@mcollina
mcollina / guide.md
Created April 30, 2026 09:41
Configuring minimum release age across npm, pnpm, and yarn

Setting a minimum release age (a "cooldown") on dependencies is a cheap, high-leverage defense against supply-chain attacks. Most malicious package versions are detected and yanked within hours, so a 24-hour delay filters out the smash-and-grab incidents (axios 1.14.1, ua-parser-js, Solana web3.js, etc.).

All three major Node.js package managers now support this, but each uses a different setting name and a different unit, so the same 24-hour policy has to be written three ways. Here is what you need.
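To make the mechanism concrete, here is what the package managers are doing when a cooldown is set: at resolution time they look at the registry's publish timestamps for each version and refuse anything younger than the configured age, so a freshly published (possibly malicious) version is simply not selected until the cooldown has elapsed. The script below is an added illustration, not code from this gist or from npm, pnpm or yarn. It takes an object shaped like the output of `npm view <pkg> time --json` (the `sampleTimes` data is constructed, not real registry data) and picks the newest stable version that is at least `minAgeHours` old. Assumptions: only plain `major.minor.patch` versions are considered (prerelease tags are ignored), and the `created`/`modified` keys that the registry includes in that object are skipped rather than mistaken for versions.

```javascript
// Constructed sample shaped like `npm view <pkg> time --json`.
// Timestamps are invented for illustration; "modified" mirrors the newest publish.
const sampleTimes = {
  created: "2024-01-10T00:00:00.000Z",
  modified: "2026-04-29T12:30:00.000Z",
  "1.13.0": "2025-11-02T10:00:00.000Z",
  "1.14.0": "2026-04-20T09:00:00.000Z",
  "2.0.0-beta.1": "2026-04-25T08:00:00.000Z", // prerelease: ignored by this resolver
  "1.14.1": "2026-04-29T12:30:00.000Z",        // "just published" a few hours ago
};

// Parse "major.minor.patch" into [major, minor, patch]; anything else returns null,
// which is how "created", "modified" and prerelease tags get filtered out.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of parsed versions (positive when a is newer than b).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the newest version published at least minAgeHours before `now`,
// plus the list of versions that the cooldown is holding back.
function resolveWithCooldown(times, minAgeHours, now = Date.now()) {
  const cutoff = now - minAgeHours * 60 * 60 * 1000;
  const eligible = [];
  const held = [];

  for (const [key, published] of Object.entries(times)) {
    const parsed = parseVersion(key);
    if (!parsed) continue; // skip created/modified and prerelease entries
    const ts = Date.parse(published);
    if (Number.isNaN(ts)) continue; // defensive: malformed timestamp, never select it
    (ts <= cutoff ? eligible : held).push({ version: key, parsed });
  }

  eligible.sort((a, b) => compareVersions(b.parsed, a.parsed)); // newest first
  held.sort((a, b) => compareVersions(a.parsed, b.parsed));

  return {
    selected: eligible.length > 0 ? eligible[0].version : null,
    held: held.map((h) => h.version),
  };
}

// Usage: resolve with a 24-hour cooldown as of a fixed "now" so the run is deterministic.
const asOf = Date.parse("2026-04-30T09:41:00.000Z");
const result = resolveWithCooldown(sampleTimes, 24, asOf);
console.log(`selected: ${result.selected}, held by cooldown: ${result.held.join(", ") || "none"}`);
```

With a 24-hour cooldown the resolver selects 1.14.0 and holds 1.14.1, the version that was published a few hours before resolution; with the cooldown set to 0 it would take 1.14.1 immediately. The same logic applied to a long cooldown (say 20 days) falls back further, to 1.13.0, which is the trade-off to keep in mind: a longer window buys more time for a malicious release to be reported and yanked, at the cost of delaying legitimate fixes.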

Minimum versions

Tool Setting Unit Introduced in