feat: add exclude-newer to filter packages by publish date

.gitignore

@@ -17,3 +17,5 @@
 
 .venv
 /poetry.toml
+/docs/superpowers/plans
+/docs/superpowers/specs

docs/pyproject.md

@@ -746,6 +746,20 @@ If a VCS is being used for a package, the exclude field will be seeded with the
 VCS ignore settings can be negated by adding entries in `include`; be sure to explicitly set the `format` as above.
 {{% /note %}}
 
+### exclude-newer
+
+The `exclude-newer` field in `[tool.poetry]` allows you to exclude package versions that were published within a specified duration. This is useful for avoiding recently published packages with unknown vulnerabilities.
+
+```toml
+[tool.poetry]
+exclude-newer = "1 week"
+```
+
+Supported duration formats include: `seconds`, `minutes`, `hours`, `days`, `weeks`, `months`, `years` (e.g., "3 days", "2 weeks", "1 month").
+
+When set, Poetry will not consider any package version where any file was uploaded within the specified duration. If a package version has multiple files (e.g., wheel and source tarball), it will be excluded if **any** file was uploaded within the duration. Packages without upload time information are included by default (assumed to be older).
+
+
 ### dependencies and dependency groups
 
 Poetry is configured to look for dependencies on [PyPI](https://pypi.org) by default.

pyproject.toml

@@ -29,6 +29,8 @@ dependencies = [
     "findpython (>=0.6.2,<0.8.0)",
     # pbs-installer uses calver, so version is unclamped
     "pbs-installer[download,install] (>=2025.6.10)",
+    "pytimeparse (>=1.1.8)",
+    "python-dateutil (>=2.9.0)"
 ]
 authors = [
     { name = "Sébastien Eustace", email = "sebastien@eustace.io" }
@@ -196,6 +198,7 @@ markers = [
 ]
 log_cli_level = "INFO"
 xfail_strict = true
+pythonpath = ["src"]
 
 
 [tool.coverage.report]

src/poetry/console/application.py

@@ -617,6 +617,7 @@ def configure_installer_for_command(command: InstallerCommand, io: IO) -> None:
             poetry.config,
             disable_cache=poetry.disable_cache,
             build_constraints=poetry.build_constraints,
+            exclude_newer=poetry.exclude_newer,
         )
         command.set_installer(installer)
 

src/poetry/console/commands/installer_command.py

@@ -25,6 +25,7 @@ def reset_poetry(self) -> None:
 
         self.installer.set_package(self.poetry.package)
         self.installer.set_locker(self.poetry.locker)
+        self.installer.set_exclude_newer(self.poetry.exclude_newer)
 
     @property
     def installer(self) -> Installer:

src/poetry/console/commands/show.py

@@ -652,7 +652,12 @@ def find_latest_package(
         if package.is_direct_origin():
             for dep in requires:
                 if dep.name == package.name and dep.source_type == package.source_type:
-                    provider = Provider(root, self.poetry.pool, NullIO())
+                    provider = Provider(
+                        root,
+                        self.poetry.pool,
+                        NullIO(),
+                        exclude_newer=self.poetry.exclude_newer,
+                    )
                     return provider.search_for_direct_origin_dependency(dep)
 
         allow_prereleases: bool | None = None

src/poetry/factory.py

@@ -26,6 +26,7 @@
 from poetry.poetry import Poetry
 from poetry.pyproject.toml import PyProjectTOML
 from poetry.toml.file import TOMLFile
+from poetry.utils.duration import parse_duration
 from poetry.utils.isolated_build import CONSTRAINTS_GROUP_NAME
 
 
@@ -79,6 +80,11 @@ def create_poetry(
 
         base_poetry = super().create_poetry(cwd=cwd, with_groups=with_groups)
 
+        # Parse exclude-newer duration if specified
+        exclude_newer = None
+        if exclude_newer_str := base_poetry.local_config.get("exclude-newer"):
+            exclude_newer = parse_duration(exclude_newer_str)
+
         build_constraints: dict[NormalizedName, list[Dependency]] = {}
         for name, constraints in base_poetry.local_config.get(
             "build-constraints", {}
@@ -131,6 +137,8 @@ def create_poetry(
             build_constraints=build_constraints,
         )
 
