m ago
> But if everyone will be delaying updates, won't be there less chances to catch it in time?

No: the security assumption behind cooldowns rests on security scanning parties, not on innocent users being victimized. Three days is a short cooldown, but it should be a good enough lead for scanning parties.

> I'm not fully sure if it's possible to preventively scan all NPM packages or how much compute it would require.

It’s not that much data, particularly for parties that are directly financially incentivized to be the first to report malware.

Bonsai 27B: A 27B-Class model that runs on a phone

https://prismml.com/news/bonsai-27b
340•xenova•5h ago•122 comments

Dependabot version updates introduce default package cooldown

https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-coo...
45•woodruffw•1h ago•31 comments

Financing the AI boom: from cash flows to debt [pdf]

https://www.bis.org/publ/bisbull120.pdf
33•1vuio0pswjnm7•1h ago•2 comments

The Tower Keeps Rising

https://lucumr.pocoo.org/2026/7/13/the-tower-keeps-rising/
296•cdrnsf•6h ago•150 comments

Cursor 0day: When Full Disclosure Becomes the Only Protection Left

https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
187•Synthetic7346•5h ago•75 comments

How I use HTMX with Go

https://www.alexedwards.net/blog/how-i-use-htmx-with-go
66•gnabgib•3h ago•10 comments

Your 'app' could have been a webpage (so I fixed it for you)

https://danq.me/2026/07/09/your-app-could-have-been-a-webpage/
669•MrVandemar•3d ago•419 comments

The largest available Minecraft world, totalling 15 TB

https://2b2t.place/1million
132•_____k•3d ago•39 comments

How to stop Claude from saying load-bearing

https://jola.dev/posts/how-to-stop-claude-from-saying-load-bearing
399•shintoist•11h ago•456 comments

Guardian Angels: LLM Personalization for Productivity and Security

https://gwern.net/guardian-angel
46•andsoitis•10h ago•3 comments

The Estranged Worlds of J. G. Ballard

https://lareviewofbooks.org/article/jg-ballard-illuminated-man-christopher-priest-nina-allan/
21•Caiero•1d ago•4 comments

Microsoft deleted my account and OneDrive

https://twitter.com/JoshuaKhane/status/2076918699248803977
78•HelloUsername•1h ago•28 comments

Mathematical texts from a Maya site in Guatemala identify an ancient astronomer

https://www.nature.com/articles/d41586-026-02170-8
5•homarp•11h ago•0 comments

I'm a USB-C Maximalist

https://shkspr.mobi/blog/2026/07/im-a-usb-c-maximalist/
122•speckx•7h ago•218 comments

The zero-cost fallacy: open-source software in the agentic era

https://www.thoughtworks.com/insights/blog/open-source/zero-cost-fallacy-open-source-agentic-era
90•backlit4034•4d ago•70 comments

The Second Life of Sanskrit

https://openthemagazine.com/india/the-second-life-of-sanskrit
41•bookofjoe•3d ago•28 comments

Human Canaries: Remembering the Munitionettes

https://www.historytoday.com/archive/great-debates/human-canaries-remembering-munitionettes
9•Thevet•23h ago•0 comments

Kontigo (YC S24) Is Hiring (Head of Security)

https://www.ycombinator.com/companies/kontigo/jobs/uNttrlv-head-of-security
1•jecastillof•6h ago

QR-Swastika-Avoider

https://crates.io/crates/qr-swastika-avoider
3•gregsadetsky•24m ago•1 comments

Banter

https://homosabiens.substack.com/p/banter
11•surprisetalk•4d ago•1 comments

Are we offloading too much of our thinking to AI?

https://www.artfish.ai/p/offloading-thinking-to-ai
345•yenniejun111•7h ago•345 comments

Show HN: Opening lines of famous literary works

https://www.verbaprima.com/
136•plicerin•7h ago•78 comments

Launch HN: Agnost AI (YC S26) – Extract user feedback from agent conversations

https://agnost.ai
37•laalshaitaan•7h ago•23 comments

Accretive Editing

https://justindfuller.com/programming/accretive-editing
13•iamjfu•4d ago•4 comments

Measuring Input Latency on Linux: X11 vs. Wayland, VRR, and DXVK

https://marco-nett.de/blog/measuring-input-latency-on-linux-x11-vs-wayland-vrr-dxvk/
333•hoechst•6h ago•209 comments

LeMario: Training a JEPA World Model on Super Mario Bros

https://www.benjamin-bai.com/projects/lemario
3•kevinjosethomas•40m ago•0 comments

Show HN: Juggler – an open-source GUI coding agent, by the creator of JUCE

https://github.com/juggler-ai/juggler
155•julesrms•2d ago•77 comments

StubHub, CEO hit with ‘deceptive practices’ class action over mass scalping

https://www.cbc.ca/news/world/stubhub-ceo-class-action-scalping-9.7268987
81•b112•3h ago•42 comments

Demis Hassabis has a plan to harness AI safely

https://twitter.com/demishassabis/status/2076957440109625718
130•asiergoni•13h ago•171 comments

Punch yourself in the face with reality

https://adi.bio/reality
200•AdityaAnand1•11h ago•96 comments