Comment by bot403

25 days ago

I fail to see how this isn't a simple cooldown with more steps. It doesn't seem to add anything to the security posture of the package/update.

Nobody can expose themselves during the danger period.

Dev enforces cooldown on users, not users deciding they want to be safer. Dev has extra step of ensuring they check their accounts every ~23hr indefinitely.

The simple cooldown scenario sees potentially thousands of downloads of a malicious package. The 24 hour developer delay scenario sees zero downloads during the same period.