Set a minimum release age on local package managers to defend against zero-day supply chain attacks.
Project description
gestate
Set a minimum release age on local package managers so installs ignore versions younger than N days. Most malicious packages are caught and yanked within days of publishing, so refusing versions that young blocks the bulk of attacks that depend on a fresh upload being installed before anyone notices. It is a delay, not a verdict: a malicious version that survives past the window installs normally, and legitimate fixes are held back for the same N days, so treat it as one layer alongside lockfiles and the guards in docs/complementary.md.
Run

```shell
uvx gestate              # interactive
uvx gestate set 3        # 3-day minimum, installed tools only
uvx gestate set 3 --all  # also pre-configure file-based tools (bun, deno, uv)
uvx gestate revert       # remove gestate's settings
uvx gestate explain bun  # show how one tool's setting is stored
```
Interactive mode always shows a plan and asks for explicit confirmation before touching anything. The subcommands skip the confirmation step; they are meant for scripts, not your daily shell. Running with no subcommand outside a TTY exits with an error instead of guessing.
Plain text output is used when stdout isn't a terminal (no Rich tables/colors).
What it sets

| Tool | Where | Key (unit) |
|---|---|---|
| npm | ~/.npmrc | min-release-age (days) |
| pnpm | global pnpm config | minimumReleaseAge (minutes) |
| yarn | ~/.yarnrc.yml (4.10+) | npmMinimalAgeGate (minutes) |
| bun | ~/.bunfig.toml | [install] minimumReleaseAge (seconds) |
| deno | shell profile | alias deno='command deno --minimum-dependency-age=P<N>D' |
| pip | user pip config | global.uploaded-prior-to (P<N>D) |
| uv | ~/.config/uv/uv.toml | exclude-newer ("N days") |

Note that the unit differs per tool: the same integer means days for npm, minutes for pnpm and yarn, and seconds for bun, so a hand-written value in the wrong unit silently shrinks the window.
gestate explain <tool> prints that tool's current value and the exact mechanism set / revert use.
Scope:

- default: only configure installed tools
- --all: also pre-write config files for bun, deno and uv even if they aren't installed yet
Revert

uvx gestate revert removes everything gestate set:

- CLI-configured tools (npm, pnpm, yarn): config delete / config unset
- bun, uv: remove the key; delete the file if it was the only key
- deno: remove our alias line; leave foreign alias deno= lines alone

Backups (.bak) are written next to any edited shell-profile or TOML file.
Allowlists
If you publish packages of your own and want them exempt from the delay, see docs/allowlists.md. Most managers support an exclude list; npm and pip don't yet.
Caveats

- yarn: 4.10+ only. Older yarn is detected and skipped.
- deno: no global config exists; the shell alias only covers interactive shells. For CI, pass --minimum-dependency-age=P<N>D to deno install / deno update, or commit a project deno.json with "minimumDependencyAge": "P<N>D".
- npm exclude: tracked in npm/cli#8994.
- pip exclude: none; global.uploaded-prior-to is global only.
For PR-creation guards (Dependabot, Renovate) and adjacent layers, see docs/complementary.md.
Development

```shell
uv sync
uv run pytest
```

Requires Python 3.11+, macOS or Linux.
Project details

Download files
File details
Details for the file gestate-1.0.0.tar.gz.
File metadata
- Download URL: gestate-1.0.0.tar.gz
- Upload date:
- Size: 38.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 4321a8b75093183175ed134ff770d40e0915967276b09ff9a16e737728b6cbc6 |
| MD5 | 0962b93b99659bd348ee167d0a9879c8 |
| BLAKE2b-256 | 7f8657467820bf6f04ba9a4e08562f3c970fefe929049970ba294ed3877e5a31 |
Provenance

The following attestation bundles were made for gestate-1.0.0.tar.gz:

- Publisher: release.yml on lincolnloop/gestate
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: gestate-1.0.0.tar.gz
- Subject digest: 4321a8b75093183175ed134ff770d40e0915967276b09ff9a16e737728b6cbc6
- Sigstore transparency entry: 1650239839
- Sigstore integration time:
- Permalink: lincolnloop/gestate@02b28b886e56237e5cc120f4edef933cc066bcd9
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/lincolnloop
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@02b28b886e56237e5cc120f4edef933cc066bcd9
- Trigger Event: push
File details
Details for the file gestate-1.0.0-py3-none-any.whl.
File metadata
- Download URL: gestate-1.0.0-py3-none-any.whl
- Upload date:
- Size: 12.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 897b1182cf8adb5a1fd0fca21b243c8a9053142b17f7fffa75c79aab9767b993 |
| MD5 | ba5ed86707ee666f6d1197514a6e690d |
| BLAKE2b-256 | 6ba5302f566d669df62192fb3269318717499f6fc8c7c649ae972dda191f6b32 |
Provenance

The following attestation bundles were made for gestate-1.0.0-py3-none-any.whl:

- Publisher: release.yml on lincolnloop/gestate
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: gestate-1.0.0-py3-none-any.whl
- Subject digest: 897b1182cf8adb5a1fd0fca21b243c8a9053142b17f7fffa75c79aab9767b993
- Sigstore transparency entry: 1650240244
- Sigstore integration time:
- Permalink: lincolnloop/gestate@02b28b886e56237e5cc120f4edef933cc066bcd9
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/lincolnloop
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@02b28b886e56237e5cc120f4edef933cc066bcd9
- Trigger Event: push