Using a config such as exclude-newer = "1 weeks" in ~/.config/uv/uv.toml or other supported files will limit the usage of recent dependency releases. This gives time to the community to detect compromised dependencies. For example, see https://docs.litellm.ai/blog/security-update-march-2026 for a recent example of a compromised artifact.
One method of guarding against these supply chain attacks is to never use recently released dependency versions. Using exclude-newer in uv is one way to accomplish this. However, it seems Nexus does not support PEP 700, which adds upload-time data, which I believe is required for exclude-newer to work.
Without this upload date stored in Nexus on a Python package, uv will output warnings about all dependencies that it cannot find upload-time for, and it cannot then use the exclude-newer configuration.
Acceptance Criteria:
- Add PEP 700 support
- Verify uv with exclude-newer works properly
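To make concrete what exclude-newer needs from the index, here is an added example (not code from uv, Nexus or this issue) that applies a one-week cutoff to a constructed PEP 691 Simple API JSON project page: files with a PEP 700 upload-time are allowed or excluded by age, and files without one (what an index lacking PEP 700 support returns) are reported separately. The project name, filenames, URLs, hashes and timestamps are made up.

```python
"""Added example: apply an exclude-newer cutoff to a PEP 691 Simple API
JSON response and report files lacking the PEP 700 upload-time field."""
from datetime import datetime, timedelta, timezone

# Constructed sample project page. The first two files carry PEP 700
# "upload-time"; the third is what an index without PEP 700 support
# returns (no upload-time), the case that makes uv warn. Hashes are fake.
SAMPLE_RESPONSE = {
    "meta": {"api-version": "1.1"},
    "name": "example-pkg",
    "versions": ["1.0.0", "1.1.0", "1.2.0"],
    "files": [
        {"filename": "example_pkg-1.0.0-py3-none-any.whl", "size": 1000,
         "hashes": {"sha256": "constructed"}, "url": "https://index.invalid/a",
         "upload-time": "2026-03-01T10:00:00Z"},
        {"filename": "example_pkg-1.1.0-py3-none-any.whl", "size": 1000,
         "hashes": {"sha256": "constructed"}, "url": "https://index.invalid/b",
         "upload-time": "2026-03-20T10:00:00Z"},
        {"filename": "example_pkg-1.2.0-py3-none-any.whl", "size": 1000,
         "hashes": {"sha256": "constructed"}, "url": "https://index.invalid/c"},
    ],
}
FIXED_NOW = datetime(2026, 3, 25, tzinfo=timezone.utc)  # fixed for a repeatable run
ONE_WEEK = timedelta(weeks=1)  # mirrors the "1 weeks" setting from the issue

def parse_upload_time(value):
    """PEP 700 upload-time is ISO 8601 in UTC; accept a trailing 'Z'."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # treat a naive timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed

def apply_exclude_newer(response, max_age, now):
    """Return (allowed, excluded, missing) filenames. Files uploaded after
    now - max_age are excluded; files with no upload-time cannot be judged."""
    cutoff = now - max_age
    allowed, excluded, missing = [], [], []
    for entry in response["files"]:
        raw = entry.get("upload-time")
        if raw is None:
            missing.append(entry["filename"])
        elif parse_upload_time(raw) <= cutoff:
            allowed.append(entry["filename"])
        else:
            excluded.append(entry["filename"])
    return allowed, excluded, missing

if __name__ == "__main__":
    print(apply_exclude_newer(SAMPLE_RESPONSE, ONE_WEEK, FIXED_NOW))
```

A non-empty `missing` list is the situation the issue describes: without upload-time the resolver cannot decide whether a file is "too new", so the cutoff cannot be enforced for that package.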