+        poetry.set_exclude_newer(exclude_newer)
+
         poetry.set_pool(
             self.create_pool(
                 config,

src/poetry/installation/installer.py

@@ -18,6 +18,7 @@
 if TYPE_CHECKING:
     from collections.abc import Iterable
     from collections.abc import Mapping
+    from datetime import datetime
 
     from cleo.io.io import IO
     from packaging.utils import NormalizedName
@@ -47,13 +48,15 @@ def __init__(
         disable_cache: bool = False,
         *,
         build_constraints: Mapping[NormalizedName, list[Dependency]] | None = None,
+        exclude_newer: datetime | None = None,
     ) -> None:
         self._io = io
         self._env = env
         self._package = package
         self._locker = locker
         self._pool = pool
         self._config = config
+        self._exclude_newer = exclude_newer
 
         self._dry_run = False
         self._requires_synchronization = False
@@ -84,6 +87,9 @@ def __init__(
 
         self._installed_repository = installed
 
+    def set_exclude_newer(self, exclude_newer: datetime | None) -> None:
+        self._exclude_newer = exclude_newer
+
     @property
     def executor(self) -> Executor:
         return self._executor
@@ -196,6 +202,7 @@ def _do_refresh(self) -> int:
             locked_repository.packages,
             locked_repository.packages,
             self._io,
+            exclude_newer=self._exclude_newer,
         )
 
         # Always re-solve directory dependencies, otherwise we can't determine
@@ -243,6 +250,7 @@ def _do_install(self) -> int:
                 self._installed_repository.packages,
                 locked_repository.packages,
                 self._io,
+                exclude_newer=self._exclude_newer,
             )
 
             with solver.provider.use_source_root(
@@ -316,6 +324,7 @@ def _do_install(self) -> int:
                 locked_repository.packages,
                 NullIO(),
                 active_root_extras=self._extras,
+                exclude_newer=self._exclude_newer,
             )
             # Everything is resolved at this point, so we no longer need
             # to load deferred dependencies (i.e. VCS, URL and path dependencies)

src/poetry/json/schemas/poetry.json

@@ -33,6 +33,10 @@
           "$ref": "#/definitions/dependencies"
         }
       }
+    },
+    "exclude-newer": {
+      "type": "string",
+      "description": "Duration string to exclude packages published within the specified duration (e.g., '1 week', '3 days')."
     }
   },
   "definitions": {

src/poetry/poetry.py

@@ -13,6 +13,7 @@
 
 if TYPE_CHECKING:
     from collections.abc import Mapping
+    from datetime import datetime
     from pathlib import Path
 
     from packaging.utils import NormalizedName
@@ -50,6 +51,7 @@ def __init__(
         self._plugin_manager: PluginManager | None = None
         self._disable_cache = disable_cache
         self._build_constraints = build_constraints or {}
+        self._exclude_newer: datetime | None = None
 
     @property
     def pyproject(self) -> PyProjectTOML:
@@ -80,6 +82,10 @@ def disable_cache(self) -> bool:
     def build_constraints(self) -> Mapping[NormalizedName, list[Dependency]]:
         return self._build_constraints
 
+    @property
+    def exclude_newer(self) -> datetime | None:
+        return self._exclude_newer
+
     def set_locker(self, locker: Locker) -> Poetry:
         self._locker = locker
 
@@ -95,6 +101,10 @@ def set_config(self, config: Config) -> Poetry:
 
         return self
 
+    def set_exclude_newer(self, exclude_newer: datetime | None) -> Poetry:
+        self._exclude_newer = exclude_newer
+        return self
+
     def get_sources(self) -> list[Source]:
         return [
             Source(**source)

src/poetry/puzzle/provider.py

@@ -8,12 +8,15 @@
 
 from collections import defaultdict
 from contextlib import contextmanager
+from datetime import datetime
+from datetime import timezone
 from typing import TYPE_CHECKING
 from typing import Any
 from typing import ClassVar
 from typing import cast
 
 from cleo.ui.progress_indicator import ProgressIndicator
+from dateutil.parser import isoparse  # type: ignore[import-untyped]
 from poetry.core.constraints.version import EmptyConstraint
 from poetry.core.constraints.version import Version
 from poetry.core.constraints.version import VersionRange
@@ -122,6 +125,7 @@ def __init__(
         *,
         locked: list[Package] | None = None,
         active_root_extras: Collection[NormalizedName] | None = None,
+        exclude_newer: datetime | None = None,
     ) -> None:
         self._package = package
         self._pool = pool
@@ -140,6 +144,7 @@ def __init__(
         self._active_root_extras = (
             frozenset(active_root_extras) if active_root_extras is not None else None
         )
+        self._exclude_newer = exclude_newer
 
         self._explicit_sources: dict[str, str] = {}
         for package in locked or []:
@@ -302,6 +307,11 @@ def search_for(self, dependency: Dependency) -> list[DependencyPackage]:
 
         packages = self._pool.find_packages(dependency)
 
