sethmlarson.dev

April 27, 2026

pip v26.1 adds support for “Relative Dependency Cooldowns”

pip v26.1 is an awesome release with multiple new security features. Two months ago I published a blog post about how to hack relative dependency cooldowns into pip v26.0 with crontab. Now with pip v26.1 available, this hack is no longer required! Time to upgrade my pip and delete that cron job...

“Relative dependency cooldowns” are a straightforward “set-and-forget” security policy to use when installing directly from the Python Package Index (PyPI) to a developer machine. Using dependency cooldowns means you will benefit from manual malware reporting, triaging, and removal efforts. The vast majority of malware and supply chain attacks published are detected and removed within hours of being uploaded to the index.
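As an added illustration of the policy described above (example code written for this page, not code from the post and not pip's own implementation), the following Python sketch applies a relative cooldown to a constructed set of release upload times: a version is eligible only if it was uploaded at least the cooldown period before "now", and the newest eligible version is selected. The package name, versions and timestamps are constructed, and the version ordering handles only plain numeric `X.Y.Z` strings.

```python
from datetime import datetime, timedelta, timezone

# Constructed PyPI-style release metadata for a hypothetical package:
# version -> upload time of the release (ISO 8601, UTC). Not real data.
SAMPLE_RELEASES = {
    "1.0.0": "2026-04-01T10:00:00Z",
    "1.1.0": "2026-04-20T09:30:00Z",
    "1.1.1": "2026-04-27T02:15:00Z",  # uploaded only hours before "now"
}


def parse_upload_time(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_key(version):
    """Sort key for simple numeric versions such as '1.2.3' (assumption: no pre-releases)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases, cooldown, now):
    """Return the versions whose upload time is at least `cooldown` before `now`.

    A release inside the cooldown window is skipped so that malware reporting
    and removal on the index have had time to act before the package is installed.
    """
    cutoff = now - cooldown
    return [v for v, uploaded in releases.items() if parse_upload_time(uploaded) <= cutoff]


def select_version(releases, cooldown, now):
    """Pick the newest version outside the cooldown window, or None if all are too new."""
    candidates = eligible_versions(releases, cooldown, now)
    if not candidates:
        return None
    return max(candidates, key=version_key)


if __name__ == "__main__":
    # Constructed "current time" for the demonstration.
    now = datetime(2026, 4, 27, 12, 0, tzinfo=timezone.utc)
    for days in (0, 1, 7, 60):
        chosen = select_version(SAMPLE_RELEASES, timedelta(days=days), now)
        print(f"cooldown={days}d -> {chosen or 'no eligible release'}")
```

With a cooldown of a day or a week the freshly uploaded `1.1.1` is skipped in favour of `1.1.0`; with a cooldown larger than the package's whole history nothing is eligible, which is the case a real installer has to surface to the user rather than silently falling back to the newest release.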

Read more: https://sethmlarson.dev/pip-relative-dependency-cooldowns
