{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreify7uriyidiivpm5x3tbuypfro5oir6auadl4zopmodwwumd7hnty",
"uri": "at://did:plc:xrpvi727ccnv4bnwaedgs3gd/app.bsky.feed.post/3mkj3rsuzixa2"
},
"path": "/pip-relative-dependency-cooldowns?utm_campaign=rss",
"publishedAt": "2026-04-27T00:00:00.000Z",
"site": "https://sethmlarson.dev",
"tags": [
"Python Software Foundation",
"Alpha-Omega",
"published a blog post",
"hack relative dependency cooldowns into pip v26.0",
"pip v26.1 available",
"pip v26.1",
"Python Package Index",
"manual malware reporting, triaging, and removal efforts",
"Using relative dependency cooldowns",
"Andrew Nesbitt",
"comprehensive review of dependency cooldowns",
"originally published this approach"
],
"textContent": "> My work as the Security Developer-in-Residence at the Python Software Foundation is sponsored by Alpha-Omega. Thanks to Alpha-Omega for supporting security in the Python ecosystem.\n\nTwo months ago I published a blog post about how to hack relative dependency cooldowns into pip v26.0 with crontab. Now that pip v26.1 is available, that hack is no longer required. Time to upgrade my pip and delete that cron job...\n\nIn pip v26.1 you can set `uploaded-prior-to` in your `~/.config/pip/pip.conf` file, or pass `--uploaded-prior-to=` on the command line, with a relative RFC 3339 duration value instead of a fixed date. pip accepts day counts in the form `PND`, where `N` is the number of days.\n\nFor example, using the following as your `~/.config/pip/pip.conf` file will only install packages that have been on the Python Package Index for at least 7 days:\n\n    [install]\n    uploaded-prior-to = P7D\n\nBecause this setting lives in your global pip config, you won't have to remember to pass the option each time you invoke `pip install`. Because the value is relative, you also won't have to keep setting new dates in order to receive new releases of the packages you use.\n\nUsing relative dependency cooldowns means that installing directly from a public index such as the Python Package Index (PyPI) benefits from manual malware reporting, triaging, and removal efforts. The vast majority of malware and supply chain attacks published to the index are detected and removed within hours of being uploaded, so a cooldown gives indexes time to respond to malicious software before it can reach you.\n\nReminder that dependency cooldowns should be paired with a dependency management strategy that **prioritizes dependency releases that fix vulnerabilities**. You don't want to be waiting for days for a dependency cooldown to clear while your service is vulnerable.\n\n
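To make the cooldown rule and the trade-off in the reminder above concrete, here is an added example (written for this page, not code from the original post or from pip) that resolves an `uploaded-prior-to` value, either a relative `P7D` or an absolute RFC 3339 timestamp, into a cutoff and applies it to release data shaped like the `releases` object of PyPI's JSON API. The package, its versions and their upload times are constructed for the example; applying the cutoff per file rather than per version, and the helper names `resolve_cutoff` and `select_version`, are assumptions about how such a filter behaves, not a description of pip's internals.

```python
'''Resolve a pip-style uploaded-prior-to value against PyPI upload times.

Added example; not code from the original post or from pip. It mimics the
cooldown rule described in the post, applied per file, which is an assumption
about how pip filters candidates rather than a copy of its implementation.
'''
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Relative form described in the post: P<N>D, N = number of days.
_RELATIVE_DAYS = re.compile(r'^P(?P<days>\d+)D$')


def _parse_ts(value: str) -> datetime:
    '''Parse an RFC 3339 timestamp into an aware UTC datetime.'''
    parsed = datetime.fromisoformat(value.replace('Z', '+00:00'))
    if parsed.tzinfo is None:
        raise ValueError(f'timestamp must carry a UTC offset: {value!r}')
    return parsed.astimezone(timezone.utc)


def resolve_cutoff(value: str, now: datetime) -> datetime:
    '''Turn an uploaded-prior-to value into an absolute UTC cutoff.

    'P7D' becomes now minus seven days; anything else is read as an
    absolute RFC 3339 timestamp, the fixed-date form the old cron hack had
    to keep rewriting.
    '''
    match = _RELATIVE_DAYS.match(value)
    if match:
        return now - timedelta(days=int(match['days']))
    return _parse_ts(value)


def _version_key(version: str) -> tuple[int, ...]:
    # Simplified ordering: numeric release segments only (no pre/post tags).
    return tuple(int(part) for part in version.split('.'))


def select_version(releases: dict[str, list[dict]], value: str, now: datetime) -> tuple[str | None, list[str]]:
    '''Return (newest installable version, versions held back by the cooldown).

    ``releases`` follows the shape of the releases object in PyPI's JSON API
    (version -> list of files with an upload_time_iso_8601 field). A file is
    installable only if it was uploaded strictly before the cutoff; a version
    is installable if any of its files is. Versions with no files are skipped.
    '''
    cutoff = resolve_cutoff(value, now)
    installable: list[str] = []
    held: list[str] = []
    for version, files in releases.items():
        if not files:
            continue
        if any(_parse_ts(f['upload_time_iso_8601']) < cutoff for f in files):
            installable.append(version)
        else:
            held.append(version)
    installable.sort(key=_version_key)
    held.sort(key=_version_key)
    return (installable[-1] if installable else None), held


# Constructed sample data for a hypothetical package; not real PyPI records.
# 1.1.1 stands in for a release that fixes a vulnerability two days before NOW.
NOW = datetime(2026, 4, 27, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    '1.0.0': [{'upload_time_iso_8601': '2026-03-01T10:00:00.000000Z'}],
    '1.1.0': [{'upload_time_iso_8601': '2026-04-10T08:30:00.000000Z'}],
    '1.1.1': [{'upload_time_iso_8601': '2026-04-25T09:15:00.000000Z'}],
    '1.2.0': [{'upload_time_iso_8601': '2026-04-26T23:00:00.000000Z'}],
}

if __name__ == '__main__':
    for setting in ('P7D', 'P1D', '2026-04-26T00:00:00Z'):
        chosen, held = select_version(RELEASES, setting, NOW)
        print(f'uploaded-prior-to = {setting:<22} -> install {chosen}, held back {held}')
```

With `P7D` the resolver picks 1.1.0 and holds back both 1.2.0 and the two-day-old fix release 1.1.1, which is exactly the situation the reminder warns about: a global cooldown will keep a vulnerability patch out of a default `pip install` until the window has passed, so taking that patch has to be a deliberate step (pinning the version, or overriding the window for that one install with `--uploaded-prior-to` on the command line). Writing the setting with `pip config set install.uploaded-prior-to P7D` is equivalent to editing the `[install]` section of `pip.conf` by hand.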
Managing, reviewing, upgrading, and deploying vulnerability patches should be a **deliberate task**, not one that happens \"by accident\" due to an upgrade-by-default installation strategy.\n\nAndrew Nesbitt has published a comprehensive review of dependency cooldowns across many different package managers. Thanks to William Woodruff, who originally published this approach.\n\n* * *\n\nThanks for keeping RSS alive! ♥",
"title": "pip v26.1 adds support for relative dependency cooldowns",
"updatedAt": "2026-04-27T00:00:00.000Z"
}