I think uv should get some credit for being an early supporter of this. They originally added it as a hidden way to create stable fixtures for their own tests, but it has become a pretty popular flag to use.

This for instance will only install packages that are older than 14 days:

uv sync --exclude-newer $(date -u -v-14d '+%Y-%m-%dT%H:%M:%SZ')

It's great to see this kind of stuff being adopted in more places.

▲ mcintyre1994 6 days ago | parent [-]

Nice, but I think the config file is a much better implementation for protecting against supply chain attacks, particularly those targeting developers rather than runtime. You don’t want to rely on every developer passing a flag every time they install. This does suffer from the risk of using `npm install` instead of `pnpm install` though.

It would also be nice to have this as a flag so you can use it on projects that haven't configured it though, I wonder if that could be added too.

▲ ramses0 6 days ago | parent | next [-]

Just Minimum Version Selection in conjunction with "Minimum non-Vulnerable Version" (and this "--minAge") would do a lot, and effectively suss out a lot of poorly/casually maintained packages (eg: "finished" ones).

https://research.swtch.com/vgo-mvs#upgrade_timing

MVS makes tons of sense that you shouldn't randomly uptake "new" packages that haven't been "certified" by package maintainers in their own dependencies.

In the case of a vulnerable sub-dependency, you're effectively having to "do the work" to certify that PackageX is compatible with PackageY, and "--minAge" gives industry (and maintainers) time to scan before insta-pwning anyone who is unlucky that day.

▲ cap11235 6 days ago | parent | prev [-]

You can put the uv setting in pyproject.toml or uv.toml.

	▲	fainpul 6 days ago \| parent \| next [-]
		But then you have to hardcode a timestamp, since this is not gonna work in uv.toml: `exclude-newer = $(date -uv -14d '+%Y-%m-%dT%H:%M:%SZ')`
	▲	mcintyre1994 6 days ago \| parent \| prev [-]
		Nice, supporting both definitely seems ideal.