Aren't we back to the drawing board once everyone uses this?
The point is to allow the automated scanners a chance to run.
Every security company and their cousin wants to be the one to find the next big dependency malware.
Yeah, all the new advice around using dependency cooldowns only works if _someone_ is installing these things before you and finding the vulnerabilities.
It seems like the advice right now is to become a freerider while there are still people installing closer to release that will do free work for you finding out there's something nasty in the release.
Once everyone is waiting 2 weeks to install an update, then the value of everyone waiting goes down dramatically.
Not really, there are a number of security companies doing analysis of any new packages looking for supply chain attacks, so if you wait a couple of days, till their analysis is complete, you're reducing the risk of hitting a compromised package.
It basically devolves into a Volunteer’s Dilemma. There’s no incentive here to be the guinea pig, so nobody will want to be.
I think the idea is that dedicated security firms and/or automated scanners will discover exploits in the cooldown period.
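The cooldown mechanism the thread is debating, as an added example that is not part of the original discussion: given release timestamps, pick the newest version that has been public for at least the cooldown window, and list the versions still inside it (the ones scanners are presumably still examining). The package name and release dates are constructed, not real registry data.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample metadata for a hypothetical package "examplepkg":
# version -> UTC upload time. Not taken from any real registry.
RELEASES: Dict[str, datetime] = {
    "1.4.0": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "1.4.1": datetime(2024, 5, 20, tzinfo=timezone.utc),
    "1.5.0": datetime(2024, 6, 3, tzinfo=timezone.utc),
    "1.5.1": datetime(2024, 6, 9, 12, tzinfo=timezone.utc),
}


def parse_version(v: str) -> tuple:
    """Turn '1.5.0' into (1, 5, 0) so versions sort numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def resolve_with_cooldown(releases: Dict[str, datetime], cooldown_days: int,
                          now: datetime) -> Optional[str]:
    """Return the newest version published at least `cooldown_days` before `now`.

    A release published exactly on the cutoff counts as eligible. Returns None
    when every release is still inside the cooldown window, i.e. there is
    nothing old enough to install yet.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [v for v, published in releases.items() if published <= cutoff]
    if not eligible:
        return None
    return max(eligible, key=parse_version)


def pending_releases(releases: Dict[str, datetime], cooldown_days: int,
                     now: datetime) -> List[str]:
    """Versions still inside the window: the ones a cooldown policy skips for now."""
    cutoff = now - timedelta(days=cooldown_days)
    return sorted((v for v, p in releases.items() if p > cutoff), key=parse_version)


if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)
    for days in (7, 14, 60):
        print(days, resolve_with_cooldown(RELEASES, days, now),
              pending_releases(RELEASES, days, now))
```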