<?xml version="1.0" encoding="utf-8"?>
<feed xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom"><title>Simon Willison's Weblog: dependency-cooldowns</title><link href="http://feeds.simonwillison.net/" rel="alternate"/><link href="http://feeds.simonwillison.net/tags/dependency-cooldowns.atom" rel="self"/><id>http://feeds.simonwillison.net/</id><updated>2026-07-14T22:43:35+00:00</updated><author><name>Simon Willison</name></author><entry><title>Quoting GitHub Changelog</title><link href="https://simonwillison.net/2026/Jul/14/github-changeling/#atom-tag" rel="alternate"/><published>2026-07-14T22:43:35+00:00</published><updated>2026-07-14T22:43:35+00:00</updated><id>https://simonwillison.net/2026/Jul/14/github-changeling/#atom-tag</id><summary type="html">
    &lt;blockquote cite="https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/"&gt;&lt;p&gt;Dependabot now waits until a new release has been available on its registry for at least three days before opening a version update pull request. This cooldown is now the default and requires no configuration.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p class="cite"&gt;&amp;mdash; &lt;a href="https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-cooldown/"&gt;GitHub Changelog&lt;/a&gt;, embracing &lt;a href="https://simonwillison.net/tags/dependency-cooldowns/"&gt;dependency cooldowns&lt;/a&gt;&lt;/p&gt;

    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/github"&gt;github&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/packaging"&gt;packaging&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/dependency-cooldowns"&gt;dependency-cooldowns&lt;/a&gt;&lt;/p&gt;



</summary><category term="github"/><category term="packaging"/><category term="security"/><category term="dependency-cooldowns"/></entry><entry><title>What's new in pip 26.1 - lockfiles and dependency cooldowns!</title><link href="https://simonwillison.net/2026/Apr/28/pip-261/#atom-tag" rel="alternate"/><published>2026-04-28T05:23:05+00:00</published><updated>2026-04-28T05:23:05+00:00</updated><id>https://simonwillison.net/2026/Apr/28/pip-261/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/"&gt;What&amp;#x27;s new in pip 26.1 - lockfiles and dependency cooldowns!&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
Richard Si describes an excellent set of upgrades to Python's default &lt;code&gt;pip&lt;/code&gt; tool for installing dependencies.&lt;/p&gt;
&lt;p&gt;This version drops support for Python 3.9 - fair enough, since it's been EOL &lt;a href="https://devguide.python.org/versions/"&gt;since October&lt;/a&gt;. macOS still ships with &lt;code&gt;python3&lt;/code&gt; as a default Python 3.9, so I tried out the new Python version against Python 3.14 like this:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;uv python install 3.14
mkdir /tmp/experiment
cd /tmp/experiment
python3.14 -m venv venv
source venv/bin/activate
pip install -U pip
pip --version
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;This confirmed I had &lt;code&gt;pip 26.1&lt;/code&gt; - then I tried out the new lock files:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;pip lock datasette llm
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;This installs Datasette and LLM and all of their dependencies and writes the whole lot to a 519 line &lt;code&gt;pylock.toml&lt;/code&gt; file - &lt;a href="https://gist.github.com/simonw/ff52c33f4d3a381b8e53c6a3aa0213f8"&gt;here's the result&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The new release also supports dependency cooldowns, &lt;a href="https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/"&gt;discussed here previously&lt;/a&gt;, via the new &lt;code&gt;--uploaded-prior-to PXD&lt;/code&gt; option where X is a number of days. The format is &lt;code&gt;P-number-of-days-D&lt;/code&gt;, following &lt;a href="https://en.wikipedia.org/wiki/ISO_8601#Durations"&gt;ISO duration format&lt;/a&gt; but only supporting days.&lt;/p&gt;
&lt;p&gt;I shipped a new release of LLM, version 0.31, &lt;a href="https://simonwillison.net/2026/Apr/24/llm/"&gt;three days ago&lt;/a&gt;. Here's how to use the new &lt;code&gt;--uploaded-prior-to P4D&lt;/code&gt; option to ask for a version that is at least 4 days old.&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;pip install llm --uploaded-prior-to P4D
venv/bin/llm --version
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;This gave me version 0.30.

