“If you wait a week before adopting new dependency versions, you are free-riding on the people who didn’t.”

True and uncomfortable. The people getting paged at 3am by a broken release are paying the cost of the ecosystem you depend on. Nothing wrong with cooldowns, but pretending they are a security strategy is dishonest.