Upgrade minimum uv version to 0.9.17 and add supply-chain defense#32
Merged
Conversation
Use uv's exclude-newer = "24 hours" as a lightweight supply-chain defense against compromised packages published in the last day. Bumps the required uv version to >=0.9.17 (which introduced relative-duration support) in the template, root project, README, and CI matrix; drops the sed shim that downgraded Python 3.14 -> 3.13 for the now-removed 0.7.3 matrix entry.
Hey - I've left some high level feedback:
- The new `exclude-newer = "24 hours"` default is quite opinionated; consider exposing it as a template variable in `project_name/pyproject.toml.jinja` so consumers can easily opt out or adjust the window without editing generated files.
- You now have the `uv` minimum version defined in three places (root `pyproject.toml`, template `pyproject.toml.jinja`, and README); consider centralizing this as a single source of truth for easier bumps (e.g., using a Copier variable rendered into both the template and README).
Regenerated with uv 0.9.17; lockfile now records the resolution-time exclude-newer cutoff in [options] and pins package versions to those that were at least 24h old at lock time.
Summary
This PR upgrades the minimum required `uv` version from 0.7.3 to 0.9.17 across the project and adds a supply-chain defense mechanism by excluding package versions released within the last 24 hours.
Key Changes
- Updated minimum uv version requirement to 0.9.17 in:
  - `pyproject.toml`
  - `project_name/pyproject.toml.jinja`
  - `README.md`
  - `.github/workflows/uv-tests.yml` (test matrix)
- Added supply-chain defense configuration via `exclude-newer = "24 hours"` in:
  - `pyproject.toml`
  - `project_name/pyproject.toml.jinja`
- Simplified CI workflow by removing the Python version compatibility workaround for older uv versions (the `sed` command that was only needed for uv 0.7.3)
Implementation Details
The `exclude-newer` setting is a uv feature that prevents dependency resolution from considering package versions released within the specified time window, providing protection against supply-chain attacks while maintaining reasonable package freshness. This is now enforced as a best practice in the template.
https://claude.ai/code/session_01GvHcqWhhUrpn8qd3JuHxnx