[codex] add uv dependency cooldown#130
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds a tool.uv configuration to pyproject.toml to implement a dependency cooldown using exclude-newer. The review feedback correctly identifies that using relative durations like "14 days" within the configuration file leads to non-deterministic dependency resolution, as the results depend on the date the resolution is run. It is recommended to use a fixed RFC 3339 timestamp or move this setting to a CLI flag in the CI pipeline to ensure reproducible builds.
|
this should probably be in the ci only. People install this directly themselves |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fac10f2bb7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "Codex (@codex) review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "Codex (@codex) address that feedback".
Hynek Kydlíček (hynky1999)
force-pushed
the
codex/add-uv-pypi-exclude-newer
branch
from
fac10f2 to
7b3c2e9
Compare
But then i just get pwned when i install package localy during dev.... 14 days is fine enough, i find it hard to see where people would be severly limited by this |
it's still super weird, i dont want to start getting weird version conflicts just because one of the packages i am using is weird |
|
Let's just make sure our own CI uses this imo |
|
No it's disaster waiting to happen, look at this: https://x.com/SocketSecurity/status/2054048025081737446 |
but you won't get them uv will resolve |
|
strongly against this, mixing a bunch of things together. I agree with adding it to our CI, but not with arbitrarily adding random constraints on every downstream consumer |
It's not mixing bunch of things together. Adding this to CI is kinda useless beyond preventing supply-chain attack on the package itself. Look at even the current supply chain attack, it's designed with dev machines in mind. We are literally waiting for one of the packages to get supply chained that your whole dev machine is compromised |
yeah which is our core responsibility to avoid. The rest is really not up to us imo. if each package maintainer started adding these things with some arbitrary time cutoff it'd be a mess. Besides, if someone doesn't use uv or has some other package that brings stuff in anyway this is all pointless. |
Why would this be a mess ? The whole point UV / package manager is to fine combination of of versions/packages that works, how would this be a mess ? Point in case https://github.com/BerriAI/litellm/blob/litellm_internal_staging/pyproject.toml#L223, they got recently pwned. The whole point is to prevent devs from getting fucked as well as anybody who install stuff to getting fucked.
And how do you plan to prevent this exactly ? How do you prevent dependencies from getting supply chained ? |
|
Also, this won't prevent people that just install the package from PIP, to install whatever they want. This only apply for uv sync |
We prevent supply chained dependencies from supply chaining us through our CI by enforcing the rule on our own CI.
exactly, that's what I meant when I said "Besides, if someone doesn't use uv or has some other package that brings stuff in anyway this is all pointless." Strongly against this |
No you are not, you can always enforce package versions, by excluding temporarly this packages |
yes the whole point is to prevent people working on this package, to get compromised |
|
How else do you think all these other packages like mistralai got compromised ? Simply because devs installed tanstack on their own computer, which had access to ssh keys etc and published a comprised version |
|
Like tell me, what will this restriction prevent you from doing ? If you relly need a version of package that's newer than 14 days, we can always temp disable this. |
This assumes you will actually keep track of all critical security fixes that happened in the last 14 days 24/7, which realistically you won't.
Sure, but then you should just instruct codex or add something locally to prevent it on your own setup. You don't need to impact everyone using refiner.
this is not the right question. the right question is: do you need to impact every single person that will use the package just to address 2 people's setups? Surely it makes more sense to enforce security guarantees on those people's setups than to just do this for everyone |
No not true. There is big diff right. Changing this means somebody has to go and do work, which also means he should be very sure he is NOT exposing himself to such vuln. Compared to not having this, where you are exposed 24/7 unknowingly.
This is not true, if people get owned by having your package installed the blame will go on the people maintaining it. If you get supply chain attacked what do you tell me ? Git gud noob, you should have protected yourself (very few people know about this setting in uv) ? Or it's not my fault it's fault of the package that we got supply chain by ? Neither of this is right response
I am okay with reducing time, we can do like 3 days. But for sure we want to have this. Also what's better re-evaluating policy once you get attacked ? Or re-evaluating when we actually see real arguments against it -> e.g people having issue because it doesn't let them installed packaged released 2 days ago ? Clearly second is way better. |
Ok but he might be exposed to other vulnerabilities that have been patched? The argument applies both ways, and you are implicitly choosing one kind of vulnerabilities (supply chain attacks that are detected in a few hours over other types of security vulnerabilities or bugs that have been patched in newer versions)
Maybe we are not talking about the same thing. If refiner itself gets supply chain pwned, that is a big problem. If a dependency of refiner is, then no one will blame you. Just like now people are not blaming the packages that depend on tanstack! And maybe we can tone down the dumb rhetoric? wtf is this "Git gud noob, you should have protected yourself"
I care about two issues:
The first is something that is our responsibility as maintainers. It makes sense to harden our CI so that the tanstack issue doesn't happen, either directly (in their case it was some cache bullshit) or through another compromised package running on our CI. The second is something we should address by hardening our own individual local setups. Forcing people to use outdated package versions when they install refiners is not something you should do in any case. Besides this timestamp thing brings all sorts of reproducibility issues. If you want something like this then what people do is just pin the versions. We can pin the versions and update them every now and then after checking if you really insist, but the timestamp thing makes no sense as a thing you are distributing |
Not really, because if you uv sync you will get what's inside the uv.lock, that's the beauty of it it will not upgrade by default. So without this you still have the same exact problem. And this is quite sensible default, you want no upgrade by default + have depedency bot to tell you you should upgrade. Same reason why linux servers don't bump version on every new update, only gets updated once in a while or because of security vulns.
Two things:
refiner itself being compromised, in the sense that some version is pushed to pypi with malicious code (what happened to tanstack) The second is something we should address by hardening our own individual local setups.
See point 1, you arleady do this with the frozen lock and its sensible default.
I don't understand the issue with timestamp and reproducibility really. That's uv.lock responsibility Really the only argument against this is if vllm releases a new version and you need this version to run a model. Beyond this there is no good argument against this. |
So yeah we can do 3 days and see if it's indeed a problem or not. |
but that's still quite different. pinning versions is much more reasonable than this time based thing.
You're much more likely to be compromised from some other random package you are using in something else, this is just one package. This doesn't really protect you from all other issues you can have on your local machine.
ok but then what is the point of adding this in the first place? what is it actually doing then?
I think the burden of proof is reversed, what does this thing actually solve that pinning versions or just relying on uv.lock doesnt solve? |
2 participants
Summary
Adds a global uv dependency cooldown so package resolution ignores distributions uploaded within the last 14 days. This follows uv's current dependency cooldown documentation for
[tool.uv] exclude-newer.The lockfile was refreshed with uv 0.11.13 so it records the relative cooldown metadata without changing resolved package versions.
Validation
uv --version:uv 0.11.13 (Homebrew 2026-05-11 aarch64-apple-darwin)uv lock --check: resolved 80 packages successfullyuv run pytest: 549 passed in 78.87suv run pytest tests/test_optional_dependencies.py: 1 passed in 1.11sNotes
Older uv versions, including 0.9.14, warn on friendly duration syntax in
[tool.uv]. uv 0.11.13 acceptsexclude-newer = "14 days"and writes the expected lock metadata.