Devolutions Blog

Security
UniGetUI: Reduce supply chain risk with delayed updates

UniGetUI's new Minimum Age for Updates setting delays software updates by a configurable number of days, giving the community time to catch compromised packages before they reach your machines.

Supply chain attacks have moved from the occasional headline to something close to a weekly occurrence. “Update early, update often” has long been standard advice in software maintenance to ensure security vulnerabilities are patched quickly, but the flurry of recent supply chain attacks affecting popular libraries and security tools like Axios, TanStack, Trivy, and Bitwarden is calling this advice into question. The pattern is almost always the same: a malicious version of a trusted package ships, gets pulled into thousands of environments, and is caught and removed within hours or days. By then, the damage is done for whoever updated first.

That is why many are now advocating for dependency cooldowns: a fixed delay of a few days between a release and its adoption, long enough for a compromised version to be noticed and pulled from the registry before it is ever installed. Many package managers, such as pip, npm, and Cargo, now support cooldowns.

Bringing cooldowns to UniGetUI

We wanted to bring the same protection to desktop software, so UniGetUI now has a Minimum Age for Updates setting. When an update is available, UniGetUI reads the package’s publication date and holds the update back while the release is younger than the threshold you set. Once the release reaches the minimum age, the update appears like any other.

What the setting can and can’t do

There are a few limitations worth knowing about before you turn it on. The release date is optional in WinGet manifests, and package managers such as Scoop and vcpkg do not expose a release date in their package metadata at all. When no release date is available, UniGetUI behaves as if Minimum Age for Updates were disabled for that package: the update is shown immediately, so the cooldown offers no protection for it. UniGetUI also only checks the publication date of the top-level package; packages that are built at install time may pull in dependencies that are newer than the configured minimum age.

How to enable it

To enable it, open Settings, go to Package update preferences, and set Minimum Age for Updates to the number of days that fits your risk tolerance. The value can be fine-tuned per package manager in the Package Managers section.
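To make the behaviour described above concrete, here is an added example (not UniGetUI’s own code) of a cooldown filter that implements the same rules: a global minimum age with per-manager overrides, updates held while the release is younger than the threshold, and updates without a publication date passed through unchecked, as the limitations section explains. The data model, function names, package IDs and dates are all assumptions constructed for this example; the only thing taken from the page is the decision logic. It also reports which updates were shown without an age check, which is the list a practitioner would want to review by hand.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class UpdateCandidate:
    """One available update as a cooldown filter sees it (constructed model)."""
    package_id: str
    manager: str               # package manager offering it, e.g. "winget"
    new_version: str
    published: Optional[date]  # None when the manifest carries no release date


@dataclass(frozen=True)
class Decision:
    candidate: UpdateCandidate
    shown: bool       # True: surface the update now; False: hold it back
    protected: bool   # True only if an actual age check was performed
    reason: str


def minimum_age_for(manager: str, default_days: int, per_manager: dict) -> int:
    """Per-manager threshold overrides the global one; 0 disables the cooldown."""
    return per_manager.get(manager, default_days)


def apply_cooldown(candidates, today, default_days, per_manager=None):
    """Decide which candidates are old enough to show on `today`."""
    per_manager = per_manager or {}
    decisions = []
    for c in candidates:
        min_age = minimum_age_for(c.manager, default_days, per_manager)
        if min_age <= 0:
            decisions.append(Decision(c, True, False, "cooldown disabled for this manager"))
            continue
        if c.published is None:
            # No publication date (optional in WinGet manifests, absent in
            # Scoop/vcpkg metadata): the setting cannot apply, so behave as
            # if it were disabled for this package.
            decisions.append(Decision(c, True, False, "no release date; cooldown not applied"))
            continue
        age_days = (today - c.published).days
        # A future-dated release (clock skew, bad manifest) yields a negative
        # age and is therefore held as well.
        if age_days < min_age:
            decisions.append(Decision(c, False, True, f"held: {age_days}d old, minimum is {min_age}d"))
        else:
            decisions.append(Decision(c, True, True, f"shown: {age_days}d old >= {min_age}d"))
    return decisions


def shown_ids(decisions):
    return sorted(d.candidate.package_id for d in decisions if d.shown)


def held_ids(decisions):
    return sorted(d.candidate.package_id for d in decisions if not d.shown)


def unprotected_ids(decisions):
    """Updates that were shown without any age check; worth reviewing by hand."""
    return sorted(d.candidate.package_id for d in decisions if d.shown and not d.protected)


# Constructed sample input; package names and dates are invented for this example.
SAMPLE_TODAY = date(2026, 3, 10)
DEFAULT_MIN_AGE_DAYS = 7
PER_MANAGER_MIN_AGE = {"winget": 3}  # tighter window for winget, 7 days elsewhere
SAMPLE_CANDIDATES = [
    UpdateCandidate("Example.FreshTool", "winget", "2.1.0", date(2026, 3, 9)),      # 1 day old: held
    UpdateCandidate("Example.SettledTool", "winget", "5.4.1", date(2026, 3, 5)),    # 5 days old: shown
    UpdateCandidate("Example.NoDateTool", "winget", "1.0.3", None),                 # manifest omits date
    UpdateCandidate("example-scoop-app", "scoop", "0.9.0", None),                   # scoop has no dates
    UpdateCandidate("example-port", "vcpkg", "3.2.0", None),                        # vcpkg has no dates
    UpdateCandidate("example.choco.pkg", "chocolatey", "7.0.0", date(2026, 3, 5)),  # 5 < 7: held
    UpdateCandidate("Example.FutureDated", "winget", "9.9.9", date(2026, 3, 12)),   # clock skew: held
]


def run_example():
    return apply_cooldown(SAMPLE_CANDIDATES, SAMPLE_TODAY, DEFAULT_MIN_AGE_DAYS, PER_MANAGER_MIN_AGE)


if __name__ == "__main__":
    for d in run_example():
        flag = "SHOW" if d.shown else "HOLD"
        print(f"{flag:4} {d.candidate.manager:10} {d.candidate.package_id:22} {d.reason}")
```

The `protected` flag is the part worth copying into any real tooling: a cooldown that silently passes undated packages through looks like it covers your whole fleet when it does not, and surfacing that list lets you decide whether those packages need a pinned version or a manual review step instead.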

[Screenshot: the update security window in UniGetUI]

Final thoughts

Patching quickly still matters, but it is no longer the only variable to optimize for. A short cooldown adds only a few days of exposure to already-public CVEs and, in exchange, buys meaningful protection against the kind of attacks that have dominated 2025 and 2026 so far. With Minimum Age for Updates, you decide where that line sits for your environment, package manager by package manager, instead of being forced into an all-or-nothing choice between “always latest” and “manual review of everything.” For most teams, even a two- or three-day delay is enough to let the community catch a poisoned release before it lands on your machines.
