chore: add 5-day dependency cooling period for supply-chain hardening (#7718)

2026-06-01 22:50:26 -04:00 · 2026-05-31 10:55:15 -05:00
parent e1ddc06eff
commit 3bde6df958
7 changed files with 29 additions and 4 deletions
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,6 +20,10 @@ concurrency:
 jobs:
  build:
    runs-on: ubuntu-latest
+    env:
+      # Install from the committed lockfile; never re-resolve (see pyproject
+      # [tool.uv] exclude-newer cooling window).
+      UV_FROZEN: "1"
    steps:
      - uses: actions/checkout@v6

--- a/.github/workflows/locale-sync.yml
+++ b/.github/workflows/locale-sync.yml
@@ -14,6 +14,10 @@ permissions:
 jobs:
  sync-locales:
    runs-on: ubuntu-latest
+    env:
+      # Install from the committed lockfile; never re-resolve (see pyproject
+      # [tool.uv] exclude-newer cooling window).
+      UV_FROZEN: "1"
    steps:
      - name: Generate GitHub App Token
        id: app-token
--- a/.github/workflows/test-backend.yml
+++ b/.github/workflows/test-backend.yml
@@ -13,6 +13,10 @@ jobs:

    env:
      PRODUCTION: false
+      # Install from the committed lockfile; never re-resolve. The rolling
+      # `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
+      # every uv command re-resolve and fail on in-window pins.
+      UV_FROZEN: "1"

    strategy:
      fail-fast: true
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -7,6 +7,10 @@ env:
  DEFAULT_GROUP: Home
  DEFAULT_HOUSEHOLD: Family
  PRODUCTION: false
+  # Install from the committed lockfile; never re-resolve. Required because the
+  # rolling `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise
+  # make every `uv run`/`uv sync` re-resolve and fail on in-window pins.
+  UV_FROZEN: "1"
  API_PORT: 9000
  API_DOCS: True
  TOKEN_TIME: 256 # hours
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -52,6 +52,11 @@ RUN apt-get update \

 RUN pip install uv

+# Install from the committed lockfile; never re-resolve. The rolling
+# `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
+# `uv export` below re-resolve and fail on in-window pins.
+ENV UV_FROZEN=1
+
 WORKDIR /mealie

 # copy project files here to ensure they will be cached.
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -178,3 +178,7 @@ max-complexity = 24  # Default is 10.

 [tool.uv]
 add-bounds = "exact"
+# Cooling period: ignore package releases newer than 5 days to mitigate
+# supply-chain attacks (compromised releases are usually caught and yanked
+# within days). Evaluated at resolve time as a rolling window.
+exclude-newer = "5 days"
--- a/renovate.json
+++ b/renovate.json
@@ -12,6 +12,8 @@
  "extends": [
    "config:recommended"
  ],
+  "minimumReleaseAge": "5 days",
+  "internalChecksFilter": "strict",
  "addLabels": [
    "dependencies"
  ],
@@ -51,8 +53,7 @@
      ],
      "automerge": true,
      "automergeType": "pr",
-      "automergeStrategy": "squash",
-      "minimumReleaseAge": "5 days"
+      "automergeStrategy": "squash"
    },
    {
      "description": "Auto-merge Docker digest and patch updates",
@@ -66,8 +67,7 @@
      ],
      "automerge": true,
      "automergeType": "pr",
-      "automergeStrategy": "squash",
-      "minimumReleaseAge": "5 days"
+      "automergeStrategy": "squash"
    }
  ]
 }