Set a minimum release age on local package managers to defend against zero-day supply chain attacks.

Project description

gestate

Set a minimum release age on local package managers so installs ignore versions younger than N days. Most malicious package versions are detected and yanked within days of publishing, so refusing versions that are still that fresh blocks the bulk of attacks that ride on a freshly published release. The trade-off is that you pick up every new release N days late, security fixes included, and the gate does nothing against a malicious version that has already aged past it or one you installed before enabling it.

Run

uvx gestate                  # interactive
uvx gestate set 3            # 3-day minimum, installed tools only
uvx gestate set 3 --all      # also pre-configure file-based tools (bun, deno, uv)
uvx gestate revert           # remove gestate's settings
uvx gestate explain bun      # show how one tool's setting is stored

Interactive mode always shows a plan and asks for explicit confirmation before touching anything. The subcommands skip the confirmation and are meant for scripts, not your daily shell. Running with no subcommand outside a TTY exits with an error.

Plain-text output is used when stdout isn't a terminal (no Rich tables or colors).

What it sets

| Tool | Where                     | Key (unit)                                               |
|------|---------------------------|----------------------------------------------------------|
| npm  | ~/.npmrc                  | min-release-age (days)                                   |
| pnpm | global pnpm config        | minimumReleaseAge (minutes)                              |
| yarn | ~/.yarnrc.yml (4.10+)     | npmMinimalAgeGate (minutes)                              |
| bun  | ~/.bunfig.toml, [install] | minimumReleaseAge (seconds)                              |
| deno | shell profile             | alias deno='command deno --minimum-dependency-age=P<N>D' |
| pip  | user pip config           | global.uploaded-prior-to (ISO 8601 duration, P<N>D)      |
| uv   | ~/.config/uv/uv.toml      | exclude-newer ("N days")                                 |

Each tool counts the gate in its own unit, so gestate converts the one number you give it: set 3 becomes 3 for npm, 4320 minutes for pnpm and yarn, 259200 seconds for bun, P3D for deno and pip, and "3 days" for uv.

gestate explain <tool> prints that tool's current value and the exact mechanism that set and revert use.

Scope:

  • default — only configure installed tools
  • --all — also pre-write config files for bun, deno, uv even if they aren't installed yet

Revert

uvx gestate revert removes everything gestate set:

  • CLI tools — config delete / config unset
  • bun / uv — remove the key; delete the file if it was the only key
  • deno — remove our alias line; leave foreign alias deno= lines alone

Backups (.bak) are written next to any edited shell-profile or TOML file.

Allowlists

If you publish packages of your own and want them exempt from the delay, see docs/allowlists.md. Most managers support an exclude list; npm and pip don't yet.

Caveats

  • yarn: 4.10+ only. Older yarn is detected and skipped.
  • deno: no global config exists; the shell alias only covers interactive shells. For CI, pass --minimum-dependency-age=P<N>D to deno install/deno update, or commit a project deno.json with "minimumDependencyAge": "P<N>D".
  • npm exclude: tracked in npm/cli#8994.
  • pip exclude: none — global.uploaded-prior-to is global only.

For PR-creation guards (Dependabot, Renovate) and adjacent layers, see docs/complementary.md.

Development

uv sync
uv run pytest

Requires Python 3.11+, macOS or Linux.

Download files

Source Distribution

gestate-1.0.0.tar.gz (38.0 kB)

Built Distribution

gestate-1.0.0-py3-none-any.whl (12.4 kB)

File details

Details for the file gestate-1.0.0.tar.gz.

File metadata

  • Download URL: gestate-1.0.0.tar.gz
  • Size: 38.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gestate-1.0.0.tar.gz
Algorithm Hash digest
SHA256 4321a8b75093183175ed134ff770d40e0915967276b09ff9a16e737728b6cbc6
MD5 0962b93b99659bd348ee167d0a9879c8
BLAKE2b-256 7f8657467820bf6f04ba9a4e08562f3c970fefe929049970ba294ed3877e5a31

Provenance

The following attestation bundles were made for gestate-1.0.0.tar.gz:

Publisher: release.yml on lincolnloop/gestate

File details

Details for the file gestate-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: gestate-1.0.0-py3-none-any.whl
  • Size: 12.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gestate-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 897b1182cf8adb5a1fd0fca21b243c8a9053142b17f7fffa75c79aab9767b993
MD5 ba5ed86707ee666f6d1197514a6e690d
BLAKE2b-256 6ba5302f566d669df62192fb3269318717499f6fc8c7c649ae972dda191f6b32

Provenance

The following attestation bundles were made for gestate-1.0.0-py3-none-any.whl:

Publisher: release.yml on lincolnloop/gestate
