Opt out of very new Python package versions with uv

Mar 28, 2026 · 1 min read

In light of several recent Python package compromises (litellm, telnyx), here is a useful tip from Hacker News commenter mil22:

For those using uv, you can at least partially protect yourself against such attacks by adding this to your pyproject.toml:

[tool.uv]
exclude-newer = "7 days"

or this to your ~/.config/uv/uv.toml:

exclude-newer = "7 days"

This will prevent uv picking up any package version released within the last 7 days, hopefully allowing enough time for the community to detect any malware and yank the package version before you install it.

Commenter notatallshaw follows up with how to achieve similar behaviour in *pip*:

Pip maintainer here. To do this in pip (26.0+) now, you have to manually calculate the date, e.g. --uploaded-prior-to="$(date -u -d '3 days ago' '+%Y-%m-%dT%H:%M:%SZ')"

In pip 26.1 (release scheduled for April 2026), it will support the day ISO-8601 duration format, which uv also supports, so you will be able to do --uploaded-prior-to=P3D, or via env vars or config files, as all pip options can be set in either.
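To see what such a cutoff actually admits, here is an added example (not code from the post, and not uv's or pip's own implementation) that audits a package's release history against an "exclude anything uploaded in the last N days" policy. It assumes the shape of PyPI's JSON API (`https://pypi.org/pypi/<name>/json`), where `data["releases"][version]` is a list of file entries carrying `upload_time_iso_8601` and `yanked`; the release data below is constructed so it runs offline, and `cutoff_iso` produces the same timestamp form the `date -u` invocation above does for `--uploaded-prior-to`. Two details a practitioner wants checked: the cutoff is computed in UTC, and a version only counts as old enough once its newest file is past the cutoff, which is at least as strict as applying the cutoff per file.

```python
"""Audit package versions against an "exclude newer than N days" policy.

Added example, not code from the original post and not uv's or pip's own
implementation. Assumes PyPI's JSON API shape: releases[version] is a list of
file dicts with "upload_time_iso_8601" and "yanked". All sample data below is
constructed; feed it a real "releases" dict to audit a real package.
"""
from datetime import datetime, timedelta, timezone


def cutoff_for(days, now=None):
    """Return the UTC cutoff instant: anything uploaded after it is too new."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=days)


def cutoff_iso(days, now=None):
    """The cutoff formatted like the value pip 26.0's --uploaded-prior-to takes
    (the same shape the `date -u -d '... ago'` command in the post emits)."""
    return cutoff_for(days, now).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_upload_time(s):
    # PyPI emits e.g. "2026-03-01T10:00:00.123456Z"; make it a tz-aware datetime.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _version_key(v):
    # Good enough for plain dotted numeric versions; use packaging.version
    # for PEP 440 edge cases (pre-releases, epochs) on real data.
    return tuple(int(p) if p.isdigit() else p for p in v.split("."))


def allowed_versions(releases, cutoff):
    """Versions whose files were ALL uploaded before `cutoff` and are not all yanked.

    Using the newest file's upload time is the conservative choice for an audit:
    a wheel pushed days after the sdist cannot pull that version back under the cutoff.
    """
    allowed = []
    for version, files in releases.items():
        if not files or all(f.get("yanked", False) for f in files):
            continue  # no distributions, or yanked after the fact: never allow
        newest_upload = max(_parse_upload_time(f["upload_time_iso_8601"]) for f in files)
        if newest_upload < cutoff:
            allowed.append(version)
    return sorted(allowed, key=_version_key)


def newest_allowed(releases, cutoff):
    """What a resolver honouring the policy would pick with no other constraints."""
    allowed = allowed_versions(releases, cutoff)
    return allowed[-1] if allowed else None


def too_new_pins(pins, releases_by_package, cutoff):
    """Flag name==version pins (e.g. from a lockfile) that the policy would reject."""
    flagged = []
    for name, version in pins.items():
        if version not in allowed_versions(releases_by_package[name], cutoff):
            flagged.append(f"{name}=={version}")
    return flagged


# Constructed sample: what /pypi/examplepkg/json might look like on 2026-03-28.
NOW = datetime(2026, 3, 28, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    "1.0.0": [  # well aged: sdist and wheel both 27 days old
        {"upload_time_iso_8601": "2026-03-01T10:00:00.000000Z", "yanked": False},
        {"upload_time_iso_8601": "2026-03-01T10:05:00.000000Z", "yanked": False},
    ],
    "1.0.1": [  # old enough, but yanked (say, after a compromise was found)
        {"upload_time_iso_8601": "2026-03-15T09:00:00.000000Z", "yanked": True},
    ],
    "1.1.0": [  # sdist is 8 days old, but the wheel landed yesterday
        {"upload_time_iso_8601": "2026-03-20T09:00:00.000000Z", "yanked": False},
        {"upload_time_iso_8601": "2026-03-27T08:00:00.000000Z", "yanked": False},
    ],
    "1.2.0": [  # two days old: inside the window
        {"upload_time_iso_8601": "2026-03-26T15:30:00.000000Z", "yanked": False},
    ],
}

if __name__ == "__main__":
    cutoff = cutoff_for(7, NOW)
    print("pip flag value:", cutoff_iso(7, NOW))           # 2026-03-21T12:00:00Z
    print("allowed:", allowed_versions(RELEASES, cutoff))   # ['1.0.0']
    print("would pick:", newest_allowed(RELEASES, cutoff))  # 1.0.0
    print("too new:", too_new_pins({"examplepkg": "1.2.0"},
                                   {"examplepkg": RELEASES}, cutoff))  # ['examplepkg==1.2.0']
```

With a 7-day window, 1.1.0 is rejected even though its sdist is old enough, because its wheel is a day old; 1.0.1 is rejected despite its age because it was yanked. Shrink the window to one day and 1.1.0 and 1.2.0 become eligible while 1.0.1 stays out, which is the behaviour you want from a delay-based policy: it buys time for a yank, it does not replace one.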