Python’s default package manager pip now has an official mechanism for dependency cooldowns, which we previously discussed on this blog as a feature of uv. The --uploaded-prior-to option, which already accepted an absolute timestamp, now also accepts a relative duration in ISO 8601 PnD form, where n is a number of days; pip then ignores every distribution file uploaded inside that window and resolves from what remains. For example, to skip anything released in the past 3 days:
pip install --uploaded-prior-to=P3D pip
This is an important security feature for avoiding compromise by short-lived malicious package uploads like the recent litellm hack. The protection holds only if the malicious release is pulled from the index before the cooldown expires, so treat it as a complement to pinning and hash checking rather than a replacement for them.
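To see what a given cooldown would do to a package before you install it, here is an added example (not pip's or PyPI's own code) that replays pip's selection rule over release metadata shaped like PyPI's JSON API: every file uploaded inside the window is dropped, yanked files are skipped, and the newest version that still has a surviving file wins. The package data, the fixed "now", the strict before-cutoff comparison and the plain dotted-version ordering are constructed assumptions; fetch_releases is a convenience for pulling a real package's data over the network and is not exercised by the sample.

```python
"""Dry-run pip's --uploaded-prior-to cooldown against PyPI-style release metadata.

Added example, not pip's own code: it reproduces the selection rule (drop every
file uploaded inside the cooldown window, pick the newest version that still has
a file) so you can see which versions a given PnD value would hold back.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "releases" map of PyPI's JSON API
# (GET https://pypi.org/pypi/<name>/json). Versions and timestamps are invented.
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2025-01-10T12:00:00.000000Z", "yanked": False}],
    "1.1.0": [{"upload_time_iso_8601": "2025-02-01T09:30:00.000000Z", "yanked": False}],
    "1.1.2": [{"upload_time_iso_8601": "2025-02-02T10:00:00.000000Z", "yanked": True}],
    "1.1.1": [{"upload_time_iso_8601": "2025-02-03T18:45:00.000000Z", "yanked": False}],
    "1.2.0": [{"upload_time_iso_8601": "2025-02-05T08:00:00.000000Z", "yanked": False}],
}
# Fixed "now" so the sample is reproducible (assumption, not the real clock).
SAMPLE_NOW = datetime(2025, 2, 6, tzinfo=timezone.utc)

_DURATION = re.compile(r"^P(\d+)D$")


def parse_cooldown(text: str) -> timedelta:
    """Parse the relative PnD form accepted by --uploaded-prior-to (days only)."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"expected a PnD duration, got {text!r}")
    return timedelta(days=int(m.group(1)))


def parse_upload_time(text: str) -> datetime:
    """PyPI reports upload_time_iso_8601 with a trailing Z; make it tz-aware."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def version_key(version: str):
    """Assumption: sample versions are plain dotted integers. pip itself uses
    packaging.version, which also orders pre-releases and local labels."""
    return tuple(int(part) for part in version.split("."))


def file_allowed(file_info: dict, cutoff: datetime) -> bool:
    """A file survives if it is not yanked and was uploaded strictly before the cutoff."""
    if file_info.get("yanked"):
        return False
    return parse_upload_time(file_info["upload_time_iso_8601"]) < cutoff


def eligible_versions(releases: dict, cooldown: str, now: datetime) -> list:
    """Versions with at least one installable file once the cooldown is applied."""
    cutoff = now - parse_cooldown(cooldown)
    keep = [v for v, files in releases.items() if any(file_allowed(f, cutoff) for f in files)]
    return sorted(keep, key=version_key)


def held_back_versions(releases: dict, cooldown: str, now: datetime) -> list:
    """Versions excluded only by the cooldown (versions that are entirely yanked are not counted)."""
    allowed = set(eligible_versions(releases, cooldown, now))
    unyanked = {v: [f for f in files if not f.get("yanked")] for v, files in releases.items()}
    return sorted((v for v, files in unyanked.items() if files and v not in allowed), key=version_key)


def select_version(releases: dict, cooldown: str, now: datetime = None):
    """Newest eligible version, or None, the case where pip reports no matching distribution."""
    now = now or datetime.now(timezone.utc)
    ok = eligible_versions(releases, cooldown, now)
    return ok[-1] if ok else None


def fetch_releases(name: str) -> dict:
    """Pull the real releases map for a package from PyPI (needs network; not used by the sample)."""
    import json
    from urllib.request import urlopen
    with urlopen(f"https://pypi.org/pypi/{name}/json") as resp:
        return json.load(resp)["releases"]


if __name__ == "__main__":
    for cooldown in ("P0D", "P3D", "P30D"):
        print(cooldown, "->", select_version(SAMPLE_RELEASES, cooldown, SAMPLE_NOW),
              "held back:", held_back_versions(SAMPLE_RELEASES, cooldown, SAMPLE_NOW))
```

With the sample data, P3D holds back 1.1.1 and 1.2.0 and lands on 1.1.0, while P30D leaves nothing eligible, which is the failure mode to expect when a package is younger than your cooldown: pip will refuse to install rather than silently pick something newer.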
It still isn’t as fully featured as uv’s exclude-newer, which can be set per project in pyproject.toml or uv.toml as well as globally; pip’s option can be given a default through pip.conf or the PIP_UPLOADED_PRIOR_TO environment variable, but there is no project-scoped setting. It also depends on the index publishing upload times, as PyPI does in its JSON Simple API, so a private mirror that omits that metadata gets no protection from it. Still, it’s a great step toward better security. For more information on dependency cooldowns see William Woodruff’s post on the subject.
Hat tip to Simon Willison.
