
Avoid risky Python updates: The 7-day safety buffer

Date: 2026-05-03 22:43
category:Tech
tags:python, security
summary:Recent attacks on LiteLLM and PyTorch Lightning show how dangerous "bleeding edge" updates can be for your security. Use a seven-day time gate to ensure your packages are vetted by the community before they touch your code.

The problem

In the last two months, the Python community has seen serious supply chain attacks.

In March, LiteLLM was compromised to steal credentials. Last week, PyTorch Lightning suffered a similar attack where malicious versions tried to steal cloud secrets and SSH keys.

In both cases, the bad code was found and removed quickly. However, anyone who updated their packages during those few hours was at risk.

The (imperfect) solution

To protect yourself, add these lines to your ~/.bashrc or ~/.zshrc file. This tells your tools to ignore any package released in the last week.

# uv: Ignore any package versions released in the last 7 days
export UV_EXCLUDE_NEWER="7 days"

# pip: Ignore any package versions uploaded in the last 7 days
export PIP_UPLOADED_PRIOR_TO=P7D

For per-project constraints, update pyproject.toml as follows:

[tool.uv]
exclude-newer = "1 week"
exclude-newer-package = { "safezip" = "0 days" }

In the example above, the safezip package is exempted from the project-wide exclude-newer constraint of 1 week.
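To make the effect of the time gate concrete, here is an added example (not part of the original post, and not uv's or pip's actual resolver code) that applies a 7-day cutoff with a per-package override to release metadata shaped like the `releases` map of PyPI's JSON API. The package name `examplepkg`, the versions and the timestamps are constructed, and version ordering is simplified to dotted integers.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "releases" map of PyPI's JSON API;
# the versions and timestamps are made up for illustration.
SAMPLE_RELEASES = {
    "2.4.0": [{"upload_time_iso_8601": "2026-03-10T09:00:00Z"}],
    "2.5.0": [{"upload_time_iso_8601": "2026-04-20T14:30:00Z"}],
    # Uploaded two days before NOW: the kind of fresh release the gate hides.
    "2.5.1": [{"upload_time_iso_8601": "2026-05-01T08:15:00Z"}],
}
NOW = datetime(2026, 5, 3, 22, 43, tzinfo=timezone.utc)


def _uploaded(file_info):
    # fromisoformat() before Python 3.11 rejects a trailing "Z".
    stamp = file_info["upload_time_iso_8601"].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def _version_key(version):
    # Simplification: plain dotted integers only, not full PEP 440 ordering.
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases, now, buffer_days):
    """Versions with at least one file uploaded on or before now - buffer."""
    cutoff = now - timedelta(days=buffer_days)
    kept = [v for v, files in releases.items()
            if any(_uploaded(f) <= cutoff for f in files)]
    return sorted(kept, key=_version_key)


def pick_version(name, releases, now, default_days=7, per_package_days=None):
    """Newest version allowed by the gate; a per-package override wins."""
    days = (per_package_days or {}).get(name, default_days)
    versions = eligible_versions(releases, now, days)
    return versions[-1] if versions else None


if __name__ == "__main__":
    # Default 7-day gate: the two-day-old 2.5.1 is invisible.
    print(pick_version("examplepkg", SAMPLE_RELEASES, NOW))
    # Override of 0 days, as for safezip above: newest release is allowed.
    print(pick_version("safezip", SAMPLE_RELEASES, NOW,
                       per_package_days={"safezip": 0}))
```

Note that a package with an override of 0 days gets no protection from the gate at all, so such exemptions are best kept to packages you publish or review yourself.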

Why this improves security

The "Cooling Off" Period
Most malicious packages are caught by security experts within 48 hours. A seven-day delay ensures that any code you download has been checked by the public for a full week.
Stopping "Fast" Attacks
The PyTorch Lightning attack lasted less than one hour. A one-week buffer makes these short-lived, poisoned releases invisible to your build system.
Reliable Defence
This prevents your update commands from accidentally grabbing a "bleeding edge" version that might be compromised.

By waiting seven days, you lose nothing important but gain a massive increase in security.

The perfect solution that does not yet exist

If only PyPI (and other registries, such as NPM) would start doing preventive scanning of uploaded packages, and only offer scanned/secure packages for download...
