{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreihdoqwsms5vldxfr2jjruhcqq66icurdml3ncdllsyxncappa2dim",
"uri": "at://did:plc:xrpvi727ccnv4bnwaedgs3gd/app.bsky.feed.post/3mgdswq7deyg2"
},
"path": "/pip-relative-dependency-cooling-with-crontab?utm_campaign=rss",
"publishedAt": "2026-03-04T00:00:00.000Z",
"site": "https://sethmlarson.dev",
"tags": [
"added support for the `--uploaded-prior-to` option",
"dependency cooldowns",
"William Woodruff",
"relatively short attack-window time",
"global configuration file to a relative value",
"setting a relative value",
"doesn't support relative ranges yet"
],
"textContent": "> **WARNING:** Most of this blog post is a hack; everyone should probably just wait for relative dependency cooldowns to arrive in a future version of pip.\n\npip v26.0 added support for the `--uploaded-prior-to` option. This new option makes it possible to implement “dependency cooldowns”, a technique described by William Woodruff, which provides simple but effective protection against the relatively short attack window of malware published to public software repositories. It brings the reaction time to malware back within the realm of humans, who sometimes need to run manual triage processes to take down malware from PyPI.\n\nSo if you wanted to set `--uploaded-prior-to` to 7 days before this post was published, February 25th, you'd do so like this:\n\n    python -m pip install \\\n        --uploaded-prior-to=2026-02-25 \\\n        urllib3\n\nBut this is only an absolute date, and we'd have to remember to set the option on each call to `pip install`? That seems like a lot of work!\n\nDependency cooldowns work best when the policy can be set in a global configuration file to a relative value like “7 days”. The “window” of acceptable packages then updates automatically over time without anyone needing to set a new absolute value constantly. “Set-and-forget”-style.\n\nuv allows setting a relative value via `--exclude-newer`, but pip doesn't support relative ranges yet. I mostly use pip and still wanted to test this feature today, so I created a little hack to update my user `pip.conf` configuration file on a regular basis instead. Here's what my `pip.conf` file looks like:\n\n    [install]\n    uploaded-prior-to = 2026-02-25\n\nAnd below is the entire Python script doing the updating. Quick reminder that I only tested this on my own system, your mileage may vary, do not use in production.\n\n    #!/usr/bin/python3\n    # License: MIT\n    import datetime\n    import sys\n    import os\n    import re\n\n\n    def main() -> int:\n        # Parse the command line options.\n        pip_conf = os.path.abspath(os.path.expanduser(sys.argv[1]))\n        days = int(sys.argv[2])\n\n        # Load the existing pip.conf file.\n        try:\n            with open(pip_conf, \"r\") as f:\n                pip_conf_data = f.read()\n        except FileNotFoundError:\n            print(f\"Could not find pip.conf file at: {pip_conf}\")\n            return 1\n\n        # Update the existing uploaded-prior-to value.\n        uploaded_prior_to_re = re.compile(\n            r\"^uploaded-prior-to\\s*=\\s*2[0-9]{3}-[0-9]{2}-[0-9]{2}$\", re.MULTILINE\n        )\n        if not uploaded_prior_to_re.search(pip_conf_data):\n            print(\"Could not find uploaded-prior-to option in pip.conf under [install]\")\n            return 1\n        new_uploaded_prior_to = (\n            datetime.date.today() - datetime.timedelta(days=days)\n        ).strftime(\"%Y-%m-%d\")\n        pip_conf_data = uploaded_prior_to_re.sub(\n            f\"uploaded-prior-to = {new_uploaded_prior_to}\", pip_conf_data\n        )\n\n        # Write the new uploaded-prior-to\n        # value to pip.conf\n        with open(pip_conf, \"w\") as f:\n            f.write(pip_conf_data)\n        return 0\n\n\n    if __name__ == \"__main__\":\n        sys.exit(main())\n\nThe script takes two parameters: the `pip.conf` file you want to update (typically `~/.config/pip/pip.conf` on Linux) and an integer number of days. I used 14 in my cron example below.\n\nSimple, right? I installed and `chmod u+x`-ed the script in my `/usr/local/bin` directory and then added it to my crontab using `crontab -u (USERNAME) -e`:\n\n    0 * * * * (/usr/local/bin/pip-dependency-cooldown /home/sethmlarson/.config/pip/pip.conf 14) 2>&1 | logger -t pip-dependency-cooldown\n\nThis pattern runs the script once per hour and updates the value of `uploaded-prior-to` to the new day. Now I only receive packages that were published 14 or more days ago by default when running `pip install` without any other options.\n\nStay tuned for more about dependency cooldowns for Python installers once pip supports relative values.\n\n* * *\n\nThanks for keeping RSS alive! ♥",
"title": "Relative “Dependency Cooldowns” in pip v26.0 with crontab",
"updatedAt": "2026-03-04T00:00:00.000Z"
}