chore: add 5-day dependency cooling period for supply-chain hardening (#7718)

2026-06-06 17:10:16 -04:00 · 2026-05-31 10:55:15 -05:00
parent e1ddc06eff
commit 3bde6df958
7 changed files with 29 additions and 4 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -178,3 +178,7 @@ max-complexity = 24  # Default is 10.

 [tool.uv]
 add-bounds = "exact"
+# Cooling period: ignore package releases newer than 5 days to mitigate
+# supply-chain attacks (compromised releases are usually caught and yanked
+# within days). Evaluated at resolve time as a rolling window.
+exclude-newer = "5 days"