Problem
pyproject.toml declares:
```toml
[tool.uv]
# Exclude packages uploaded to PyPI more recently than ~30 days ago.
# This gives the community time to catch supply-chain issues before they land here.
# Bump this date when you intentionally need a newer release.
exclude-newer = "7 days"
```
This is intended as a 7-day supply-chain quarantine: prevent the resolver from pulling packages uploaded in the last 7 days, so newly-compromised or malicious releases (think the xz incident, but on PyPI) have a window to be detected before reaching CoDA.
Empirically, the quarantine is a no-op. While preparing #32 (the GitPython / python-multipart CVE bumps), uv pip compile happily resolved to packages uploaded ~36 hours earlier:
```
$ grep -E "^(gitpython|python-multipart)" /tmp/requirements.test.txt
gitpython==3.1.49 # uploaded 2026-05-06 21:58 UTC
python-multipart==0.0.27 # uploaded 2026-05-06 21:56 UTC
```
If the cooldown were enforced, both should have been excluded.
Root cause (suspected)
The value "7 days" doesn't match uv's accepted format for exclude-newer. uv expects either:
- An RFC 3339 timestamp: `"2026-05-01T00:00:00Z"`
- A relative offset in compact form: `"7d"`, `"2w"`, `"1mo"`
The string `"7 days"` (with a space, plural noun) is most likely silently ignored, falling back to no cutoff. (Worth confirming against current uv source; the failure mode is silent acceptance, not a resolve error.)
Why this matters
The comment frames the quarantine as a deliberate defense against community-undetected supply-chain compromises. With it broken:
- The App container — which holds rotated workspace PATs and access to all repos under `~/projects/` — is exposed to any newly-published vulnerable or malicious release at deploy time.
- We have no resolve-time backstop if Dependabot's cooldown (`.github/dependabot.yml`'s `cooldown.default-days: 7`) is the only quarantine in the loop.
- The two are meant to compose: Dependabot suppresses bump PRs; `exclude-newer` suppresses resolves on direct `uv pip compile` runs (e.g., a maintainer regenerating the lockfile locally).
Fix
Replace the value with one of:
```toml
exclude-newer = "7d"
```
or, for stronger reproducibility, an absolute date that's bumped per release:
```toml
exclude-newer = "2026-04-30T00:00:00Z"
```
The comment also says "~30 days ago" but the value is "7 days" — the inline comment is stale relative to the value, which adds to the confusion. Reconcile both.
Verification
After the fix, regenerate the lockfile against a recently-published package and confirm uv refuses to resolve to it:
```
$ uv pip compile pyproject.toml -o /tmp/test.txt
$ grep gitpython /tmp/test.txt
gitpython==3.1.47 # quarantined to the pre-cutoff version
```
(Once #32 lands, this verification target will move forward in time.)
Out of scope here
This issue and its description were written by Isaac.