Implement dependency cooldowns in composer

[phront]

Is your feature request related to a problem? Please describe.
I have recently read blog post We should all be using dependency cooldowns, but not found the feature in composer. It would be nice to have dependency cooldown option in composer

Describe the solution you'd like
Dependency cooldowns are a free, easy, and incredibly effective way to mitigate the large majority of open source supply chain attacks. More individual projects should apply cooldowns (via tools like Dependabot and Renovate) to their dependencies, and packaging ecosystems should invest in first-class support for cooldowns directly in their package managers.

[freshleafmedia]

Related #12552

[Seldaek]

I have also read that post a few days ago and it is definitely more well written. It got me to think that maybe we can do something here, but we need to consider all options carefully.

Namely:

• if a package has a known vulnerability it should at least allow an update to latest version vs remaining stuck on an outdated version.
• we need a way to specify this delay in amount of hours/days IMO
• add minimum-release-age (following pnpm's naming) to config settings
• this filtering should not (and can technically not) apply to dev versions.
• should it be enabled by default with a low 6-12h value? It would make it have a greater impact in terms of security, but would also probably disturb a lot of existing workflows so it may not be worth it.

[8ctopus]

I agree with all your points, and would like to comment on this one:

should it be enabled by default with a low 6-12h value? It would make it have a greater impact in terms of security, but would also probably disturb a lot of existing workflows so it may not be worth it.

I would not do it in release 2.10 and based on the feedback, consider changing the default in a later version.

[TimWolla]

Some thoughts from my side regarding the possible concerns from that other issue, specifically:

what is a patch release fixes a regression that was introduced a few days before, you then risk updating to that broken version just because you are ignoring the latest.

What might make sense would be treating the “minimum-release-age” as the age of the oldest version that has been released more recently than the currently pinned version, but then always updating to the latest version (or a newer version with a shorter minimum-release-age). To give an example:

• My application is currently pinned to version 1.2.3 released 2025-11-01.
• Version 1.3.0 is released 2025-12-01.
• Version 1.3.1 fixing a bad regression is released 2025-12-03.
• I configure a minimum-release-age of 7.

On 2025-12-08 the “oldest newer version” (1.3.0) would be 7 days old. At this point there are newer versions that qualify for an update, but instead of updating to 1.3.0 and then 2 days later to 1.3.1, I would go straight to 1.3.1.

This would protect against packages that “suddenly” get an unexpected update after not receiving one for several months, but would still allow important updates to arrive smoothly. It would not protect against an attacker slipping in a bogus update shortly after a regular release, but the time window would be much shorter then: The update would need to be pushed shortly after the legit release to piggy-back on the legit release. And in that case, the library maintainers and the community are likely much more observant to unexpected updates (there was a proper announcement for 1.3.0, but not for 1.3.1, this looks odd).

[naderman]

If you look at any of the recent attacks on JS, it's not typically on packages that haven't had a release in a long time. It's often just another release on packages that have had recent releases. And while maybe the outcome in your above case makes sense, it does nothing to help the person that updated on 2025-12-02 to 1.3.0 and now doesn't get the update to 1.3.1 for another week, so I'm not sure that's really helping that much, just making things complicated to follow?

[crocodele]

Would be nice to also have some kind of "ignore list" or "bypass list", similar to the ignore options for the audit command, so that e.g. internal packages can be updated without cooldown.

{
  "cooldown": {
    // ...
    "bypass" : [
      {
        "package": "mynamespace/*",
        "reason": "These are our internal packages, we fully trust their code"
      }
    ]
  }
}

[crocodele]

I created a PR with an initial implementation. Feel free to comment on the PR.

[jsandeo]

I don't know if issues such as the recent ones with litellm (PyPI) and axios (npm) could occur in composer, but if they could, it would be very worthwhile to prioritize features like this. This won't be 100% foolproof, but it's still important to add layers of protection to mitigate risks.

[8ctopus]

@jsandeo If you look at the pull request, you will see that it has received positive feedback from the composer lead developer and it's progressing towards a merge. Hopefully it won't be long before we get it released.