Comment by compel2160
24 days ago
I don't think anyone is saying cooldowns are the only thing you need - just that it's a 30sec change that should harden your code.
Also, most malicious versions seem to be detected by tools scanning new packages. People updating without cooldowns probably aren't manually inspecting diffs. Giving tools more time to detect things seems pretty obviously good to me. Add to that maintainers reporting they've been pwned, and the floor for sneaking malicious code is much higher.
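The cooldown the comment describes, as an added example that is not part of the comment or any package manager's own code: a small filter over an npm registry document ("packument"), whose real `time` map records the publish timestamp of each version, that resolves to the newest version that has been public for at least N days. The package name, versions and timestamps below are constructed for illustration.

```python
"""Dependency-cooldown filter over npm packument metadata (added example).

An npm packument's ``time`` map records when each version was published,
alongside the ``created`` and ``modified`` bookkeeping keys. A cooldown
policy ignores any version younger than a threshold, so scanners and
maintainer reports have time to surface a compromised release before it
is ever installed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample resembling an npm packument; not real registry data.
SAMPLE_PACKUMENT = {
    "name": "example-lib",  # hypothetical package name
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T12:00:00.000Z",
        "1.4.2": "2024-01-15T09:00:00.000Z",
        "2.0.0": "2024-02-20T10:30:00.000Z",
        "2.1.0": "2024-03-10T12:00:00.000Z",
    },
}

BOOKKEEPING_KEYS = ("created", "modified")


def parse_publish_time(ts: str) -> datetime:
    # Registry timestamps are ISO-8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    # Minimal semver ordering on (major, minor, patch); prerelease tags ignored.
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def all_versions(packument: dict) -> list:
    """Every published version, oldest to newest by semver."""
    versions = [v for v in packument["time"] if v not in BOOKKEEPING_KEYS]
    return sorted(versions, key=version_key)


def eligible_versions(packument: dict, cooldown: timedelta, now: datetime) -> list:
    """Versions published at least `cooldown` before `now`, sorted ascending."""
    cutoff = now - cooldown
    return [
        v for v in all_versions(packument)
        if parse_publish_time(packument["time"][v]) <= cutoff
    ]


def pick_with_cooldown(packument: dict, cooldown_days: int, now: datetime):
    """Newest version that has passed the cooldown, or None if none has."""
    ok = eligible_versions(packument, timedelta(days=cooldown_days), now)
    return ok[-1] if ok else None


def blocked_versions(packument: dict, cooldown_days: int, now: datetime) -> list:
    """Versions the cooldown is holding back (newer than the chosen one)."""
    chosen = pick_with_cooldown(packument, cooldown_days, now)
    if chosen is None:
        return all_versions(packument)
    return [v for v in all_versions(packument)
            if version_key(v) > version_key(chosen)]


if __name__ == "__main__":
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)
    for days in (0, 7, 60):
        print(f"cooldown={days}d resolve={pick_with_cooldown(SAMPLE_PACKUMENT, days, now)} "
              f"held back={blocked_versions(SAMPLE_PACKUMENT, days, now)}")
```

With a zero-day cooldown the filter behaves like a plain `latest` resolution; with seven days it holds back the two-day-old 2.1.0 and resolves to 2.0.0 instead, which is the window in which a freshly published malicious version would be caught by scanners or a maintainer's report.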