4 min read
Saved February 14, 2026
Do you care about this?
The article argues that using dependency cooldowns can significantly reduce the risk of open source supply chain attacks. By waiting a set period after a dependency is published before using it, developers can avoid most threats while vendors monitor for issues. The author emphasizes that this approach is simple and free to implement.
If you do, here's more
Dependency cooldowns can significantly reduce the risk of open source supply chain attacks. The concept is straightforward: implement a waiting period between when a dependency is released and when it can be used. This allows time for security vendors to detect any issues before the code is integrated into projects. Tools like Dependabot and Renovate can facilitate this process, making it easy and cost-free for developers to adopt cooldowns.
Recent supply chain attacks demonstrate the effectiveness of cooldowns. In many of these incidents the window between publication of the malicious version and its detection or removal lasted less than a week; in the Ultralytics and web3.js attacks, for instance, the malicious versions were caught within hours. With a cooldown of seven to fourteen days in place, most of these attacks would never have reached end users. Cooldowns aren't foolproof, and some attackers will still evade detection for longer than the waiting period, but the author estimates they could reduce exposure by 80-90%.
The article argues that support for cooldowns should be integrated directly into packaging ecosystems, rather than relying solely on external tools. Current software development practices often blur the lines between first-party and third-party code, making it imperative to have built-in security measures. The author emphasizes that while cooldowns won't eliminate all risks, they represent a practical and effective strategy for enhancing supply chain security.
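The cooldown rule the summary describes, as an added example that is not part of the article and not code from Dependabot or Renovate: a small Python resolver over release metadata shaped like the PyPI JSON API's `releases` mapping (the package, its dates and the "compromised" 1.3.0 release are constructed). `select_version` picks the newest release that has been public for at least the cooldown, which is the decision a tool like Renovate makes when a minimum release age is configured; `cooldown_shields` checks, for a given attacker window, whether a cooldown of a given length would have kept the malicious version out of reach. Version ordering here is a simple dotted-integer comparison, an assumption made to keep the example dependency-free.

```python
"""Dependency cooldown resolver (added example, not from the article)."""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Optional


def _parse_iso(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp such as PyPI's upload_time_iso_8601 (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _parse_version(version: str) -> tuple[int, ...]:
    """Minimal dotted-integer version ordering (a real resolver would use PEP 440 rules)."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample in the shape of the PyPI JSON API's "releases" mapping
# (version -> list of uploaded files). Dates and the "compromised" release are hypothetical.
SAMPLE_RELEASES = {
    "1.2.0": [{"upload_time_iso_8601": "2025-01-01T10:00:00.000000Z", "yanked": False}],
    "1.2.1": [{"upload_time_iso_8601": "2025-01-20T10:00:00.000000Z", "yanked": False}],
    # Hypothetical: this release was pushed by an attacker with a stolen publishing token.
    "1.3.0": [{"upload_time_iso_8601": "2025-02-09T10:00:00.000000Z", "yanked": False}],
}


def select_version(releases: dict, now_iso: str, cooldown_days: int) -> Optional[str]:
    """Return the newest version that has been public for at least cooldown_days.

    A release's age is measured from its earliest uploaded file. Releases whose
    files are all yanked are skipped, since the index has already withdrawn them.
    Returns None when nothing has aged past the cooldown yet.
    """
    cutoff = _parse_iso(now_iso) - timedelta(days=cooldown_days)
    eligible = []
    for version, files in releases.items():
        if not files or all(f.get("yanked", False) for f in files):
            continue
        published = min(_parse_iso(f["upload_time_iso_8601"]) for f in files)
        if published <= cutoff:
            eligible.append(version)
    return max(eligible, key=_parse_version) if eligible else None


def cooldown_shields(published_iso: str, removed_iso: str, cooldown_days: int) -> bool:
    """True if a malicious release published at published_iso and removed at
    removed_iso would never have become eligible: the attacker's window was
    shorter than the cooldown, so no cooldown-respecting consumer picked it up.
    """
    window = _parse_iso(removed_iso) - _parse_iso(published_iso)
    return window < timedelta(days=cooldown_days)


if __name__ == "__main__":
    now = "2025-02-10T00:00:00Z"  # constructed "today": the day after 1.3.0 appeared
    print("no cooldown      ->", select_version(SAMPLE_RELEASES, now, 0))   # 1.3.0
    print("7-day cooldown   ->", select_version(SAMPLE_RELEASES, now, 7))   # 1.2.1
    # A malicious release caught six hours after publication never clears a 7-day cooldown.
    print("6h window, 7d cooldown shields:",
          cooldown_shields("2025-02-09T10:00:00Z", "2025-02-09T16:00:00Z", 7))
```

Running the resolver nightly against the live index (instead of the constructed `SAMPLE_RELEASES`) and pinning whatever it returns is the whole technique: the cooldown buys the security vendors and the index time to yank a bad release before any consumer following the rule ever resolves to it.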