As if supply chain attacks could have been prevented by 2fa or passkeys always.

You want delays by x days because supply chain attacks get caught very often within 1-2 days. And if you really really want to make an exception for a zero day then that's no problem and you can still quick patch by exclusion of that rule. They don't contradict in an unsolvable problem. You want both, you get both.

How do you know what's a zero day fix?

(You write something)

So then you have to check every package's updates and decide if you update, yes?

Yes, you need to check security issues reported for packages and then take a decision. What is the alternative?
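The policy argued for above (hold new releases for N days, with an explicit per-package exception for a fix you have vetted) as an added Python example that is not part of this thread. It assumes registry metadata in the npm-registry shape, where `time` maps each version to its publish timestamp; the package names, versions and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the npm-registry metadata shape: "time" maps each
# published version to its publish timestamp. Names and dates are made up.
REGISTRY = {
    "left-util": {
        "versions": ["1.4.0", "1.4.1", "1.5.0"],
        "time": {
            "1.4.0": "2025-01-02T10:00:00Z",
            "1.4.1": "2025-01-20T09:30:00Z",
            "1.5.0": "2025-02-01T12:00:00Z",  # just published, still inside the hold
        },
    },
    "tls-shim": {
        "versions": ["2.0.0", "2.0.1"],
        "time": {
            "2.0.0": "2024-12-15T08:00:00Z",
            "2.0.1": "2025-02-01T15:00:00Z",  # hypothetical vetted zero-day fix
        },
    },
}


def _publish_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def pick_version(name, now, min_age_days=2, exceptions=frozenset()):
    """Newest version published at least min_age_days ago, unless
    (name, version) is on the explicit exception list, which is the
    'quick patch by exclusion of that rule' from the thread."""
    meta = REGISTRY[name]
    cutoff = now - timedelta(days=min_age_days)
    newest_first = sorted(meta["versions"],
                          key=lambda v: tuple(int(x) for x in v.split(".")),
                          reverse=True)
    for v in newest_first:
        if (name, v) in exceptions or _publish_time(meta["time"][v]) <= cutoff:
            return v
    return None  # nothing old enough yet: keep what is currently installed


def resolve_all(now, min_age_days=2, exceptions=frozenset()):
    return {n: pick_version(n, now, min_age_days, exceptions) for n in REGISTRY}


if __name__ == "__main__":
    now = datetime(2025, 2, 2, tzinfo=timezone.utc)
    print(resolve_all(now))  # both packages held at their older release
    print(resolve_all(now, exceptions={("tls-shim", "2.0.1")}))  # fix let through
```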
