{
"path": "/writing/dependency-standback",
"site": "at://did:plc:m25hu5wadnbqnt47zep7xza6/site.standard.publication/self",
"$type": "site.standard.document",
"title": "Dependency Standback",
"description": "Patience as a security practice.",
"publishedAt": "2026-04-01T00:00:00.000Z",
"textContent": "The recent [LiteLLM PyPI embargo](https://web.archive.org/web/20260402081221/https://futuresearch.ai/blog/litellm-attack-transcript/) shook the software development community and served as yet another reminder that dependency hygiene isn't optional.\n\nBut not everyone has the resources to audit every dependency thoroughly. Sometimes the best you can do is **just wait**. That's what **dependency standback** is all about. Before installing or upgrading software, you give it some time to \"breathe\" in the ecosystem. It doesn't do anything magical: it simply gives the community time to find problems before they become your problems.\n\nSo how long should you wait? A grace period of **7-14 days** is a solid default. But it depends on the speed of the ecosystem. An npm package allows for a shorter window than a [Julia dependency](https://julialang.org/), because the sheer volume of npm traffic means problems surface faster.\n\n## How It Works In Practice\n\nMost modern package managers expose standback natively, with varying degrees of control. The JS ecosystem is the most mature here: npm covers the basics with `--min-release-age`, pnpm goes further with per-package exclusions via `minimumReleaseAgeExclude` — useful for whitelisting internal or trusted packages — and bun offers the finest granularity of the three, configuring the age gate down to the second.\n\nOn the Python side, uv supports standback out of the box via `--exclude-newer`. pip originally only accepted absolute dates, but as of version 26.1, it natively supports relative durations via the `PnD` format[^1].\n\nThe OS and runtime layer is where things get inconsistent. [mise](https://mise.jdx.dev/) handles it well, supporting both relative durations and absolute timestamps. brew and winget, however, don't support standback at all. 
Their maintainers argue that existing review cycles make it unnecessary, a position [Andrew Nesbitt expands on](https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html). I'm not fully convinced. Slip-ups happen, and malicious actors are patient. A review cycle and a grace period don't have to be mutually exclusive.\n\n## Quick Reference\n\n### JavaScript\n\n#### npm\n\n- `--before` (`date`): Absolute date before which a package must have been published.\n- `--min-release-age` (`days`): Relative date computed through `today - n days`, before which a package must have been published.\n\n```bash frame=\"terminal\" title=\"CLI usage\"\nnpm install --before 2024-01-01\nnpm install --min-release-age 4\n```\n\n<br/>\n\n```ini frame=\"code\"\n<!-- .npmrc -->\nbefore = 2024-01-01\nmin-release-age = 4\n```\n\n#### pnpm\n\n- `minimumReleaseAge` (`minutes`): Number of minutes that must have passed since a package has been published.\n- `minimumReleaseAgeExclude` (`string[]`): Names of packages which should not be affected by the `minimumReleaseAge` rule.\n\n```bash frame=\"terminal\" title=\"CLI usage\"\npnpm install --minimum-release-age 1440\n```\n\n<br/>\n\n```yaml frame=\"code\"\n<!-- pnpm-workspace.yaml -->\nminimumReleaseAge: 1440\nminimumReleaseAgeExclude:\n - webpack\n - react\n```\n\nFor more advanced logic, such as filtering by `peerDependency` versions, pnpm also exposes standback via [`.pnpmfile.cjs`](https://pnpm.io/pnpmfile):\n\n```js frame=\"code\"\n<!-- .pnpmfile.cjs -->\n// Example taken from https://pnpm.io/blog/releases/10.16\nmodule.exports = {\n\tfinders: {\n\t\treact17: (ctx) => {\n\t\t\treturn ctx.readManifest().peerDependencies?.react === \"^17.0.0\";\n\t\t},\n\t},\n};\n```\n\n#### bun\n\n- `minimumReleaseAge` (`seconds`): Number of seconds that must have passed since a package has been published.\n- `minimumReleaseAgeExcludes` (`string[]`): Names of packages which should not be affected by the `minimumReleaseAge` rule.\n\n```bash 
frame=\"terminal\" title=\"CLI usage\"\nbun add @types/bun --minimum-release-age 259200\n```\n\n<br/>\n\n```toml frame=\"code\"\n<!-- bunfig.toml -->\n[install]\nminimumReleaseAge = 259200\nminimumReleaseAgeExcludes = [\"@types/node\", \"typescript\"]\n```\n\n#### taze\n\n- `--maturity-period` (`days`): Number of days that must have passed since a package has been published.\n\n```bash frame=\"terminal\" title=\"CLI usage\"\npnpm dlx taze --maturity-period 14\n```\n\n<br/>\n\n```ts frame=\"code\"\n<!-- taze.config.ts -->\nimport { defineConfig } from \"taze\";\n\nexport default defineConfig({\n\tmaturityPeriod: 14,\n});\n```\n\n### Python\n\n#### uv\n\n- `--exclude-newer` (`date`): Absolute timestamp before which packages must have been published.\n\n```bash frame=\"terminal\" title=\"CLI usage\"\nuv pip install --exclude-newer 2026-01-01T00:00:00Z litellm\nuv add --exclude-newer 2026-01-01T00:00:00Z litellm\n```\n\n<br/>\n\n```toml frame=\"code\"\n<!-- pyproject.toml -->\n[tool.uv]\nexclude-newer = \"2026-01-01T00:00:00Z\"\n```\n\n<br/>\n\n```toml frame=\"code\"\n<!-- uv.toml -->\n[uv]\nexclude-newer = \"2026-01-01T00:00:00Z\"\n```\n\n#### pip\n\n- `--uploaded-prior-to` (`date | duration`): Absolute timestamp or relative duration (since pip 26.1).\n- `PIP_UPLOADED_PRIOR_TO` (`env`): Global equivalent of `--uploaded-prior-to`.\n\nAs of pip 26.1, the `PnD` format (where `n` is the number of days) is supported for relative durations. 
For older versions or more complex offsets, a shell expression is still required:\n\n```bash frame=\"terminal\" title=\"CLI usage\"\n# Native relative duration (pip 26.1+)\npip install litellm --uploaded-prior-to P7D\n\n# Absolute timestamp\npip install litellm --uploaded-prior-to 2026-01-01T00:00:00Z\n\n# Shell wrapper (pre-26.1)\npip install litellm --uploaded-prior-to $(date -v-3d \"+%Y-%m-%dT%H:%M:%SZ\")\n```\n\n<br/>\n\n```sh frame=\"code\"\n<!-- .bashrc -->\n# pip 26.1+\nexport PIP_UPLOADED_PRIOR_TO=\"P7D\"\n\n# pre-26.1\nexport PIP_UPLOADED_PRIOR_TO=$(date -u -v-3d \"+%Y-%m-%dT%H:%M:%SZ\")\n```\n\n```powershell frame=\"code\"\n<!-- profile.ps1 -->\n$env:PIP_UPLOADED_PRIOR_TO = \"P7D\"\n```\n\n### OS & Runtime\n\n#### mise\n\n- `install_before` (`duration | date`): Relative durations (`7d`, `6m`, `1y`) or absolute timestamps (`2024-06-01`, `2024-06-01T12:00:00Z`).\n\n```toml frame=\"code\"\n<!-- mise.toml -->\n[settings]\ninstall_before = \"7d\"\n```\n\n#### brew & winget\n\nNot supported, and not planned.\n\n[^1]: https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/#dependency-cooldowns"
}