postalcoder 2 hours ago

Using dependency cooldowns is not a free-rider problem. There's a real tradeoff here – people are trading their time preference for security.

Just as users are incentivized to avoid malware, researchers and attackers are equally motivated to be the first to discover it.

The concern trolling around widespread dependency cooldowns doesn't make sense. Most people shouldn't be eager to download a release that hasn't made its way through at least some scans.