build: add supply chain hardening via uv exclude-newer and pip uploaded-prior-to#3258
Conversation
- Add uv.toml with exclude-newer = "24 hours" so all uv pip installs skip packages published within the last day - Add Dependabot cooldown (default-days: 1) for github-actions and pip - Upgrade pip before each pip install step and add --uploaded-prior-to=P1D (pip 26.1 relative duration) to all direct pip install commands in CI Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions
Bot
added
topic:CI
integration:chroma
integration:elasticsearch
integration:opensearch
integration:unstructured-fileconverter
integration:cohere
integration:jina
integration:qdrant
integration:pinecone
integration:amazon-bedrock
integration:ollama
integration:llama_cpp
integration:weaviate
integration:astra
integration:amazon-sagemaker
integration:supabase
integration:pgvector
integration:deepeval
integration:fastembed
integration:ragas
integration:mongodb-atlas
integration:mistral
integration:optimum
integration:nvidia
integration:anthropic
integration:langfuse
integration:snowflake
integration:azure-ai-search
integration:weave
Coverage report (kreuzberg)
This PR does not seem to contain any modification to coverable code. |
Coverage report (mongodb_atlas)
This PR does not seem to contain any modification to coverable code. |
Coverage report (meta_llama)
This PR does not seem to contain any modification to coverable code. |
Coverage report (togetherai)
This PR does not seem to contain any modification to coverable code. |
Coverage report (stackit)
This PR does not seem to contain any modification to coverable code. |
Coverage report (paddleocr)
This PR does not seem to contain any modification to coverable code. |
Coverage report (snowflake)
This PR does not seem to contain any modification to coverable code. |
Coverage report (qdrant)
This PR does not seem to contain any modification to coverable code. |
Coverage report (deepeval)
This PR does not seem to contain any modification to coverable code. |
Coverage report (libreoffice)
This PR does not seem to contain any modification to coverable code. |
Coverage report (valkey)
This PR does not seem to contain any modification to coverable code. |
Coverage report (mcp)
This PR does not seem to contain any modification to coverable code. |
Coverage report (google_genai)
This PR does not seem to contain any modification to coverable code. |
Coverage report (supabase)
This PR does not seem to contain any modification to coverable code. |
Coverage report (elasticsearch)
This PR does not seem to contain any modification to coverable code. |
Coverage report (opensearch)
This PR does not seem to contain any modification to coverable code. |
Coverage report (pgvector)
This PR does not seem to contain any modification to coverable code. |
Coverage report (oracle)
This PR does not seem to contain any modification to coverable code. |
Coverage report (ollama)
This PR does not seem to contain any modification to coverable code. |
Coverage report (optimum)
This PR does not seem to contain any modification to coverable code. |
Coverage report (hanlp)
This PR does not seem to contain any modification to coverable code. |
Coverage report (docling)
This PR does not seem to contain any modification to coverable code. |
Coverage report (ragas)
This PR does not seem to contain any modification to coverable code. |
Coverage report (chonkie)
This PR does not seem to contain any modification to coverable code. |
Coverage report (llama_cpp)
This PR does not seem to contain any modification to coverable code. |
Coverage report (unstructured)
This PR does not seem to contain any modification to coverable code. |
2 participants
Related Issues
As recent motivation for this PR, there has been a compromised PyPI release of the mistralai package. Only version 2.4.6 was affected. It was uploaded on May 12, 2026 at 00:05 UTC and has been removed on May 12, 2026 at 03:05 UTC according to Mistral AI. Details here.
Given the short time window, uv exclude-newer and pip uploaded-prior-to seem to be a reasonable supply-chain security improvement.
Proposed Changes:
How did you test it?
Ran
uv pip install mistralailocally, which seems to also pick up the root uv.toml.Notes for the reviewer
I am unsure if the changes to root uv.toml are enough or if the setting should be in pyproject.toml of all individual integrations. My understanding is that the uv.toml is enough because this will protect our CI.
I would merge despite failing tests once approved.
Checklist
fix:,feat:,build:,chore:,ci:,docs:,style:,refactor:,perf:,test:.