    &lt;p&gt;&lt;small&gt;&lt;/small&gt;Via &lt;a href="https://lobste.rs/s/w2oiaq/what_s_new_pip_26_1_lockfiles_dependency"&gt;Lobste.rs&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/packaging"&gt;packaging&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/pip"&gt;pip&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/python"&gt;python&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/supply-chain"&gt;supply-chain&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/dependency-cooldowns"&gt;dependency-cooldowns&lt;/a&gt;&lt;/p&gt;



</summary><category term="packaging"/><category term="pip"/><category term="python"/><category term="security"/><category term="supply-chain"/><category term="dependency-cooldowns"/></entry><entry><title>Package Managers Need to Cool Down</title><link href="https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/#atom-tag" rel="alternate"/><published>2026-03-24T21:11:38+00:00</published><updated>2026-03-24T21:11:38+00:00</updated><id>https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html"&gt;Package Managers Need to Cool Down&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
Today's &lt;a href="https://simonwillison.net/2026/Mar/24/malicious-litellm/"&gt;LiteLLM supply chain attack&lt;/a&gt; inspired me to revisit the idea of &lt;a href="https://simonwillison.net/2025/Nov/21/dependency-cooldowns/"&gt;dependency cooldowns&lt;/a&gt;, the practice of only installing updated dependencies once they've been out in the wild for a few days to give the community a chance to spot if they've been subverted in some way.&lt;/p&gt;
&lt;p&gt;This recent piece (March 4th) piece by Andrew Nesbitt reviews the current state of dependency cooldown mechanisms across different packaging tools. It's surprisingly well supported! There's been a flurry of activity across major packaging tools, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://pnpm.io/blog/releases/10.16#new-setting-for-delayed-dependency-updates"&gt;pnpm 10.16&lt;/a&gt; (September 2025) — &lt;code&gt;minimumReleaseAge&lt;/code&gt; with &lt;code&gt;minimumReleaseAgeExclude&lt;/code&gt; for trusted packages&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg%2Fcli%2F4.10.0"&gt;Yarn 4.10.0&lt;/a&gt; (September 2025) — &lt;code&gt;npmMinimalAgeGate&lt;/code&gt; (in minutes) with &lt;code&gt;npmPreapprovedPackages&lt;/code&gt; for exemptions&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bun.com/blog/bun-v1.3#minimum-release-age"&gt;Bun 1.3&lt;/a&gt; (October 2025) — &lt;code&gt;minimumReleaseAge&lt;/code&gt; via &lt;code&gt;bunfig.toml&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://deno.com/blog/v2.6#controlling-dependency-stability"&gt;Deno 2.6&lt;/a&gt; (December 2025) — &lt;code&gt;--minimum-dependency-age&lt;/code&gt; for &lt;code&gt;deno update&lt;/code&gt; and &lt;code&gt;deno outdated&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/astral-sh/uv/releases/tag/0.9.17"&gt;uv 0.9.17&lt;/a&gt; (December 2025) — added relative duration support to existing &lt;code&gt;--exclude-newer&lt;/code&gt;, plus per-package overrides via &lt;code&gt;exclude-newer-package&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://ichard26.github.io/blog/2026/01/whats-new-in-pip-26.0/"&gt;pip 26.0&lt;/a&gt; (January 2026) — &lt;code&gt;--uploaded-prior-to&lt;/code&gt; (absolute timestamps only; &lt;a href="https://github.com/pypa/pip/issues/13674"&gt;relative duration support requested&lt;/a&gt;, &lt;strong&gt;update&lt;/strong&gt;: and added &lt;a href="https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/"&gt;in pip 26.1 in April&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://socket.dev/blog/npm-introduces-minimumreleaseage-and-bulk-oidc-configuration"&gt;npm 11.10.0&lt;/a&gt; (February 2026) — &lt;code&gt;min-release-age&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;code&gt;pip&lt;/code&gt; currently only supports absolute rather than relative dates but Seth Larson &lt;a href="https://sethmlarson.dev/pip-relative-dependency-cooling-with-crontab"&gt;has a workaround for that&lt;/a&gt; using a scheduled cron to update the absolute date in the &lt;code&gt;pip.conf&lt;/code&gt; config file.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/javascript"&gt;javascript&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/packaging"&gt;packaging&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/pip"&gt;pip&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/pypi"&gt;pypi&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/python"&gt;python&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/npm"&gt;npm&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/deno"&gt;deno&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/supply-chain"&gt;supply-chain&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/uv"&gt;uv&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/andrew-nesbitt"&gt;andrew-nesbitt&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/dependency-cooldowns"&gt;dependency-cooldowns&lt;/a&gt;&lt;/p&gt;



