Dependency cooldowns are unfair; we should use phased rollouts instead
The article, published on illegalcode.net, critiques the common practice of dependency cooldowns—where package updates are delayed for a fixed period after release—as unfair to early adopters and inefficient. Instead, it proposes phased rollouts, where updates are gradually deployed to increasing percentages of users over time. This approach allows for early detection of issues without penalizing early adopters. The author outlines a specific implementation using a deterministic hash of the package version and user identifier to assign rollout groups, enabling controlled exposure. The post also discusses how this can be integrated into existing package managers like npm or pip, with minimal changes to infrastructure. The author argues that phased rollouts lead to more equitable risk distribution and faster feedback loops.
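The rollout-group assignment described above, as an added illustration (not code from the article or from any package manager): a version is released, a schedule says what fraction of users may install it after N days, and a deterministic SHA-256 of (package, version, user ID) places each user in a bucket so the same user gets the same answer on every run. The schedule, bucket count, package name and install IDs here are constructed for the example; the article does not specify them.

```python
import hashlib
from datetime import datetime, timezone

# Hypothetical schedule: (days since release, percent of users eligible).
# Percentages must be non-decreasing so no user flips back to ineligible.
ROLLOUT_SCHEDULE = [(0, 1), (1, 5), (3, 25), (7, 100)]
BUCKETS = 10_000  # 0.01% resolution


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers get timezone-aware timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def rollout_bucket(package: str, version: str, user_id: str) -> int:
    """Map (package, version, user) to a bucket in [0, BUCKETS).

    Including the version means each release gets a fresh, independent early
    cohort, so the same users are not the guinea pigs for every update.
    The user_id should be a stable random per-install identifier, not PII.
    """
    key = "\x00".join((package, version, user_id)).encode("utf-8")
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


def allowed_percent(released_at: datetime, now: datetime,
                    schedule=ROLLOUT_SCHEDULE) -> int:
    """Percent of users allowed to install a version at time `now`."""
    age_days = (now - released_at).total_seconds() / 86_400
    percent = 0  # not yet released (or released in the future) -> nobody
    for day, pct in schedule:
        if age_days >= day:
            percent = pct
    return percent


def is_eligible(package: str, version: str, user_id: str,
                released_at: datetime, now: datetime,
                schedule=ROLLOUT_SCHEDULE) -> bool:
    """True if this user is inside the currently open rollout fraction."""
    threshold = allowed_percent(released_at, now, schedule) * BUCKETS // 100
    return rollout_bucket(package, version, user_id) < threshold


def resolve(package: str, candidates, user_id: str, now: datetime,
            schedule=ROLLOUT_SCHEDULE):
    """Pick the newest version this user may install.

    candidates: iterable of (version, released_at). Older, fully rolled-out
    versions are always eligible, so a user outside the early cohort simply
    keeps the previous release rather than being blocked entirely.
    """
    ordered = sorted(candidates, key=lambda c: c[1], reverse=True)
    for version, released_at in ordered:
        if is_eligible(package, version, user_id, released_at, now, schedule):
            return version
    return None


def eligible_fraction(package: str, version: str, released_at: datetime,
                      now: datetime, n_users: int) -> float:
    """Sanity check: fraction of n_users synthetic installs that are eligible."""
    hits = sum(
        is_eligible(package, version, f"inst-{i}", released_at, now)
        for i in range(n_users)
    )
    return hits / n_users


if __name__ == "__main__":
    released = utc(2024, 1, 1)
    for day in (0, 1, 3, 7):
        now = utc(2024, 1, 1 + day)
        frac = eligible_fraction("examplepkg", "2.0.0", released, now, 10_000)
        print(f"day {day}: schedule says {allowed_percent(released, now)}%, "
              f"observed {frac:.1%}")
```

Two properties matter for the fairness argument: the hash is deterministic, so a user is never randomly re-rolled between installs, and the schedule is monotonic, so the eligible set only ever grows. Because this check runs in the client's resolver, it is a safety mechanism rather than an access control; a user who wants a version immediately can still request it explicitly, which is exactly the early-adopter behaviour the article wants to allow rather than punish.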
Phased rollouts could replace cooldowns, making package updates fairer and safer for all users.