HeadlinesBriefing.com

Why Dependency Cooldowns Turn Developers Into Free Riders

Hacker News

Dependency cooldowns—waiting a set number of days before adopting a new package version—have surged as a supply‑chain defense. The trick is to let early adopters act as unpaid beta testers, hoping that anyone who gets hacked will expose the flaw before the cooldown period ends.

However, the practice burdens all other developers. Python alone hosts around eight package managers, each needing to implement a cooldown. Even a simple "pip install" outside a project can bypass the delay, exposing developers to risk and making the approach fragile.
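To make the mechanism concrete, here is an added illustration that is not code from the article or from any package manager: a minimal cooldown filter over release metadata shaped like PyPI's JSON API `releases` field. The package data, timestamps and "current time" are constructed, and version strings are assumed to be plain dotted numbers rather than full PEP 440.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of PyPI's JSON API "releases" field:
# version -> list of uploaded files, each with an upload timestamp.
RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2024-05-01T10:00:00.000000Z"}],
    "1.4.1": [{"upload_time_iso_8601": "2024-05-20T09:30:00.000000Z"}],
    # A release whose wheel was added a day after its sdist.
    "1.5.0": [{"upload_time_iso_8601": "2024-06-02T18:45:00.000000Z"},
              {"upload_time_iso_8601": "2024-06-03T08:00:00.000000Z"}],
}
# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)


def _version_key(version):
    # Assumption: plain dotted numeric versions (no pre/post-release tags).
    return tuple(int(part) for part in version.split("."))


def _latest_upload(files):
    """Newest upload time among a release's files.

    A release counts as cooled only when every file in it is old enough:
    a file added late to an existing version would otherwise slip through."""
    return max(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def newest_version(releases):
    """What a cooldown-unaware resolver (e.g. a bare install) picks."""
    return max(releases, key=_version_key)


def cooled_version(releases, min_age_days, now):
    """Highest version whose files are all at least min_age_days old.

    Returns None when every release is still inside the cooldown window."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [v for v, files in releases.items() if _latest_upload(files) <= cutoff]
    return max(eligible, key=_version_key) if eligible else None


if __name__ == "__main__":
    print("no cooldown:", newest_version(RELEASES))
    print("2-day cooldown:", cooled_version(RELEASES, 2, NOW))
```

With the sample data a two-day window still excludes 1.5.0 because its second file is only two days old, which is exactly the gap a bare install outside the project's policy would walk through.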

A better alternative, the author argues, is an upload queue at the central repository. Packages would sit for a few days after publication, allowing automated linters, security scanners, and maintainers to review changes before public distribution. The Debian project already uses this model, separating publication from distribution to curb surprise releases.

Adopting a queue eliminates free‑rider issues, limits what a compromised publishing credential can accomplish on its own, and gives users advance notice of new releases—protecting both developers and end users from stealthy supply‑chain attacks.