> Caveat - if you need to patch a new critical CVE, you need to bypass the cooldown, by now, yo...

doctorpangloss • today at 4:26 PM • 1 reply • view on HN

> Caveat - if you need to patch a new critical CVE, you need to bypass the cooldown,

by now, you should have received the feedback about why cooldowns don't make sense and why nobody is adopting them. look, you are writing an expression of the reason why right there.

Replies

eranation • today at 4:48 PM

I don't agree that nobody is adopting them. Can you please elaborate?

- Most companies I know have a 24 hours (at least) cooldown via their Artifactory / Nexus. They have ways to bypass it for urgent CVEs

- pnpm just adopted 24 hours cooldown as default, based on community feedback.

➕ show 1 reply

alt Hacker News

Replies