From d9b40cd58e95eea2d955b468c05de10487ebc181 Mon Sep 17 00:00:00 2001
From: James Williams <29534093+williajm@users.noreply.github.com>
Date: Fri, 3 Apr 2026 18:06:41 +0100
Subject: [PATCH] security: Add uv dependency cooldown (exclude-newer P3D)

Enforce a 3-day cooldown on newly published PyPI packages via uv's exclude-newer setting. This gives the community time to detect and quarantine compromised releases before they're pulled into builds, as recommended by the PyPI incident report on the litellm/telnyx supply chain attacks (2026-04-02).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 pyproject.toml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index de66019..0426e1a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -104,6 +104,9 @@ exclude = [
     "CLAUDE.md",
 ]
 
+[tool.uv]
+exclude-newer = "P3D" # Supply chain safety: avoid packages published < 3 days ago
+
 [tool.ruff]
 line-length = 100
 target-version = "py311"
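Review bot: The new `[tool.uv]` table relies on `exclude-newer` accepting an ISO 8601 duration (`"P3D"`), but nothing in the hunk pins a minimum uv version, and earlier uv releases document this key as taking only an RFC 3339 timestamp, so a contributor or CI runner on an older uv would presumably fail resolution (or not get the cooldown) rather than be told why. I would add `required-version = ">=<first uv release that accepts a duration here>"` as the first key of the table, and move the explanation above the key per the file's TOML style: `# Supply-chain cooldown: skip distributions uploaded in the last 3 days so a compromised release can be quarantined before it reaches a build.` It is also worth noting in that comment that the cutoff is relative to resolution time, so only the committed `uv.lock` makes a given resolution reproducible, and that this setting governs `uv lock`/`uv sync` for this project only — tooling installed in CI via `uvx` or `uv pip install` outside the project is not covered unless configured separately (verify against the uv docs for the pinned version). The `[tool.ruff]` table that follows is unchanged context.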