The idea that 7 days is overkill is crazy to me. Unless you need a specific new feature, you should usually be fine with a dependency version that was released months ago when starting a new project. Ditto for doing regular dep upgrades.
The only issue I see is responding to vulnerabilities, where you want to upgrade immediately. But I think in that case it's fine to require the developer to be explicit in the new version they want.
I agree, but in most recent cases a 1-day cooldown would have been enough.
I added a “how to bypass if you have to patch a zero-day CVE” section to depsguard for all supported package managers.
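The policy the thread is arguing about (a minimum release age for any dependency version, with a bypass only when the developer names the exact version by hand), written out as an added example. This is not code from the thread, from depsguard, or from any package manager; the package names, release dates, lockfile contents and helper names are constructed for illustration.

```python
"""Hypothetical minimum-release-age ("cooldown") check over a lockfile.

Added example, not part of the discussion above and not depsguard's code.
A locked version is accepted only once it has been public for at least
`min_age`, unless the developer has explicitly named that exact
(package, version) pair in an override set, which is the "patch a CVE now"
escape hatch. Unknown publish dates fail closed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Violation:
    name: str
    version: str
    age: timedelta  # how long the version has been public at check time


def check_cooldown(locked, release_dates, now, min_age, explicit_overrides=frozenset()):
    """Return the locked versions that are younger than `min_age`.

    locked:            {package: version} as read from a lockfile
    release_dates:     {(package, version): publish timestamp} from the registry
    explicit_overrides: {(package, version)} the developer wrote down by hand;
                       only an exact pair bypasses the cooldown, a bare package
                       name does not.
    """
    violations = []
    for name, version in sorted(locked.items()):
        published = release_dates.get((name, version))
        if published is None:
            # No publish date known: treat as brand new rather than waving it through.
            violations.append(Violation(name, version, timedelta(0)))
            continue
        age = now - published
        if age < min_age and (name, version) not in explicit_overrides:
            violations.append(Violation(name, version, age))
    return violations


# Constructed sample data (hypothetical packages and dates, not real registry output).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
LOCKED = {
    "example-utils": "1.3.0",  # published months ago
    "acme-http": "2.0.1",      # published 2 days ago
    "acme-auth": "4.2.0",      # published 12 hours ago (the "CVE fix" case)
    "orphan-pkg": "0.0.1",     # registry has no publish date for it
}
RELEASES = {
    ("example-utils", "1.3.0"): datetime(2024, 3, 1, tzinfo=timezone.utc),
    ("acme-http", "2.0.1"): datetime(2024, 6, 8, tzinfo=timezone.utc),
    ("acme-auth", "4.2.0"): datetime(2024, 6, 9, 12, tzinfo=timezone.utc),
}


def violations_at(min_days, overrides=()):
    """Convenience wrapper: (name, version) pairs flagged under an N-day cooldown."""
    found = check_cooldown(LOCKED, RELEASES, NOW, timedelta(days=min_days), frozenset(overrides))
    return [(v.name, v.version) for v in found]


if __name__ == "__main__":
    for days in (7, 1):
        print(f"{days}-day cooldown:", violations_at(days))
    # Explicitly pinning the exact patched version is what lifts the block.
    print("7-day cooldown with acme-auth@4.2.0 named explicitly:",
          violations_at(7, overrides=[("acme-auth", "4.2.0")]))
```

Running it shows the difference the two replies are weighing: a 7-day window flags both recent versions, a 1-day window flags only the 12-hour-old one, and in either case the fresh version gets through only when the exact pair is listed in the overrides, so a hurried "just allow acme-auth" without a version does nothing.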