sethmlarson.dev

March 6, 2026

Relative “Dependency Cooldowns” in pip v26.0 with crontab

WARNING: Most of this blog post is a hack, everyone should probably just wait for relative dependency cooldowns to come to a future version of pip.

pip v26.0 added support for the --uploaded-prior-to option. This option makes it possible to implement “dependency cooldowns”, a technique described by William Woodruff that provides simple but effective protection against the relatively short attack window of malware published to public software repositories. It brings the reaction time to malware back within the realm of humans, who sometimes need to run manual triage processes to take down malware from PyPI.
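As an added example that is not from the original post, the shell script below shows the shape of the crontab hack the post title refers to: it computes a cutoff timestamp a fixed number of days in the past and passes it to pip's --uploaded-prior-to option, so that releases uploaded during the cooldown window are not eligible for installation. Two things are assumptions rather than facts from the post: that --uploaded-prior-to accepts an ISO 8601 UTC timestamp, and that GNU date (with -d @EPOCH) is available. The helper names (cooldown_cutoff, pip_cooldown_cmd, run_pip_with_cooldown) and the COOLDOWN_DAYS variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): apply a relative dependency
# cooldown to pip via --uploaded-prior-to, suitable for a crontab entry.
# Assumptions: --uploaded-prior-to takes an ISO 8601 UTC timestamp and
# GNU date is installed (for `date -d @EPOCH`).
set -eu

# Cooldown length in days; 7 is a constructed default, tune to taste.
COOLDOWN_DAYS="${COOLDOWN_DAYS:-7}"

# cooldown_cutoff DAYS [NOW_EPOCH]
# Print the UTC instant DAYS before NOW_EPOCH (default: now) as
# YYYY-MM-DDTHH:MM:SSZ. Anything uploaded after this instant is too new
# to have been triaged and is excluded from resolution.
cooldown_cutoff() {
    days="$1"
    now="${2:-$(date -u +%s)}"
    cutoff=$((now - days * 86400))
    date -u -d "@$cutoff" +%Y-%m-%dT%H:%M:%SZ
}

# pip_cooldown_cmd DAYS REQUIREMENTS_FILE [NOW_EPOCH]
# Print (do not run) the pip command the cron job would execute, so the
# resulting cutoff can be reviewed or logged before anything is installed.
pip_cooldown_cmd() {
    printf 'python -m pip install --upgrade --uploaded-prior-to %s -r %s\n' \
        "$(cooldown_cutoff "$1" "${3:-}")" "$2"
}

# run_pip_with_cooldown DAYS REQUIREMENTS_FILE
# Actually perform the cooled-down install.
run_pip_with_cooldown() {
    python -m pip install --upgrade \
        --uploaded-prior-to "$(cooldown_cutoff "$1")" -r "$2"
}

# Example crontab line (constructed), weekly at 03:00 on Mondays:
#   0 3 * * 1  COOLDOWN_DAYS=7 /path/to/cooldown-install.sh --run requirements.txt
if [ "${1:-}" = "--run" ]; then
    run_pip_with_cooldown "$COOLDOWN_DAYS" "${2:-requirements.txt}"
else
    # Dry run: show the command and the cutoff it would use.
    pip_cooldown_cmd "$COOLDOWN_DAYS" "${2:-requirements.txt}"
fi
```

Because the cutoff is recomputed on every cron run, the window slides forward in time instead of pinning to a fixed date, which is what makes the cooldown "relative"; the dry-run path prints the exact timestamp so a reviewer can confirm the script is excluding what they expect before switching to --run.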

Read more: https://sethmlarson.dev/pip-relative-dependency-cooling-with-crontab
