What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.

that's why people are telling others to use 7 days but using 8 days themselves :)

I suspect most packages will keep a mix of people at 7 days and those with no limit. That being said, adding jitter by default would be good to these features.

They’re usually picked up by scanners by then.

> If everyone avoids using packages released within the last 7 days

Which will never even come close to happening, unless npm decides to make it the default, which they won't.

Most people won’t.

7 days gives ample time for security scanning, too.

This highly depends on the detection mechanism.