On supplychain attacks and dependency cooldowns

After the recent npm attacks there have been many recommendations to leverage dependency cooldown as an additional mitigating factor. Dependency cooldown works by instructing the package manager to ignore releases that are younger than a certain threshold.

The reasoning is that a vulnerable package will eventually be detected (and removed) in less time than the threshold, therefore preventing the attack.

This, combined with dependency pinning (including transitive dependencies!), is a very powerful tool, but introduces an issue for anyone using internal dependencies. For those the cooldown will have the undesired side-effect of blocking internal dependency updates which might contain urgent fixes. I haven't checked all package managers, but I did check some of the most popular languages.

Also, cooldown is not supported everywhere and sometimes is supported with noteworthy exceptions.

Nodejs

Use or switch to pnpm and use a combination of minimumReleaseAge and minimumReleaseAgeExclude, such as this one: 
minimumReleaseAge=30240
minimumReleaseAgeExclude[]=@my-internal-scope/*

Java, Python & probably everything else

Neither maven or pip provide a cooldown setting, so the only alternative is to use (transitive) dependency pinning. Version ranges must be disallowed too.

Generally speaking I find hard dependency pinning is a fundamental architecture choice anyways (for reproducible builds, for example).

Renovate cooldown can be achieved by applying different matchCurrentAge setting to each package group.

Dependabot provides a cooldown option but it's critical to note that the option only applies to non-security updates, so it might not be as effective as one images and even might lead to a false sense of security. And when that is in place, people might run dangerous commands they would avoid instead.

Yocto

Yocto does not provide a way to set dependency cooldown, but defaults to pinned versions and does not automatically bump versions. Update of versions is a manual process and because of this the need for dependency cooldown is effectively removed.

Popular posts

Opengrep quickstart

Since I could not find a quickstart to run opengrep with the full set of rules from their fork I thought I'd document what I found out. Setup Download the opengrep binary from github and make it executable with chmod +x . Clone the rules repo: git clone git@github.com:opengrep/opengrep-rules.git and clean it up to make it usable to opengrep: cd opengrep-rules rm -rf ".git",".github",".pre-commit-config.yaml", "elixir", "apex" find . -type f -not -iname "*.yaml" -delete rm -rf .github rm -rf .pre-commit-config.yaml Ensure opengrep can load the rules with: opengrep_manylinux_x86 validate . The same can be done for custom rules maintained in a separate repository. AFAIU Multiple repositories can be specified by repeating -f option as needed, see below. We are now ready to scan a repo, from the repo root directory run: opengrep_manylinux_x86 scan \   -f <path_to>/opengrep-rules \   --error \   --exclude-rule=VAL some ti...
Read more

Mirth: recover space when mirthdb grows out of control

I was recently asked to recover a mirth instance whose embedded database had grown to fill all available space so this is just a note-to-self kind of post. Btw: the recovery, depending on db size and disk speed, is going to take long. The problem A 1.8 Mirth Connect instance was started, then forgotten (well neglected, actually). The user also forgot to setup pruning so the messages filled the embedded Derby database until it grew to fill all the available space on the disk. The SO is linux. The solution First of all: free some disk space so that the database can be started in embedded mode from the cli. You can also copy the whole mirth install to another server if you cannot free space. Depending on db size you will need a corresponding amount of space: in my case a 5GB db required around 2GB to start, process logs and then store the temp files during shrinking. Then open a shell as the user that mirth runs as (you're not running it as root, are you?) and cd in...
Read more

On the Thoughtworks Technology Radar 33 - Nov 2025

Thoughtworks just published volume 33 of their Technology Radar . I found some interesting gems in it that I thought were worthwhile re-sharing: LiteLLM : I've been playing around with it to share AWS Bedrock models over a local, OpenAI-compatible API and I am impressed with the breadth of features (for example budgeting). The AI ecosystem is vibrant and flourishing. Continuous Compliance : so happy to see this mentioned! Personally I would expand the term to include other compliance tools like Vanta and I am convinced that this kind of automation and software will be essential for organizations to scale while meeting increasing regulatory demands. AGENTS.md : as someone who reads Simon's Willison blog, this is no surprise and a welcome confirmation (another file to watch out for:  CLAUDE.md ). Oxide : I wrote this post almost exclusively to mention Oxide 😅, a company I admire. Whenever people ask me about my cloud exit strategy, my answer is: Oxide. Here's why .
Read more