The problem
In the last two months, the Python community has seen serious supply chain attacks.
In March, LiteLLM was compromised to steal credentials. Last week, PyTorch Lightning suffered a similar attack where malicious versions tried to steal cloud secrets and SSH keys.
In both cases, the bad code was found and removed quickly. However, anyone who updated their packages during those few hours was at risk.
The (imperfect) solution
To protect yourself, add these lines to your ~/.bashrc or ~/.zshrc file. This tells your tools to ignore any package released in the last week.
# uv: Ignore any package versions released in the last 7 days
export UV_EXCLUDE_NEWER="7 days"
# pip: Ignore any package versions uploaded in the last 7 days
export PIP_UPLOADED_PRIOR_TO=P7D
For per-project constraints, update pyproject.toml in the following way:
[tool.uv]
exclude-newer = "1 week"
exclude-newer-package = { "safezip" = "0 days" }
In the example above, the safezip package is exempted from the overall project exclude-newer constraint of 1 week: its own window is "0 days", so the newest release of safezip is always eligible, while every other package is held back for a week.
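To make the rule behind these settings concrete, here is an added example that models what a "cooling-off" filter does to a package's release list. It is not uv's or pip's code; it reproduces the same idea (drop every file uploaded after now minus the configured window, with an optional per-package override) on a constructed, offline release list shaped like PyPI's JSON API (version -> files, each with upload_time_iso_8601 and a yanked flag). The package names, versions, timestamps and the "N days"/"N weeks" mini-parser are all invented for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed clock and release data (not real PyPI records); all times UTC.
NOW = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)

RELEASES = {
    "examplelib": {
        "1.4.0": [{"filename": "examplelib-1.4.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-03-01T09:00:00Z", "yanked": False}],
        "1.4.1": [{"filename": "examplelib-1.4.1-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-04-10T09:00:00Z", "yanked": False}],
        # Hypothetical short-lived poisoned release, pushed three hours before NOW.
        "1.4.2": [{"filename": "examplelib-1.4.2-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-04-20T09:00:00Z", "yanked": False}],
    },
    "safezip": {
        "0.9.0": [{"filename": "safezip-0.9.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-02-14T08:00:00Z", "yanked": False}],
        "1.0.0": [{"filename": "safezip-1.0.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-04-19T08:00:00Z", "yanked": False}],
    },
    "mixedpkg": {
        # sdist is old enough, but the wheel was (re)uploaded yesterday:
        # only the sdist survives the filter, so the version stays installable.
        "2.0.0": [{"filename": "mixedpkg-2.0.0.tar.gz",
                   "upload_time_iso_8601": "2026-04-01T10:00:00Z", "yanked": False},
                  {"filename": "mixedpkg-2.0.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2026-04-19T10:00:00Z", "yanked": False}],
    },
}

_UNITS = {"hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(weeks=1)}


def parse_duration(text):
    """Parse '7 days', '1 week', '0 days' (own mini-grammar, not uv's or pip's parser)."""
    count, unit = text.strip().split()
    return int(count) * _UNITS[unit.rstrip("s")]


def parse_upload_time(value):
    # PyPI writes a trailing 'Z'; fromisoformat on older Pythons wants '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def eligible_files(files, cutoff):
    """Files uploaded at or before cutoff and not yanked; anything newer is invisible."""
    return [f for f in files
            if not f.get("yanked")
            and parse_upload_time(f["upload_time_iso_8601"]) <= cutoff]


def cutoff_for(package, now, default_age, overrides):
    """Per-package override (like exclude-newer-package) wins over the project default."""
    return now - parse_duration(overrides.get(package, default_age))


def candidate_versions(releases, package, now, default_age="7 days", overrides=None):
    """Versions that still have at least one file old enough to be trusted."""
    cutoff = cutoff_for(package, now, default_age, overrides or {})
    result = {}
    for version, files in releases[package].items():
        kept = eligible_files(files, cutoff)
        if kept:
            result[version] = kept
    return result


def _version_key(version):
    # Simple numeric dotted versions only; real resolvers use PEP 440 ordering.
    return tuple(int(part) for part in version.split("."))


def newest_allowed(releases, package, now, default_age="7 days", overrides=None):
    """The version a resolver would pick once the cooling-off filter has been applied."""
    candidates = candidate_versions(releases, package, now, default_age, overrides)
    return max(candidates, key=_version_key) if candidates else None


if __name__ == "__main__":
    overrides = {"safezip": "0 days"}
    for package in RELEASES:
        print(package, "->", newest_allowed(RELEASES, package, NOW, "1 week", overrides))
```

Two details worth noticing in the output. First, the filter works per file, not per version: mixedpkg 2.0.0 remains installable through its old sdist even though its wheel is too new, so a freshly uploaded wheel cannot sneak in under an old version number, but your installer may end up building from source. Second, the filter only knows upload times: the hypothetical examplelib 1.4.2 is hidden because it is three hours old, and it would become visible again after seven days whether or not anyone has looked at it, which is why the post calls this solution imperfect.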
Why this improves security
- The "Cooling Off" Period: most malicious packages are caught by security researchers and automated scanners within 48 hours. A seven-day delay means any version you install has been publicly visible for a full week, giving that scrutiny time to happen before the code reaches your machine.
- Stopping "Fast" Attacks: the PyTorch Lightning attack lasted less than one hour. A one-week buffer makes such short-lived, poisoned releases invisible to your build system, because they are removed long before they become old enough to be eligible.
- Reliable Defence: the setting applies to every install and update command run from that shell or project, so a routine upgrade cannot accidentally grab a "bleeding edge" version that might be compromised.
By waiting seven days you give up little (new features, and note that security fixes also arrive a week late) but gain a large reduction in exposure to exactly this class of attack. It is not complete protection: a malicious release that stays unnoticed for longer than your window will still be installed once it ages past it.
The perfect solution that does not yet exist
If only PyPI (and other registries, such as NPM) would start doing preventive scanning of uploaded packages, and only offer scanned/secure packages for download...
Originally published as GitHub Gist #04733e7a00f94c7cc505f145154cd48a