But there is a second level of people reviewing packages on npm. They're the ones that report issues like the GitHub issue this HN thread is linked to, and they very frequently get malicious npm packages taken down within a day of publishing. The big issue is just that not everyone is using a cooldown to avoid packages less than a day old, and so people who install new packages at unlucky times don't get the benefit of that layer of review.
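The cooldown described in this comment, as an added example that is not part of the thread: resolve the newest version of a package whose publish timestamp in the registry metadata `time` map is older than a chosen window, instead of blindly taking `dist-tags.latest`. The packument below is constructed for illustration, not real registry data.

```javascript
// Constructed registry metadata (packument) for a hypothetical package.
// Real npm packuments carry a "time" map keyed by version plus
// "created"/"modified" entries, which is what this check relies on.
const samplePackument = {
  name: "example-lib", // constructed name
  "dist-tags": { latest: "1.3.0" },
  time: {
    created: "2024-05-01T10:00:00.000Z",
    modified: "2024-05-20T09:30:00.000Z",
    "1.0.0": "2024-05-01T10:00:00.000Z",
    "1.1.0": "2024-05-10T12:00:00.000Z",
    "1.2.0": "2024-05-19T08:00:00.000Z",
    "1.3.0": "2024-05-20T09:30:00.000Z",
  },
};

// Return the newest version published at least `cooldownHours` before `now`,
// or null if every version is still inside the cooldown window.
// `now` is injected so the decision is deterministic and testable.
function pickCooledVersion(packument, cooldownHours, now = new Date()) {
  const cutoff = now.getTime() - cooldownHours * 60 * 60 * 1000;
  const eligible = Object.entries(packument.time)
    // "created" and "modified" are bookkeeping keys, not versions.
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, published]) => [version, new Date(published).getTime()])
    .filter(([, ts]) => ts <= cutoff)
    // Sort by publish time so the newest eligible version is last.
    .sort((a, b) => a[1] - b[1]);
  return eligible.length === 0 ? null : eligible[eligible.length - 1][0];
}

// Show whether the tag an unguarded `npm install` would take is already
// past the cooldown, or whether the install should fall back to an older one.
function cooldownDecision(packument, cooldownHours, now = new Date()) {
  const latest = packument["dist-tags"].latest;
  const chosen = pickCooledVersion(packument, cooldownHours, now);
  return { latest, chosen, latestIsCooled: chosen === latest };
}
```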
I don't understand why you're confident that those GitHub issues won't just end up coming later if literally everyone adds this cooldown.
The security companies looking for and reporting the issues aren't going to use the cooldown too.
> they very frequently get malicious npm packages taken down within a day of publishing
If I'm reading the secondarily-linked blog post correctly, this was live for 12 days before discovery.