---
title: "💭 Package Managers Need to Cool Down"
description: "!https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/"
date: 2026-03-31
published: true
tags:
  - dev
  - thought
template: link
---


<div class="embed-card embed-card-external">
  <a href="https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/" class="embed-card-link" target="_blank" rel="noopener noreferrer">
    <div class="embed-card-content">
      <div class="embed-card-title">Package Managers Need to Cool Down</div>
      <div class="embed-card-description">Today&#39;s LiteLLM supply chain attack inspired me to revisit the idea of dependency cooldowns, the practice of only installing updated dependencies once they&#39;ve been out in the wild for a …</div>
      <div class="embed-card-meta">Simon Willison’s Weblog &middot; simonwillison.net</div>
    </div>
  </a>
</div>


2026: finding the balance between fixed bugs and zero-days. There is very unlikely ever a reason you **need** to be running bleeding-edge packages in prod, and most package managers now support cooldowns.
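
What a cooldown actually does is simple: resolve to the newest version that has been public for at least N days, and hold back anything younger. The script below is an added example (not code from the linked post or from any package manager) that implements that rule over registry publish timestamps. The `REGISTRY_TIME` data is constructed to mimic the shape of the npm registry's per-package `time` map (version string to ISO 8601 publish time); the package, versions, dates and the `NOW` value are invented, and `resolve_with_cooldown` is a hypothetical helper name.

```python
"""Dependency cooldown resolution over registry publish timestamps.

Added example; not the code of any real package manager. The registry
metadata below is constructed (hypothetical package, invented dates) and
follows the shape of the npm registry "time" map: version -> publish time.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed metadata for a hypothetical package. Not real publish dates.
REGISTRY_TIME = {
    "created": "2025-06-01T00:00:00.000Z",
    "modified": "2026-03-24T02:00:00.000Z",
    "1.4.2": "2026-01-10T12:00:00.000Z",
    "1.5.0": "2026-03-01T09:30:00.000Z",
    "1.5.1": "2026-03-23T18:45:00.000Z",   # the "published yesterday" release
    "1.6.0-beta.1": "2026-03-24T02:00:00.000Z",
}

# Constructed "today" for the example (assumed, so the result is deterministic).
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def version_key(version):
    """Sort key for a semver string, or None if the string is not semver.

    A prerelease sorts below the release with the same numbers, so
    1.6.0-beta.1 < 1.6.0 but 1.6.0-beta.1 > 1.5.1.
    """
    m = _SEMVER.match(version)
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return (nums, 0 if pre else 1, pre or "")


def parse_ts(ts):
    """Parse an ISO 8601 timestamp (registry style, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def resolve_with_cooldown(time_map, now, cooldown_days, include_prerelease=False):
    """Pick the newest version published at least `cooldown_days` before `now`.

    Returns (chosen, held_back): `chosen` is the selected version string, or
    None if nothing is old enough yet; `held_back` lists the releases that
    were skipped only because they are still inside the cooldown window.
    Prereleases are ignored unless include_prerelease is set.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible, held_back = [], []
    for version, published in time_map.items():
        key = version_key(version)
        if key is None:            # skips "created"/"modified" and non-semver keys
            continue
        if key[1] == 0 and not include_prerelease:
            continue
        if parse_ts(published) <= cutoff:
            eligible.append((key, version))
        else:
            held_back.append(version)
    chosen = max(eligible)[1] if eligible else None
    return chosen, sorted(held_back, key=version_key)


if __name__ == "__main__":
    for days in (0, 7, 30):
        chosen, held = resolve_with_cooldown(REGISTRY_TIME, NOW, days)
        print(f"cooldown={days:>2}d -> install {chosen}, held back {held}")
```

With a 7-day cooldown the resolver installs 1.5.0 and holds back 1.5.1, which is exactly the behaviour you want on the day a compromised release lands: the bad version is visible to the ecosystem for a week before your build will ever pick it up. Note the failure mode at the long end: with a 90-day window this package has no eligible version at all, so a real resolver has to decide whether that is an error or a fall-back to the last pinned version rather than silently installing nothing.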

!!! note

    This post is a <a href="/thoughts/" class="wikilink" data-title="Thoughts" data-description="These are generally my thoughts on a web page or some sort of url, except a rare few don&#39;t have a link. These are dual published off of my..." data-date="2024-04-01">thought</a>. It's a short note that I make
    about someone else's content online <a href="/tags/thoughts/" class="hashtag-tag" data-tag="thoughts" data-count=2 data-reading-time=3 data-reading-time-text="3 minutes">#thoughts</a>
