exclude-newer: overrides for private registries

[acdha]

Summary

--exclude-newer is a very useful feature for implementing dependency cooldown policies but it requires package registries to support the JSON view with the PEP 700 upload-time attribute. This currently prevents usage on projects which use Azure or GitLab to host any dependencies.

It would be useful if there was a way to disable the exclude-newer mechanism for a single registry or package so it could be used for PyPI packages, which are usually the highest concern for the kind of attacks which a minimum age policy is designed to mitigate, while still allowing private registries to be used.

Example

Using the documentation example for a custom index, one option would be something like this:

[tool.uv]
exclude-newer = "…"
skip-exclude-newer-for-indexes = ["pytorch"]

[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"

… or perhaps to avoid that somewhat ugly name:

[tool.uv]
exclude-newer = "…"

[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"
skip-exclude-newer-check = true

… or perhaps this would be best as a per-package override requiring you to manually opt-in for each package:

[tool.uv]
exclude-newer = "…"
exclude-newer-package = { pytorch = "ALLOW_ANY" } # This magic value can't conflict with an existing date
# or, to make it more explicit that you only want to trust one source:
exclude-newer-package = { pytorch = { allow-latest-from-registry = "pytorch" } }

[zanieb]

I think it makes more sense for exclude-newer to be attachable to a tool.uv.index definition rather than define a list of exclusions? wdyt?

[acdha]

I think it makes more sense for exclude-newer to be attachable to a tool.uv.index definition rather than define a list of exclusions? wdyt?

That’s my inclination as well - I liked the middle proposed syntax the most when I was thinking about this but wanted to at least think about alternatives since every packaging discussion I have ever been in seems to involve someone bringing up a use-case wildly outside of what I do 😁

[zanieb]

I'd also encourage you to let these private registries know you want this basic, standardized functionality :D

[acdha]

I'd also encourage you to let these private registries know you want this basic, standardized functionality :D

For completeness, I opened this ticket for GitLab for that exact reason and will be escalating with our sales rep: https://gitlab.com/gitlab-org/gitlab/-/issues/581770

[javiertejero]

we observed the same problem with AWS CodeArtifact, which does not support JSON API - it would be great to have this uv setting to skip validation for some additional private indexes

UPDATE: I opened a ticket with AWS support and they will consider implementing JSON API but unfortunately there is not ETA yet

[sumkincpp]

As of #16854 specific packages can be excluded with following syntax -

[tool.uv]
exclude-newer-package = { pytorch = false } 

**corrected

It's of course really usefull for packages stored in private registries, which should not normally require version/dependency cooldown.

Good question if it really works with Gitlab, gonna test it with the next uv release!

[fellhorn]

As of #16854 specific packages can be excluded with following syntax -

[tool.uv]
exclude-newer-package = { pytorch = true }

Nit: One needs to set the value to false instead of true to disable exclude-newer for a specific package:

[tool.uv]
exclude-newer-package = { pytorch = false } 

From what I can tell with GAR it works like a charm for registries that do not provide the upload-time metadata.

[acdha]

I just tested #16854 with uv 0.9.25 and it's working great. Thank you!

In case this helps anyone else, in my global configuration, I had an exclusion for two tools which Homebrew manages so there's never the case where a tool like prek thinks the latest version of uv doesn't exist because it was just released:

exclude-newer = "P8D"
exclude-newer-package = { uv = false, ruff = false }

In projects, I have something like this:

[tool.uv]
exclude-newer = "P8D"
exclude-newer-package = { internal-shared-library-hosted-on-gitlab = false }

The resulting lock file shows that uv is correctly combining the global and per-project settings to avoid locking incompatible versions.

[randommm]

As of #16854 specific packages can be excluded with following syntax -

[tool.uv]
exclude-newer-package = { pytorch = false } 

@sumkincpp the name of the package is actually torch (not pytorch). Might sound pedantic, but want to avoid other people scratching their heads over why it's not working.

[robbertvanginkel]

I think it makes more sense for exclude-newer to be attachable to a tool.uv.index definition rather than define a list of exclusions? wdyt?

This would still be valuable. We host packages on an internal gcp artifact registry and they unfortunately don't implement the timestamps: https://issuetracker.google.com/issues/485497280.

Being able to exclude-newer per index would solve both problems for us: having different policies on public/internal packages as well as working around Google's lacking funcitonality.