</summary><category term="javascript"/><category term="packaging"/><category term="pip"/><category term="pypi"/><category term="python"/><category term="security"/><category term="npm"/><category term="deno"/><category term="supply-chain"/><category term="uv"/><category term="andrew-nesbitt"/><category term="dependency-cooldowns"/></entry><entry><title>We should all be using dependency cooldowns</title><link href="https://simonwillison.net/2025/Nov/21/dependency-cooldowns/#atom-tag" rel="alternate"/><published>2025-11-21T17:27:33+00:00</published><updated>2025-11-21T17:27:33+00:00</updated><id>https://simonwillison.net/2025/Nov/21/dependency-cooldowns/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns"&gt;We should all be using dependency cooldowns&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
William Woodruff gives a name to a sensible strategy for managing dependencies while reducing the chances of a surprise supply chain attack: &lt;strong&gt;dependency cooldowns&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Supply chain attacks happen when an attacker compromises a widely used open source package and publishes a new version with an exploit. These are usually spotted &lt;em&gt;very&lt;/em&gt; quickly, so an attack often only has a few hours of effective window before the problem is identified and the compromised package is pulled.&lt;/p&gt;
&lt;p&gt;You are most at risk if you're automatically applying upgrades the same day they are released.&lt;/p&gt;
&lt;p&gt;William says:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;I &lt;strong&gt;love&lt;/strong&gt; cooldowns for several reasons:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;They're empirically effective, per above. They won't stop &lt;em&gt;all&lt;/em&gt; attackers, but they &lt;em&gt;do&lt;/em&gt; stymie the majority of high-visibiity, mass-impact supply chain attacks that have become more common.&lt;/li&gt;
&lt;li&gt;They're &lt;em&gt;incredibly&lt;/em&gt; easy to implement. Moreover, they're &lt;strong&gt;literally free&lt;/strong&gt; to implement in most cases: most people can use &lt;a href="https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-"&gt;Dependabot's functionality&lt;/a&gt;, &lt;a href="https://docs.renovatebot.com/key-concepts/minimum-release-age/"&gt;Renovate's functionality&lt;/a&gt;, or the functionality build directly into their package manager&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;The one counter-argument to this is that sometimes an upgrade fixes a security vulnerability, and in those cases every hour of delay in upgrading as an hour when an attacker could exploit the new issue against your software.&lt;/p&gt;
&lt;p&gt;I see that as an argument for carefully monitoring the release notes of your dependencies, and paying special attention to security advisories. I'm a big fan of the &lt;a href="https://github.com/advisories"&gt;GitHub Advisory Database&lt;/a&gt; for that kind of information.

    &lt;p&gt;&lt;small&gt;&lt;/small&gt;Via &lt;a href="https://news.ycombinator.com/item?id=46005111"&gt;Hacker News&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/definitions"&gt;definitions&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/github"&gt;github&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/open-source"&gt;open-source&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/packaging"&gt;packaging&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/supply-chain"&gt;supply-chain&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/dependency-cooldowns"&gt;dependency-cooldowns&lt;/a&gt;&lt;/p&gt;



</summary><category term="definitions"/><category term="github"/><category term="open-source"/><category term="packaging"/><category term="supply-chain"/><category term="dependency-cooldowns"/></entry></feed>