[$] Dependency-cooldown discussions warm up
Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or into code deployed by users, where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling updates, in what is known as a "dependency cooldown". That tactic is starting to find favor with users and with some language-ecosystem package managers. While many consider this practice a reasonable response, others complain that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.
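To make the mechanism concrete, here is an added example of the cooldown rule itself, written for this page and not taken from LWN or from any package manager: given the per-version publish timestamps that an npm-style registry document carries in its "time" map, select the newest version that has already been public for at least the cooldown period and treat anything younger as still "cooling". The registry data, the package versions and the reference time are constructed inline so the script runs offline; the function names are this example's own.

```python
"""Dependency-cooldown resolver (added example; not LWN's code and not any
package manager's implementation).

Given npm-registry-style publish timestamps for one package, pick the newest
version that has been public for at least `cooldown_days`, ignoring anything
younger. A freshly compromised release therefore sits out the cooldown window,
during which it is likely to be noticed and pulled.
"""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the "time" map of a registry packument. Real
# packuments also carry "created"/"modified" keys; those are skipped below.
SAMPLE_TIMES = {
    "created": "2024-01-02T10:00:00.000Z",
    "modified": "2024-03-10T09:30:00.000Z",
    "1.4.0": "2024-01-02T10:00:00.000Z",
    "1.4.1": "2024-02-20T15:45:00.000Z",
    "1.5.0": "2024-03-08T08:00:00.000Z",   # published two days before SAMPLE_NOW
    "1.5.1": "2024-03-10T09:30:00.000Z",   # published today: not yet vetted by anyone
}

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple for ordering; other keys -> None."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_time(ts):
    """Registry timestamps are ISO 8601 with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_version(times, cooldown_days, now):
    """Return the newest version published at least `cooldown_days` before `now`,
    or None when nothing has aged enough yet (the caller should then keep the
    currently installed version rather than fall back to the newest release)."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = []
    for version, published in times.items():
        key = parse_version(version)
        if key is None:
            continue  # "created", "modified", and similar non-version keys
        if parse_time(published) <= cutoff:
            eligible.append((key, version))
    if not eligible:
        return None
    return max(eligible)[1]


def cooldown_report(times, cooldown_days, now):
    """Label every version 'eligible' or 'cooling' for a human-readable audit."""
    cutoff = now - timedelta(days=cooldown_days)
    report = {}
    for version, published in times.items():
        if parse_version(version) is None:
            continue
        report[version] = "eligible" if parse_time(published) <= cutoff else "cooling"
    return report


if __name__ == "__main__":
    for days in (0, 3, 7):
        print(f"cooldown={days}d -> {select_version(SAMPLE_TIMES, days, SAMPLE_NOW)}")
    print(cooldown_report(SAMPLE_TIMES, 3, SAMPLE_NOW))
```

With a three-day cooldown the resolver stops at 1.4.1 even though 1.5.0 and 1.5.1 exist; with no cooldown it takes 1.5.1 immediately, which is exactly the window the article's "others take the risk" complaint is about. Note that the rule keys on the registry's publish time, not on the version number, so a backported patch release published today is held back just like a new major version.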