The problem is making it a default (or even popular). If everyone tries to move themselves later in the chain, you just moved detection later in the chain as well.
Yes. But also infection with a malicious package. I don't want anybody to be hacked and also don't want everybody to be hacked at the same time. If I am managing multiple software components with different levels of reliability requirements I certainly would stagger updates and updates to dependencies using "dependency cooldowns". I don't fault anybody for using them. As it stands I am very conservative with dependencies/updates in general and not using "dependency cooldowns" yet.
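The staggered cooldown the commenter describes, as an added example that is not part of the thread: each reliability tier waits a different number of days before a release becomes eligible, so a malicious version is picked up (if at all) by the least critical tier first. The package, its release dates and the tier lengths are all constructed here.

```python
from datetime import datetime, timedelta, timezone

# Constructed release history for a hypothetical package (not a real one):
# version -> publish time, as a package index would report it.
RELEASES = {
    "1.4.0": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "1.4.1": datetime(2024, 5, 20, tzinfo=timezone.utc),
    "1.5.0": datetime(2024, 6, 3, tzinfo=timezone.utc),  # only 2 days old at NOW
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)

# Assumed reliability tiers: the more critical the component, the longer it
# waits before adopting a new release.
COOLDOWN_DAYS = {"experimental": 0, "standard": 7, "critical": 21}


def parse_version(v):
    """Turn '1.4.1' into (1, 4, 1) so versions sort numerically."""
    return tuple(int(part) for part in v.split("."))


def eligible_versions(releases, now, cooldown_days):
    """Versions published at least `cooldown_days` before `now`, newest first."""
    cutoff = now - timedelta(days=cooldown_days)
    cooled = [v for v, published in releases.items() if published <= cutoff]
    return sorted(cooled, key=parse_version, reverse=True)


def select_version(releases, now, cooldown_days):
    """Newest version that has survived the cooldown, or None if none has."""
    candidates = eligible_versions(releases, now, cooldown_days)
    return candidates[0] if candidates else None


def staggered_plan(releases, now, tiers=COOLDOWN_DAYS):
    """Per-tier pick: different tiers adopt the same release on different days,
    so a bad release is never rolled out to every component at once."""
    return {tier: select_version(releases, now, days) for tier, days in tiers.items()}


if __name__ == "__main__":
    for tier, version in staggered_plan(RELEASES, NOW).items():
        print(f"{tier:>12}: {version}")
```

With the constructed dates, the experimental tier already takes 1.5.0, the standard tier is still on 1.4.1, and the critical tier stays on 1.4.0 until 1.4.1 has aged 21 days.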