Safeguard
SBOM

Software Dependency Cooldown Policies

A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.

Aman Khan
AppSec Engineer
7 min read

On March 29, 2024, Andres Freund, a Microsoft engineer debugging slow SSH logins, discovered that xz-utils versions 5.6.0 and 5.6.1 contained a backdoor planted by a maintainer who had spent over two years building trust in the project. The malicious versions had been public for 34 and 20 days, respectively, and were already flowing into Debian, Fedora, and Arch Linux testing branches before anyone noticed. If those distributions had simply waited a week or two before promoting a new xz-utils release into their pipelines, the backdoor would likely have been caught by the community first. This is the exact failure mode that a dependency cooldown policy is designed to prevent: a mandatory delay between when a package version is published and when it becomes eligible for use, giving the ecosystem time to detect problems before your build ever touches them. Sonatype, CVE feeds, and package registries have all moved toward this idea in the past two years. Here is what a cooldown policy actually does, why it matters, and how to run one well.

What Is a Dependency Cooldown Policy?

A dependency cooldown policy is a rule that blocks newly published package versions from entering your build or deployment pipeline until a defined waiting period has passed, typically somewhere between 24 hours and 14 days. During that window, the package sits in a "pending" state: it's visible in the registry, but your dependency manager, artifact proxy, or firewall refuses to resolve it. The logic is statistical rather than technical — most malicious or broken packages are identified and pulled within hours to a few days of publication, because that's when download volume spikes and security researchers, automated scanners, and angry users start noticing anomalies. The ua-parser-js compromise in October 2021, for example, was flagged and removed within about four hours because it dropped a cryptominer and password stealer that triggered antivirus alerts almost immediately. A short cooldown window would have blocked that version from ever reaching production systems that update on a schedule rather than instantly.

Why Did Cooldown Policies Suddenly Become a Mainstream Conversation?

Cooldown policies moved from a niche practice to a standard recommendation because malicious package volume crossed a threshold that made "trust on publish" untenable. Sonatype's 2023 State of the Software Supply Chain report found 245,032 malicious packages across open-source registries that year alone, more than the combined total of the previous four years. By the 2024 edition, that count had climbed past 512,000, with npm remaining the primary target. Layer on top of that a string of high-profile incidents — the node-ipc "protestware" that shipped self-destructing disk-wiping code to Russian and Belarusian IP addresses in March 2022, the colors.js and faker.js sabotage by their own maintainer in January 2022, and the September 2025 npm phishing campaign that compromised widely used packages including debug and chalk (combined weekly downloads in the billions) through a self-propagating worm dubbed Shai-Hulud — and the math on "download the latest version immediately" stopped making sense. Security teams needed a control that didn't depend on catching every threat themselves.

How Long Should a Cooldown Window Actually Be?

Most effective cooldown policies land between 3 and 7 days for general-purpose dependencies, with critical infrastructure packages sometimes held for 14 days or longer. This range comes from looking at detection timelines across real incidents: ua-parser-js was pulled in hours, event-stream's injected flatmap-stream backdoor in 2018 took roughly two months to discover, and the xz-utils backdoor took over a month. A 7-day window catches the fast-moving, loud incidents (cryptominers, obvious data exfiltration, protestware) that make up the bulk of malicious package volume, while a shorter 24-48 hour window is sometimes used for teams that want faster patch cycles for legitimate CVE fixes and are willing to accept more residual risk. The tradeoff is real: too short a window and you miss slow-burn attacks like xz-utils; too long a window and you delay adoption of genuine security patches, which creates its own exposure. Most mature programs use a tiered approach — a 24-hour cooldown for patch-level version bumps that fix known CVEs, and a longer 7-to-14-day window for minor and major version bumps from lower-reputation maintainers.

How Does Sonatype's Approach to Cooldowns Compare?

Sonatype implements cooldown-style protection primarily through its Repository Firewall product, which quarantines new component versions until they pass through Sonatype's own malicious-package detection pipeline before release into a proxy repository. This is a reactive-detection model: Sonatype's own research and scanning determine when a package is "safe," and your build waits on that judgment rather than on a policy you configure and control directly. That works well if you trust Sonatype's detection coverage completely and don't need visibility into why a specific version is held, but it ties your release cadence to a third party's black-box pipeline and is scoped mainly to their component intelligence data set. Teams building their own SBOM-driven governance often want the cooldown to be a first-class, auditable policy — configurable per package, per ecosystem, and per risk tier — with a visible SBOM entry showing exactly when a version was published, when it cleared cooldown, and what evidence (or lack of alerts) justified release. That's a materially different posture: policy-as-code you own, versus a vendor's opaque gate.

What Goes Wrong When Teams Get This Policy Wrong?

The two most common failure modes are cooldowns with no exceptions process and cooldowns that aren't enforced at the SBOM level. A blanket 7-day delay with no fast-track for critical CVE patches means a team discovers a fix for an actively exploited vulnerability — say, a fix shipped the same week as a CVE with a CVSS score of 9.8 — and is stuck waiting out the same window as a routine minor release, leaving production exposed longer than the cooldown itself was meant to prevent. On the other end, teams that set a cooldown policy in their CI configuration but don't enforce it against their generated SBOMs end up with drift: a developer runs npm install locally, pulls in a version three hours old, and it ships in a container image that never gets checked against the policy at all. Sonatype and most competing tools enforce cooldown at the proxy or firewall layer, which misses artifacts built outside that specific pipeline — vendored dependencies, monorepo tooling, or third-party CI runners. Without SBOM-level verification as the enforcement backstop, the cooldown policy is only as strong as the one chokepoint it's wired into.

How Safeguard Helps

Safeguard treats cooldown enforcement as a policy that travels with your SBOM, not a rule bolted onto a single proxy or firewall. When a new dependency version is introduced anywhere in your pipeline — a proxy pull, a local install that gets committed, a vendored update — Safeguard checks its publish timestamp against your configured cooldown window (with tiered rules, so a 24-hour window for CVE patches and a 7-to-14-day window for everything else can run side by side) and flags any version still inside that window before it lands in a build artifact. Every SBOM Safeguard generates includes the resolution evidence: publish date, cooldown status, and whether the version cleared review, so audits and incident response don't require reconstructing a timeline after the fact. Because enforcement happens at the SBOM layer rather than only at a registry proxy, Safeguard catches the drift cases that break firewall-only approaches — vendored code, monorepo tooling, and CI runners outside the primary pipeline are all checked against the same policy. And because the policy is configurable rather than dependent on a vendor's internal detection pipeline, security teams can tune cooldown windows per ecosystem, per risk tier, and per package reputation signal, with a documented exceptions path for urgent CVE fixes that need to move faster than the default window allows. The result is a cooldown policy your team actually controls, with the audit trail to prove it worked.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.