Open source package with 1 million monthly downloads stole user credentials


bone_collector

Smack-Fu Master, in training
88
restricting packages to versions that have been available for 30 days or other reasonable bake time (unless there are critical security fixes) gives quite a bit of protection from watering hole attacks by letting others be the guinea pigs.

It would be lovely if package update tools supported this directly.
You know what’s really frustrating? When your package manager DOES support this feature, but the proxy service your org has put in front of the public package repository for “security” does not proxy package metadata, such as package upload dates, breaking this feature for everyone. Looking at you, Sonatype Nexus!
24 (24 / 0)
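As an added example (not code from the post, and not from any package manager or from Sonatype Nexus): a bake-time version selector over npm-style registry metadata, where the per-version publish dates live in the document's "time" map. It fails closed when that map is missing, which is the proxy failure mode the post describes, instead of silently letting any version through. The package name, versions and dates are constructed.

```python
"""Choose the newest package version that has had a minimum "bake time".

Constructed example: the metadata shape mimics an npm registry document,
whose "time" map records each version's publish date. If a proxy strips
that map, the selector raises rather than quietly disabling the check.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample metadata; not a real package.
SAMPLE_METADATA = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.1.0"},
    "versions": {"2.0.0": {}, "2.0.1": {}, "2.1.0": {}},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-01T00:00:00.000Z",
        "2.0.0": "2024-01-01T00:00:00.000Z",
        "2.0.1": "2024-02-01T00:00:00.000Z",
        "2.1.0": "2024-03-01T00:00:00.000Z",
    },
}


class MissingPublishDates(Exception):
    """The registry (or a proxy in front of it) returned no per-version dates."""


def select_baked_version(metadata, now, min_age_days=30, allowlist=()):
    """Return the newest version published at least min_age_days before now.

    allowlist: versions allowed to bypass the bake time (e.g. a reviewed
    critical security fix). Versions with no publish date are never
    eligible; if no version at all has a date, MissingPublishDates is raised.
    """
    times = metadata.get("time") or {}
    versions = list(metadata.get("versions", {}))
    dated = {v: times[v] for v in versions if v in times}
    if versions and not dated:
        raise MissingPublishDates(f"{metadata.get('name')}: no publish dates")
    cutoff = now - timedelta(days=min_age_days)
    eligible = []
    for v in versions:
        if v in allowlist:
            eligible.append(v)
        elif v in dated:
            published = datetime.fromisoformat(dated[v].replace("Z", "+00:00"))
            if published <= cutoff:
                eligible.append(v)
    if not eligible:
        return None
    # Numeric sort on dotted components; assumes plain x.y.z version strings.
    return max(eligible, key=lambda v: tuple(int(p) for p in v.split(".")))
```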