chore: add 5-day dependency cooling period for supply-chain hardening (#7718)

2026-06-01 22:50:26 -04:00 · 2026-05-31 10:55:15 -05:00
parent e1ddc06eff
commit 3bde6df958
7 changed files with 29 additions and 4 deletions
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -7,6 +7,10 @@ env:
  DEFAULT_GROUP: Home
  DEFAULT_HOUSEHOLD: Family
  PRODUCTION: false
+  # Install from the committed lockfile; never re-resolve. Required because the
+  # rolling `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise
+  # make every `uv run`/`uv sync` re-resolve and fail on in-window pins.
+  UV_FROZEN: "1"
  API_PORT: 9000
  API_DOCS: True
  TOKEN_TIME: 256 # hours