Description
NuGet Product(s) Involved
Visual Studio Package Management UI and .NET CLI
The Elevator Pitch
Inspired by the blog post "We should all be using dependency cooldowns."
I think this would apply to any place in NuGet that has an update flow, so namely PM UI package update and the update CLI command.
Right now, NuGet update flows look for the latest version available on the package sources. Some package managers such as uv (Python) and pnpm (JavaScript) have a cooldown feature which means "don't update to a package until it is older than X".
pnpm implements this as minimumReleaseAge. uv also has exclude-newer, although that setting specifies an absolute cutoff date rather than a rolling cooldown.
We should consider this for NuGet, either as an opt-in or as a default change in update behavior. We could also consider implementing it in restore as a "strict mode" (don't download a package until it is at least X old), but this may be challenging to implement for protocol reasons.
From the blog post above, 7 days seems to be a sweet spot that would have prevented the impact of many of the recent incidents.
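To make the two policies concrete, here is an added example (not code from NuGet or from this issue) of the selection rule an update flow would apply: given the candidate versions and their publish timestamps, pick the newest version that is at least X old (rolling cooldown, as in pnpm's minimumReleaseAge) or that was published before an absolute cutoff (as in uv's exclude-newer). The sample feed is constructed; the `version` and `published` field names mirror what a NuGet registration leaf carries, but treat that mapping and the stable-only version ordering as assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class PackageVersion:
    version: str
    published: datetime  # timezone-aware, UTC


def parse_version(v: str) -> tuple:
    # Stable "major.minor.patch" ordering only; prerelease labels and build
    # metadata are out of scope for this example (assumption).
    return tuple(int(part) for part in v.split("."))


def from_registration(entries: Iterable[dict]) -> list:
    # Assumed shape of the feed data: {"version": "1.2.3", "published": ISO-8601}.
    return [
        PackageVersion(e["version"], datetime.fromisoformat(e["published"]))
        for e in entries
    ]


def is_eligible(pv: PackageVersion, now: datetime,
                cooldown: Optional[timedelta] = None,
                exclude_newer: Optional[datetime] = None) -> bool:
    # Rolling cooldown: the version must have been public for at least `cooldown`.
    if cooldown is not None and now - pv.published < cooldown:
        return False
    # Absolute cutoff: anything published after `exclude_newer` is ignored.
    if exclude_newer is not None and pv.published > exclude_newer:
        return False
    return True


def select_update(candidates: Iterable[PackageVersion], now: datetime,
                  cooldown: Optional[timedelta] = None,
                  exclude_newer: Optional[datetime] = None) -> Optional[PackageVersion]:
    """Newest version that passes the policy, or None so the caller keeps the
    currently installed version instead of falling back to a too-fresh release."""
    eligible = [c for c in candidates if is_eligible(c, now, cooldown, exclude_newer)]
    if not eligible:
        return None
    return max(eligible, key=lambda c: parse_version(c.version))


# Constructed sample feed for a hypothetical package; dates chosen so that the
# two newest releases fall inside a 7-day window relative to NOW.
SAMPLE_REGISTRATION = [
    {"version": "1.0.0", "published": "2025-01-10T09:00:00+00:00"},
    {"version": "1.1.0", "published": "2025-10-01T12:30:00+00:00"},
    {"version": "1.1.1", "published": "2025-11-17T08:15:00+00:00"},
    {"version": "1.2.0", "published": "2025-11-19T22:45:00+00:00"},
]
FEED = from_registration(SAMPLE_REGISTRATION)
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)
SEVEN_DAYS = timedelta(days=7)
ONE_YEAR = timedelta(days=365)
CUTOFF = datetime(2025, 6, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    for label, kwargs in [
        ("no policy", {}),
        ("7-day cooldown", {"cooldown": SEVEN_DAYS}),
        ("absolute cutoff 2025-06-01", {"exclude_newer": CUTOFF}),
        ("1-year cooldown (nothing eligible)", {"cooldown": ONE_YEAR}),
    ]:
        chosen = select_update(FEED, NOW, **kwargs)
        print(f"{label}: {chosen.version if chosen else 'keep current version'}")
```

With no policy the flow picks 1.2.0, published a day ago; with a 7-day cooldown it skips both 1.1.1 and 1.2.0 and settles on 1.1.0. Returning None when nothing is eligible is deliberate: the safe default when every release is too fresh is to keep what is already installed rather than relax the window.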
Alternatively, or additionally, we could document how to configure various pipeline tools like Dependabot (docs) to work for NuGet.
Additional Context and Details
No response