+        if self._exclude_newer is not None:
+            packages = [
+                p for p in packages if not self._is_package_excluded_by_newer(p)
+            ]
+
         packages.sort(
             key=lambda p: (
                 not p.yanked,
@@ -313,6 +323,17 @@ def search_for(self, dependency: Dependency) -> list[DependencyPackage]:
 
         return PackageCollection(dependency, packages)
 
+    def _is_package_excluded_by_newer(self, package: Package) -> bool:
+        if self._exclude_newer is None:
+            return False
+        for file in package.files or []:
+            upload_time_str = file.get("upload_time")
+            if upload_time_str:
+                upload_time = isoparse(upload_time_str).astimezone(timezone.utc)
+                if upload_time > self._exclude_newer:
+                    return True
+        return False
+
     def _search_for_vcs(self, dependency: VCSDependency) -> Package:
         """
         Search for the specifications that match the given VCS dependency.

src/poetry/puzzle/solver.py

@@ -26,6 +26,7 @@
     from collections.abc import Collection
     from collections.abc import Iterator
     from collections.abc import Sequence
+    from datetime import datetime
 
     from cleo.io.io import IO
     from packaging.utils import NormalizedName
@@ -56,6 +57,7 @@ def __init__(
         locked: list[Package],
         io: IO,
         active_root_extras: Collection[NormalizedName] | None = None,
+        exclude_newer: datetime | None = None,
     ) -> None:
         self._package = package
         self._pool = pool
@@ -69,6 +71,7 @@ def __init__(
             self._io,
             locked=locked,
             active_root_extras=active_root_extras,
+            exclude_newer=exclude_newer,
         )
         self._overrides: list[dict[Package, dict[str, Dependency]]] = []
 

src/poetry/utils/duration.py

@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+import re
+
+from datetime import datetime
+from datetime import timezone
+
+import pytimeparse  # type: ignore[import-untyped]
+
+from dateutil.relativedelta import relativedelta  # type: ignore[import-untyped]
+
+
+def parse_duration(duration_str: str) -> datetime:
+    """
+    Parse a human-readable duration string to a datetime.
+
+    Converts strings like "1 week", "3 days", "2 months" to a datetime
+    representing the cutoff point (current time minus the duration).
+
+    :param duration_str: A human-readable duration string (e.g., "1 week")
+    :return: A datetime object representing the cutoff time
+    :raises ValueError: If the duration string is invalid
+    """
+    if not duration_str:
+        raise ValueError("Invalid duration: empty string")
+
+    # Handle month-based durations explicitly since pytimeparse doesn't support them
+    month_match = re.match(r"^(\d+)\s*months?$", duration_str.strip(), re.IGNORECASE)
+    if month_match:
+        months = int(month_match.group(1))
+        now = datetime.now(timezone.utc)
+        return now - relativedelta(months=months)  # type: ignore[no-any-return]
+
+    # pytimeparse returns seconds as an integer or None on failure
+    seconds = pytimeparse.parse(duration_str)
+
+    if seconds is None:
+        raise ValueError(f"Invalid duration: {duration_str!r}")
+
+    now = datetime.now(timezone.utc)
+    return now - relativedelta(seconds=seconds)  # type: ignore[no-any-return]

src/poetry/utils/env/base_env.py

@@ -28,7 +28,6 @@
 if TYPE_CHECKING:
     from packaging.tags import Tag
     from poetry.core.version.markers import BaseMarker
-    from virtualenv.seed.wheels.util import Wheel
 
     from poetry.utils.env.generic_env import GenericEnv
 
@@ -162,9 +161,10 @@ def find_executables(self) -> None:
         self._find_pip_executable()
 
     def get_embedded_wheel(self, distribution: str) -> Path:
-        wheel: Wheel = get_embed_wheel(
+        wheel = get_embed_wheel(
             distribution, f"{self.version_info[0]}.{self.version_info[1]}"
         )
+        assert wheel is not None
         path: Path = wheel.path
         return path
 

tests/fixtures/complete.toml

@@ -15,6 +15,8 @@ documentation = "https://python-poetry.org/docs"
 
 keywords = ["packaging", "dependency", "poetry"]
 
+exclude-newer = "1 week"
+
 # Requirements
 [tool.poetry.dependencies]
 python = "~2.7 || ^3.2"  # Compatible python versions must be declared here