They should have added a 1-day age limit by default, so security scanners have some time.
I don't think it'd necessarily be a good decision; sometimes CVEs are actively exploited and need quick patching.
A better safety net would be to require active 2FA proof for every package update.
The maintainer of pnpm mentioned this on the PodRocket podcast recently. Based on recent npm exploits they decided (and based on a poll they did, most users agreed) to set it to 1 day by default in v11. You can always choose to change it if you desire.
LLMs are reducing n-day exploit time rapidly.
https://red.anthropic.com/2026/n-days/
So that is a poor band-aid to use now. Maybe instead validate things beforehand, and have more of a cathedral and human reputation system.