Add 7-day dependency cooldown via uv exclude-newer #88

Open
xmartinez wants to merge 1 commit into main from xavi/dep-cooldown

Conversation

@xmartinez

Declares `tool.uv.exclude-newer = "P7D"` in pyproject.toml so `uv lock`
only resolves package versions that are at least 7 days old.

This mitigates supply-chain risk from compromised fresh releases (e.g.
typosquats, hijacked maintainer accounts) by giving the ecosystem a
window to detect and yank malicious versions before they enter our
lockfile.
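As an added example (not code from this PR or the project), the script below simulates what a release-age cooldown such as uv's `exclude-newer` does during resolution: it parses the ISO 8601 duration from the setting, subtracts it from the resolution time to get a cutoff, and then treats any release file uploaded after that cutoff (or yanked) as if it did not exist. The release metadata is constructed in the shape of the `releases` field of PyPI's JSON API (`https://pypi.org/pypi/<name>/json`); the package name, versions and timestamps are made up, and the version ordering uses a simple dotted-integer key rather than full PEP 440 comparison, which is an assumption that holds for the sample data only.

```python
"""Simulate a release-age cooldown (uv's exclude-newer) against PyPI-style release metadata.

Added example, not part of the PR. SAMPLE_RELEASES is constructed in the shape of the
"releases" field of PyPI's JSON API; the package, versions and upload times are made up.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> list of uploaded files, as PyPI's JSON API lays them out.
SAMPLE_RELEASES: dict[str, list[dict]] = {
    "1.0.0": [{"filename": "demo-1.0.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-01T12:00:00.000000Z", "yanked": False}],
    "1.1.0": [{"filename": "demo-1.1.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-10T09:30:00.000000Z", "yanked": False}],
    # Yanked by the maintainer after release; a resolver must not pick it.
    "1.1.1": [{"filename": "demo-1.1.1-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-15T08:00:00.000000Z", "yanked": True}],
    # Published two days before resolution: inside the cooldown window.
    "1.2.0": [{"filename": "demo-1.2.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-24T22:15:00.000000Z", "yanked": False}],
}

# Reference "now" for the simulation: the PR's review-request timestamp (assumed, for illustration).
RESOLVE_AT = datetime(2026, 5, 26, 8, 9, tzinfo=timezone.utc)

# Subset of ISO 8601 durations: weeks, days, and an optional time part (hours/minutes/seconds).
_DURATION_RE = re.compile(r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def parse_iso_duration(text: str) -> timedelta:
    """Parse a duration such as "P7D" or "PT12H" into a timedelta; reject empty or unsupported forms."""
    m = _DURATION_RE.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    weeks, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(weeks=weeks, days=days, hours=hours, minutes=minutes, seconds=seconds)


def upload_time(file: dict) -> datetime:
    """Timezone-aware upload time; PyPI ends the field in "Z", which older fromisoformat rejects."""
    return datetime.fromisoformat(file["upload_time_iso_8601"].replace("Z", "+00:00"))


def audit(releases: dict[str, list[dict]], cooldown: timedelta, now: datetime) -> dict[str, str]:
    """Classify every version as 'eligible', 'yanked', or 'newer than cutoff' for the given cooldown."""
    cutoff = now - cooldown
    status: dict[str, str] = {}
    for version, files in releases.items():
        live = [f for f in files if not f.get("yanked", False)]
        if not live:
            status[version] = "yanked"
        elif all(upload_time(f) > cutoff for f in live):
            # Every file for this version was uploaded inside the window: invisible to the resolver.
            status[version] = "newer than cutoff"
        else:
            status[version] = "eligible"
    return status


def _version_key(version: str) -> tuple[int, ...]:
    # Assumption: plain dotted integers. Real resolvers order with PEP 440 (packaging.version).
    return tuple(int(part) for part in version.split("."))


def newest_allowed(releases: dict[str, list[dict]], cooldown: timedelta, now: datetime) -> str | None:
    """Highest version the cooldown permits, or None if nothing is old enough."""
    allowed = [v for v, s in audit(releases, cooldown, now).items() if s == "eligible"]
    return max(allowed, key=_version_key) if allowed else None


if __name__ == "__main__":
    window = parse_iso_duration("P7D")
    for version, status in audit(SAMPLE_RELEASES, window, RESOLVE_AT).items():
        print(f"{version:8} {status}")
    print("resolver would pick:", newest_allowed(SAMPLE_RELEASES, window, RESOLVE_AT))
    print("without cooldown:   ", newest_allowed(SAMPLE_RELEASES, timedelta(0), RESOLVE_AT))
```

With a 7-day window the cutoff lands on 2026-05-19, so `1.2.0` is skipped and the resolver settles on `1.1.0`; with no window it would take `1.2.0`. The trade-off a reviewer should keep in mind is that the same window also delays legitimate security fixes by a week, so a project using this setting needs a way to pull a specific patched package in early (uv documents a per-package override, `exclude-newer-package`, for that purpose) rather than dropping the global cooldown under pressure.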
@xmartinez xmartinez requested a review from bisho May 26, 2026 08:09
@xmartinez xmartinez marked this pull request as ready for review May 26, 2026 08:09
@xmartinez xmartinez requested a review from a team June 1, 2026 08:21