Use this as a baseline across all Macs to reduce exposure to fast-moving supply-chain attacks, where a malicious package version is published, installed by early updaters, then removed hours later.
The default policy I would use is:
- Personal/dev machines: 3 days.
- CI and production lockfile-refresh jobs: 3 to 7 days.
- Emergency security fixes: bypass deliberately, one package at a time, with a reviewed lockfile diff.
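The following is an added example, not code from the original page, showing how the policy above can be enforced as a check rather than a convention: every resolved version in a lockfile is compared against the registry's publish timestamp, versions younger than the minimum age are rejected, and emergency bypasses are explicit per-package, per-version approvals. It assumes the `time` object has the shape that `npm view <pkg> time --json` returns (version to ISO-8601 publish timestamp, plus the registry's `created`/`modified` keys); the package name `example-lib` and all timestamps are constructed sample data.

```python
"""Minimum-release-age gate for lockfile refreshes (added example, not from the page).

Assumption: `time_obj` looks like the output of `npm view <pkg> time --json`,
i.e. {"created": ..., "modified": ..., "<version>": "<ISO-8601>", ...}.
All package names and timestamps below are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed sample: what the registry's `time` object for a hypothetical
# package "example-lib" might look like. 1.3.1 was published hours ago,
# 1.3.0 less than two days ago; the older versions are well past any cutoff.
SAMPLE_TIME = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2024-06-01T09:30:00.000Z",
    "1.2.0": "2024-01-10T12:00:00.000Z",
    "1.2.1": "2024-03-15T08:00:00.000Z",
    "1.3.0": "2024-05-30T18:45:00.000Z",
    "1.3.1": "2024-06-01T09:30:00.000Z",
}
SAMPLE_REGISTRY = {"example-lib": SAMPLE_TIME}

# Fixed "now" so the example is deterministic and runs offline.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _parse_ts(ts):
    """Registry timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _semver_key(version):
    """Sort key for plain X.Y.Z versions; a pre-release sorts below its release."""
    core, _, pre = version.partition("-")
    return (tuple(int(p) for p in core.split(".")), pre == "", pre)


def version_times(time_obj):
    """Keep only version -> publish datetime, dropping 'created'/'modified'."""
    return {v: _parse_ts(ts) for v, ts in time_obj.items() if v[:1].isdigit()}


def age_days(time_obj, version, now):
    """Fractional days since `version` was published."""
    return (now - version_times(time_obj)[version]).total_seconds() / 86400


def newest_allowed(time_obj, min_age_days, now):
    """Highest version published at least `min_age_days` ago, or None."""
    old_enough = [v for v, t in version_times(time_obj).items()
                  if (now - t).total_seconds() >= min_age_days * 86400]
    return max(old_enough, key=_semver_key) if old_enough else None


def check_lockfile(entries, registry, min_age_days, now, bypass=frozenset()):
    """Gate a lockfile refresh.

    entries: [{"name": ..., "version": ...}] resolved from the lockfile.
    bypass:  set of (name, version) pairs approved individually after a
             reviewed lockfile diff (the "emergency fix" path in the policy).
    Returns (name, version, age_days, status) per entry, where status is
    'ok', 'too_new', or 'bypassed'.
    """
    report = []
    for entry in entries:
        name, version = entry["name"], entry["version"]
        age = age_days(registry[name], version, now)
        if age >= min_age_days:
            status = "ok"
        elif (name, version) in bypass:
            status = "bypassed"
        else:
            status = "too_new"
        report.append((name, version, round(age, 2), status))
    return report


def violations(report):
    """Entries that would fail the gate (bypassed ones are not violations)."""
    return [row for row in report if row[3] == "too_new"]


if __name__ == "__main__":
    lock = [{"name": "example-lib", "version": "1.3.1"}]
    for days in (3, 7):
        print(f"min age {days}d -> newest allowed:",
              newest_allowed(SAMPLE_TIME, days, NOW))
    print("strict:", check_lockfile(lock, SAMPLE_REGISTRY, 3, NOW))
    print("bypass:", check_lockfile(lock, SAMPLE_REGISTRY, 3, NOW,
                                    bypass={("example-lib", "1.3.1")}))
```

In a CI lockfile-refresh job the `bypass` set would be empty by default, so a freshly published version fails the gate and the job does not produce a lockfile diff containing it; an emergency fix adds exactly one `(name, version)` pair, which keeps the bypass visible in the same reviewed change as the lockfile update.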