Use uv cooldown #2115

Open
Dreamsorcerer wants to merge 2 commits into main from sam/uv-cooldown

Conversation

@Dreamsorcerer (Collaborator)

Adds some developer protection from supply chain attacks.

@Dreamsorcerer Dreamsorcerer requested a review from leshy May 16, 2026 15:41
@greptile-apps (Contributor)

greptile-apps Bot commented May 16, 2026

Greptile Summary

This PR enables uv's exclude-newer cooldown feature, which prevents packages published within the last 7 days from being selected during dependency resolution, reducing exposure to typosquatting and other supply-chain injection attacks.

  • pyproject.toml gains exclude-newer = "7 days" (rolling window) and required-version = ">=0.9.17" to enforce the minimum uv version that supports relative-duration syntax for that setting.
  • uv.lock gains an [options] section recording the absolute cutoff timestamp and ISO-8601 span at lock-generation time, ensuring frozen installs remain reproducible.

Confidence Score: 5/5

The changes are purely additive configuration — no logic or runtime code is touched — and work as documented for uv >= 0.9.17.

Both added settings are well-understood uv features. The required-version guard ensures any developer on an older uv gets a clear error rather than a cryptic parse failure. The lock file update is the expected mechanical result of regenerating under the new setting. No application logic is affected.

No files require special attention.

Important Files Changed

pyproject.toml: Adds required-version = ">=0.9.17" and exclude-newer = "7 days" to [tool.uv] for supply-chain attack protection via a rolling cooldown window.

uv.lock: Lock file updated to record the absolute cutoff timestamp (2026-05-09T15:39:50Z) and span (P7D) in the new [options] section, consistent with the exclude-newer setting in pyproject.toml.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Developer runs uv lock / uv sync] --> B{uv version >= 0.9.17?}
    B -- No --> C[Fail with clear required-version error]
    B -- Yes --> D[Compute cutoff = now - 7 days]
    D --> E[Resolve dependencies]
    E --> F{Package release date > cutoff?}
    F -- Yes, too new --> G[Exclude package version]
    F -- No, old enough --> H[Allow package version]
    G --> I[Pick next older version]
    I --> F
    H --> J[Write absolute timestamp to uv.lock]
    J --> K[Lock file reproducible for frozen installs]

Reviews (2): Last reviewed commit: "Update pyproject.toml"
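The cooldown selection that the summary and flowchart above describe, as an added model written for this page (not uv's own code): a constructed set of release timestamps is resolved against a cutoff of now minus the span, the version published inside the window is skipped, and re-resolving against the absolute cutoff recorded in the lock file gives the same answer regardless of the current date. It assumes the index reports one upload time per version and that "at or before the cutoff" is the eligibility rule.

```python
"""Model of uv's exclude-newer cooldown (added example, not uv's own code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> upload time, as an index might report them.
RELEASES = {
    "1.4.2": datetime(2026, 5, 15, 8, 0, tzinfo=timezone.utc),   # published 1 day ago
    "1.4.1": datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc),   # ~2 weeks old
    "1.4.0": datetime(2026, 3, 20, 9, 30, tzinfo=timezone.utc),  # older
}

# The two span spellings this PR uses: "7 days" in pyproject.toml, "P7D" in uv.lock.
_SPAN_FORMS = (re.compile(r"(\d+)\s*days?"), re.compile(r"P(\d+)D"))


def parse_span(span: str) -> timedelta:
    """Turn a relative span into a timedelta; anything else is rejected."""
    for form in _SPAN_FORMS:
        m = form.fullmatch(span.strip())
        if m:
            return timedelta(days=int(m.group(1)))
    raise ValueError(f"unsupported span: {span!r}")


def cutoff_for(now: datetime, span: str) -> datetime:
    """Absolute cutoff = now - span; this is the value the lock file records."""
    return now - parse_span(span)


def _version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def select_version(releases: dict, cutoff: datetime):
    """Newest version uploaded at or before the cutoff; None if all are too new."""
    eligible = [v for v, uploaded in releases.items() if uploaded <= cutoff]
    return max(eligible, key=_version_key, default=None)


def resolve(releases: dict, now: datetime, span: str = "7 days"):
    """Fresh resolution: compute the rolling cutoff, then pick a version."""
    cutoff = cutoff_for(now, span)
    return select_version(releases, cutoff), cutoff


if __name__ == "__main__":
    now = datetime(2026, 5, 16, 15, 39, 50, tzinfo=timezone.utc)
    chosen, cutoff = resolve(RELEASES, now)
    print(f"cutoff {cutoff.isoformat()} -> selected {chosen}")  # 1.4.2 is skipped
```

A frozen install that reuses the recorded cutoff (select_version with the lock's timestamp) keeps selecting the same version even after the window has rolled past the newer release.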

@codecov

codecov Bot commented May 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>