28 lines
1.7 KiB
TOML
28 lines
1.7 KiB
TOML
# Fail loudly on a uv too old to honor the cooldown below: relative
|
|
# `exclude-newer` durations parse from 0.11, and the lockfile sentinel
|
|
# handling that keeps `uv sync --locked` stable landed in 0.11.8.
|
|
required-version = ">=0.11.8"
|
|
|
|
# Dependency cooldown: never resolve a distribution uploaded within the
|
|
# last 7 days, so a compromised or yanked release has a window to surface
|
|
# before it gets pinned. uv records the relative span in uv.lock (as
|
|
# `exclude-newer-span`) rather than a fixed date, so the pinned versions
|
|
# stay reproducible and `uv sync --locked` keeps passing; the cooldown is
|
|
# only re-applied when a resolution actually runs (`uv lock`, `--upgrade`,
|
|
# `--refresh`, or a dependency change).
|
|
exclude-newer = "P7D"
|
|
|
|
# Per-package cooldown exemptions (each scoped to one package, a fixed date
|
|
# just past its publish time, so the global P7D supply-chain cooldown still
|
|
# guards every other dependency):
|
|
# - cwsandbox: first-party CoreWeave SDK pinned to an exact, tested version
|
|
# (the `cwsandbox` extra), published 2026-06-11. Drop once aged past P7D.
|
|
# - google-antigravity: the SDK the `antigravity` harness drives (the
|
|
# `antigravity` extra in pyproject), published 2026-06-11. Drop once aged
|
|
# past P7D.
|
|
# - cryptography / pydantic-settings: open security advisories. Exempted so the
|
|
# patched releases (48.0.1 / 2.14.2) are resolvable now rather than after the
|
|
# P7D window; the bump itself is applied via `/regen upgrade cryptography
|
|
# pydantic-settings` (uv lock --upgrade-package). Drop once both aged past P7D.
|
|
exclude-newer-package = { cwsandbox = "2026-06-12T00:00:00Z", google-antigravity = "2026-06-12T00:00:00Z", cryptography = "2026-06-26T00:00:00Z", pydantic-settings = "2026-06-26T00:00:00Z" }
|