
gbear605 | today at 6:21 PM | 0 replies

As discussed elsewhere in this forum, these exploits are being found by security companies in the first few days after they're published; that's just already too late. For example, the auditor who made the very post that we're discussing! For another, many security-focused AI companies have automated checks on NPM packages. Many people are implementing it on their end by having their client wait seven days before pulling new packages, but that's O(N) rather than O(1), and it's not evenly spread.

If no one reviews it and it still gets out, then we can address it then, but that seems much less likely.

Ideally, the solution is that all of these language package managers need to get serious and have maintainers, but lacking that, at least having the waiting period be built into the server instead of the client is a clear win.
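The client-side version of the waiting period mentioned above, as an added example that is not part of the comment or of npm itself: a check that reads a `package-lock.json` and flags any resolved version that was published less than seven days ago, plus the cutoff date you would hand to npm's real `--before=<date>` option so resolution never picks anything newer. The package names, versions and publish timestamps are constructed; the registry metadata is assumed to have been fetched separately in the shape returned by `npm view <pkg> time --json`, and the clock is fixed so the output is reproducible.

```python
"""Flag lockfile dependencies younger than a minimum age (added example, not
from the HN thread). Registry metadata is assumed to be supplied as a dict in
the shape of `npm view <pkg> time --json`; all data below is constructed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3) fragment.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-widget": "^1.2.0", "color-thing": "^4.0.0"}},
    "node_modules/left-widget": {"version": "1.2.3",
      "resolved": "https://registry.example/left-widget/-/left-widget-1.2.3.tgz"},
    "node_modules/color-thing": {"version": "4.0.1",
      "resolved": "https://registry.example/color-thing/-/color-thing-4.0.1.tgz"}
  }
}
""")

# Constructed registry "time" metadata: version -> ISO 8601 publish timestamp.
REGISTRY_TIMES = {
    "left-widget": {"1.2.2": "2024-01-03T10:00:00.000Z",
                    "1.2.3": "2024-02-09T15:30:00.000Z"},
    "color-thing": {"4.0.0": "2023-11-20T08:00:00.000Z",
                    "4.0.1": "2024-01-15T12:00:00.000Z"},
}

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 2, 12, 12, 0, tzinfo=timezone.utc)


def parse_npm_time(ts: str) -> datetime:
    """npm emits a trailing 'Z'; normalise it so fromisoformat accepts it everywhere."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def lockfile_versions(lock: dict):
    """Yield (name, version) for every installed package in a v2/v3 lockfile.
    Nested entries look like node_modules/a/node_modules/b, so split on the
    last node_modules/ segment; scoped names (@org/pkg) survive intact."""
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" entry is the root project itself
        name = path.rsplit("node_modules/", 1)[1]
        yield name, entry["version"]


def too_young(lock: dict, times: dict, now: datetime = NOW, min_age_days: int = 7):
    """Return [(name, version, age_in_days)] for resolved versions published
    after the cutoff. A version with no known publish time is reported with
    age None so it is reviewed rather than silently trusted."""
    cutoff = now - timedelta(days=min_age_days)
    flagged = []
    for name, version in lockfile_versions(lock):
        published = times.get(name, {}).get(version)
        if published is None:
            flagged.append((name, version, None))
            continue
        pub = parse_npm_time(published)
        if pub > cutoff:
            flagged.append((name, version, (now - pub).days))
    return flagged


def before_date(now: datetime = NOW, min_age_days: int = 7) -> str:
    """Timestamp for `npm install --before=<date>`, which makes npm resolve only
    versions that existed on or before that instant."""
    return (now - timedelta(days=min_age_days)).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    for name, version, age in too_young(LOCKFILE, REGISTRY_TIMES):
        print(f"{name}@{version}: published {age} day(s) ago (< 7)")
    print(f"npm install --before={before_date()}")
```

Run as a pre-install or CI step: any flagged entry blocks the build until the version has aged out, and the printed `--before` date is the one to pass to `npm install` so the resolver itself stays behind the window. As the comment notes, every consumer has to run something like this independently; a registry-side delay would do it once for everyone.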