Unified Cross-Ecosystem Dependency Cooldown Config For Repos That Mix Node, Python, Cargo, Gem, and Bundler in One Project
After the Axios npm worm, the SAP 'Mini Shai-Hulud' campaign, and the litellm/telnyx PyPI compromise, individual package managers are racing to add release-cooldown features. The problem: pnpm calls it minimumReleaseAge, npm calls it npmMinimalAgeGate, uv uses --exclude-newer, pip 26.1 ships another name, Cargo and Bundler each have their own. Andrew Nesbitt counted at least ten different config names. Polyglot repos (ML + frontend, backend + agent runners) have to set the same '3-day delay' policy in five places, with no unified way to audit drift.
Don't try to be a security platform. Be a 30-line YAML at the repo root and a CLI that prints the diff between intent and reality across all five package managers. Make it boring and Unix-y. Distribute via Homebrew, Cargo, pipx, and npx all at once... eat your own dogfood.
Landscape (4 existing solutions)
Every individual package manager is solving its corner of the problem. None aggregates. A cross-ecosystem CLI/config (`cooldown.yml` at repo root) that translates one human policy into npm + pip + cargo + gem + bundler-shaped configs — and nags on drift — would be a small-but-painful tool that polyglot teams adopt instantly.
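The translate-then-diff loop sketched above, as an added example rather than code from the pitch or from any existing tool. It renders one `cooldown_days` intent into the two adapters whose config keys are well known (pnpm's `minimumReleaseAge`, expressed in minutes, and uv's `exclude-newer`, which takes an absolute date rather than a relative age) and then reports drift between that intent and what the repo's files currently say. The npm, pip, Cargo and Bundler adapters are deliberately left out because their exact key names are not given on this page; the `Policy`, `Drift`, `find_drift` and `format_report` names and the sample files are all constructed for this example.

```python
"""Added example (not the page's tool): one cooldown policy translated into
per-ecosystem config lines, plus a drift check of intent versus reality.

Adapters implemented here (only those whose keys are well known):
  - pnpm: `minimumReleaseAge` in pnpm-workspace.yaml, in minutes.
  - uv:   `exclude-newer` under [tool.uv] in pyproject.toml, an absolute date,
          so a relative "3 days" policy must be re-rendered against today's
          date (a caveat every translator has to handle).
Other ecosystems named on the page are omitted: their key names are not given there.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Policy:
    """The single human-readable intent a cooldown.yml would carry (constructed name)."""
    cooldown_days: int


def render_pnpm(policy: Policy) -> str:
    """pnpm-workspace.yaml line: minimumReleaseAge is measured in minutes."""
    return f"minimumReleaseAge: {policy.cooldown_days * MINUTES_PER_DAY}"


def render_uv(policy: Policy, today: date) -> str:
    """pyproject.toml line under [tool.uv]: exclude-newer is an absolute cutoff date."""
    cutoff = today - timedelta(days=policy.cooldown_days)
    return f'exclude-newer = "{cutoff.isoformat()}"'


# Read the *current* value back out of each config file (regex, no YAML/TOML deps).
_PNPM_RE = re.compile(r"^\s*minimumReleaseAge:\s*(\d+)\s*$", re.M)
_UV_RE = re.compile(r'^\s*exclude-newer\s*=\s*"([^"]+)"\s*$', re.M)


def current_pnpm_minutes(workspace_yaml: str) -> int | None:
    m = _PNPM_RE.search(workspace_yaml)
    return int(m.group(1)) if m else None


def current_uv_cutoff(pyproject_toml: str) -> str | None:
    m = _UV_RE.search(pyproject_toml)
    return m.group(1) if m else None


@dataclass(frozen=True)
class Drift:
    ecosystem: str
    expected: str
    actual: str | None  # None means the setting is absent from the file


def find_drift(policy: Policy, today: date,
               workspace_yaml: str, pyproject_toml: str) -> list[Drift]:
    """Compare intent (policy) with reality (what the config files say now)."""
    drifts: list[Drift] = []

    want_pnpm = str(policy.cooldown_days * MINUTES_PER_DAY)
    have_pnpm = current_pnpm_minutes(workspace_yaml)
    if have_pnpm is None or str(have_pnpm) != want_pnpm:
        drifts.append(Drift("pnpm", want_pnpm,
                            None if have_pnpm is None else str(have_pnpm)))

    want_uv = (today - timedelta(days=policy.cooldown_days)).isoformat()
    have_uv = current_uv_cutoff(pyproject_toml)
    if have_uv != want_uv:
        drifts.append(Drift("uv", want_uv, have_uv))
    return drifts


def format_report(drifts: list[Drift]) -> str:
    """Unix-y output: one line per drifted ecosystem, empty string when in sync."""
    return "\n".join(
        f"{d.ecosystem}: want {d.expected}, have {d.actual or '<unset>'}"
        for d in drifts
    )


# Constructed sample inputs: a pnpm workspace pinned to a 1-day cooldown and a
# pyproject.toml whose [tool.uv] table never set exclude-newer at all.
SAMPLE_WORKSPACE_YAML = """packages:
  - 'apps/*'
minimumReleaseAge: 1440
"""
SAMPLE_PYPROJECT_TOML = """[project]
name = "agent-runner"

[tool.uv]
# no exclude-newer here
"""

if __name__ == "__main__":
    policy = Policy(cooldown_days=3)
    today = date(2026, 3, 10)  # pinned so the output is reproducible
    print(render_pnpm(policy))
    print(render_uv(policy, today))
    print(format_report(find_drift(policy, today, SAMPLE_WORKSPACE_YAML,
                                   SAMPLE_PYPROJECT_TOML)))
```

The uv adapter is the instructive one: because `exclude-newer` is an absolute date, a config rendered once is correct only on the day it was written, and every day after that it silently over-blocks by one more day. A drift check run in CI catches that decay, which a one-time "set it in five places" script never would.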