Set a minimum release age on local package managers to defend against zero-day supply chain attacks.

Project description

gestate

Set a minimum release age on local package managers so installs ignore versions younger than N days. Most malicious packages are caught and yanked within days of publishing; refusing fresh versions blocks the bulk of supply-chain attacks.

Run

uvx gestate                  # interactive
uvx gestate set 3            # 3-day minimum, installed tools only
uvx gestate set 3 --all      # also pre-configure file-based tools (bun, deno, uv)
uvx gestate revert           # remove gestate's settings
uvx gestate explain bun      # show how one tool's setting is stored

Interactive mode always shows a plan and asks for explicit confirmation before touching anything. The subcommands skip the confirmation step; they are meant for scripts, not your daily shell. Running with no subcommand outside a TTY exits with an error.

Plain text output is used when stdout isn't a terminal (no Rich tables/colors).

What it sets

Tool   Where                   Key (unit)
npm    ~/.npmrc                min-release-age (days)
pnpm   global pnpm config      minimumReleaseAge (minutes)
yarn   ~/.yarnrc.yml (4.10+)   npmMinimalAgeGate (minutes)
bun    ~/.bunfig.toml          [install] minimumReleaseAge (seconds)
deno   shell profile           alias deno='command deno --minimum-dependency-age=P<N>D'
pip    user pip config         global.uploaded-prior-to (P<N>D)
uv     ~/.config/uv/uv.toml    exclude-newer ("N days")

gestate explain <tool> prints that tool's current value and the exact mechanism that set and revert use for it.

Scope:

  • default — only configure installed tools
  • --all — also pre-write config files for bun, deno, uv even if they aren't installed yet
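As an added example (not gestate's own code), the following Python converts one N-day minimum into each tool's unit from the table above and selects which tools to touch using the same default / --all scope rule. The surrounding syntax of each rendered line (the TOML section header, the pnpm and pip commands, the comment showing the file) is an assumption written to match the table, not copied from gestate; the unit conversions are the point, since the same "3 days" is 3, 4320, 259200, P3D or "3 days" depending on the tool.

```python
"""Added example, not gestate's own code: express an N-day minimum release
age in each package manager's unit and pick the tools to configure."""
import shutil

MINUTES_PER_DAY = 24 * 60
SECONDS_PER_DAY = MINUTES_PER_DAY * 60

# Tools whose config file can be written before the tool is installed
# (the set gestate pre-configures under --all).
FILE_BASED_TOOLS = {"bun", "deno", "uv"}


def release_age_values(days: int) -> dict[str, str]:
    """Return the raw value each tool expects for an N-day minimum.
    Units follow the table: npm days, pnpm/yarn minutes, bun seconds,
    deno/pip an ISO 8601 duration, uv a plain "N days" span."""
    if days < 0:
        raise ValueError("minimum release age must be >= 0 days")
    return {
        "npm": str(days),
        "pnpm": str(days * MINUTES_PER_DAY),
        "yarn": str(days * MINUTES_PER_DAY),
        "bun": str(days * SECONDS_PER_DAY),
        "deno": f"P{days}D",
        "pip": f"P{days}D",
        "uv": f"{days} days",
    }


def render_snippets(days: int) -> dict[str, str]:
    """Render the config line or command per tool. Key names and locations
    come from the table; the exact surrounding syntax is an assumption."""
    v = release_age_values(days)
    return {
        "npm": f"# ~/.npmrc\nmin-release-age={v['npm']}",
        "pnpm": f"pnpm config set minimumReleaseAge {v['pnpm']}  # global pnpm config",
        "yarn": f"# ~/.yarnrc.yml\nnpmMinimalAgeGate: {v['yarn']}",
        "bun": f"# ~/.bunfig.toml\n[install]\nminimumReleaseAge = {v['bun']}",
        "deno": (
            "# shell profile\n"
            f"alias deno='command deno --minimum-dependency-age={v['deno']}'"
        ),
        "pip": f"pip config --user set global.uploaded-prior-to {v['pip']}",
        "uv": f'# ~/.config/uv/uv.toml\nexclude-newer = "{v["uv"]}"',
    }


def plan(days: int, include_all: bool = False, which=shutil.which) -> dict[str, str]:
    """Select snippets for installed tools only; with include_all, also the
    file-based tools that can be configured ahead of installation.
    `which` is injectable so the selection can be exercised without binaries."""
    return {
        tool: text
        for tool, text in render_snippets(days).items()
        if which(tool) is not None or (include_all and tool in FILE_BASED_TOOLS)
    }


if __name__ == "__main__":
    # Dry run: show what a 3-day minimum would write on this machine.
    for tool, text in plan(3, include_all=True).items():
        print(f"{tool}:\n{text}\n")
```

Run the module directly for a dry run of what a 3-day minimum would produce on the current machine; nothing is written, which is the same plan-first posture the interactive mode takes.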

Revert

uvx gestate revert removes everything gestate set:

  • CLI tools — config delete / config unset
  • bun / uv — remove the key; delete the file if it was the only key
  • deno — remove our alias line; leave foreign alias deno= lines alone

Backups (.bak) are written next to any edited shell-profile or TOML file.

Allowlists

If you publish packages of your own and want them exempt from the delay, see docs/allowlists.md. Most managers support an exclude list; npm and pip don't yet.

Caveats

  • yarn: 4.10+ only. Older yarn is detected and skipped.
  • deno: no global config exists; the shell alias only covers interactive shells. For CI, pass --minimum-dependency-age=P<N>D to deno install/deno update, or commit a project deno.json with "minimumDependencyAge": "P<N>D".
  • npm exclude: tracked in npm/cli#8994.
  • pip exclude: none — global.uploaded-prior-to is global only.

For PR-creation guards (Dependabot, Renovate) and adjacent layers, see docs/complementary.md.

Development

uv sync
uv run pytest

Requires Python 3.11+, macOS or Linux.

Download files

Source Distribution

gestate-1.0.1.tar.gz (38.4 kB, Source)

Built Distribution

gestate-1.0.1-py3-none-any.whl (12.6 kB, Python 3)

File details

Details for the file gestate-1.0.1.tar.gz.

File metadata

  • Download URL: gestate-1.0.1.tar.gz
  • Size: 38.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gestate-1.0.1.tar.gz
Algorithm     Hash digest
SHA256        887cd6713e7c7b06a6afd3009b2f4a312843a4668361c0e03202bcdaf35f355b
MD5           275dfe35ea67f66337771b0852d11d85
BLAKE2b-256   ab13f3b5f608604e7e15ac879f4c09b17ff97f993af5e5977a49bdc7b5d70f27

Provenance

The following attestation bundles were made for gestate-1.0.1.tar.gz:

Publisher: release.yml on lincolnloop/gestate

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file gestate-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: gestate-1.0.1-py3-none-any.whl
  • Size: 12.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gestate-1.0.1-py3-none-any.whl
Algorithm     Hash digest
SHA256        67a3c5c5cd353c412d112595f3a51af2545758f65b1c8865489e7b6ee42b477d
MD5           9ec639ca783984ec8d6a937f1c197e16
BLAKE2b-256   6c9bb41e18914b38950065e0c5d4ebe34c036acb16403d5feb7ccfcacc822e6b

Provenance

The following attestation bundles were made for gestate-1.0.1-py3-none-any.whl:

Publisher: release.yml on lincolnloop/gestate

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
