pip v26.1 adds support for “Relative Dependency Cooldowns”
pip v26.1 is an awesome release with multiple new security features. Two months ago I published a blog post about how to hack relative dependency cooldowns into pip v26.0 with crontab. Now with pip v26.1 available, this hack is no longer required! Time to upgrade my pip and delete that cron job...
“Relative dependency cooldowns” are a straightforward “set-and-forget” security policy for installing directly from the Python Package Index (PyPI) onto a developer machine. A cooldown delays installing any release until it has been on the index for a set period, so you benefit from the manual malware reporting, triage, and removal efforts that happen in the meantime. The vast majority of malware and supply chain attacks published to PyPI are detected and removed within hours of being uploaded to the index.
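As an added illustration (not code from pip or from this post), here is the selection rule a relative cooldown applies, run over constructed release metadata shaped like the `releases` mapping of PyPI's JSON API: install the newest version whose files have all been on the index for at least the cooldown window and that has not been yanked. The version numbers, dates and the 7-day window are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample metadata, shaped like the "releases" mapping of PyPI's
# JSON API (version -> list of files). Versions and dates are made up.
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2026-01-10T09:00:00+00:00", "yanked": False}],
    "1.1.0": [{"upload_time_iso_8601": "2026-03-01T12:00:00+00:00", "yanked": False}],
    # Old enough, but yanked by the maintainer: never a candidate.
    "1.1.1": [{"upload_time_iso_8601": "2026-03-05T12:00:00+00:00", "yanked": True}],
    # Published yesterday: inside a 7-day cooldown, so not yet eligible.
    "1.2.0": [{"upload_time_iso_8601": "2026-04-19T10:00:00+00:00", "yanked": False}],
}
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)  # assumed "current" time


def _version_key(version: str) -> tuple[int, ...]:
    # Minimal numeric ordering for the simple dotted versions used here.
    return tuple(int(part) for part in version.split("."))


def release_age(files: list[dict], now: datetime) -> timedelta:
    """Age of a release measured from its newest file.

    A release is only as old as its most recently uploaded file: a wheel
    added to an old version yesterday is still "new" for cooldown purposes.
    """
    newest = max(datetime.fromisoformat(f["upload_time_iso_8601"]) for f in files)
    return now - newest


def eligible_versions(releases: dict, cooldown_days: int, now: datetime = NOW) -> list[str]:
    """Versions that have cooled down and are not yanked, oldest first."""
    cooldown = timedelta(days=cooldown_days)
    keep = []
    for version, files in releases.items():
        if any(f.get("yanked", False) for f in files):
            continue  # yanked releases are skipped regardless of age
        if release_age(files, now) >= cooldown:
            keep.append(version)
    return sorted(keep, key=_version_key)


def select_version(releases: dict, cooldown_days: int, now: datetime = NOW):
    """Newest eligible version, or None when nothing has cooled down yet."""
    candidates = eligible_versions(releases, cooldown_days, now)
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    for days in (0, 7, 365):
        print(f"cooldown={days:>3}d -> {select_version(SAMPLE_RELEASES, days)}")
```

With a 7-day window the day-old 1.2.0 is passed over in favour of 1.1.0, which is the behaviour that gives reporting and removal time to act before the release ever reaches your machine.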
Read more: https://sethmlarson.dev/pip-relative-dependency-cooldowns