If everyone avoids using packages released within the last 7 days, malicious code is more likely to remain dormant for 7 days.
That's why people are telling others to use 7 days but using 8 days themselves :)
Worth noting this attack was caught because people noticed anomalous network traffic to a new endpoint. The 7-day delay doesn't just give scanners time, it gives the community time to notice weird behavior from early adopters who didn't have the delay set.
It's herd immunity, not personal protection. You benefit from the people who DO install immediately and raise the alarm.
I suspect most packages will keep a mix of people at 7 days and those with no limit. That being said, adding jitter to these features by default would be good.
They’re usually picked up by scanners by then.
Most people won’t.
7 days gives ample time for security scanning, too.
This highly depends on the detection mechanism.
> If everyone avoids using packages released within the last 7 days
Which will never even come close to happening, unless npm decides to make it the default, which they won't.
What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.