From 9f3b24c0ac31b06fd4798ae637a99e3d9d34392c Mon Sep 17 00:00:00 2001
From: Kemal Erdem
Date: Fri, 29 May 2026 22:20:23 +0200
Subject: [PATCH] chore(security): extend cooldown exempt list with prime-pydantic-config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

renderers already had exclude-newer = "7 days" with a per-package exemption for fastokens. This PR splits the inline table into a [tool.uv.exclude-newer-package] section and adds the only other PrimeIntellect-published package in renderers' dep closure: prime-pydantic-config. Only packages in this project's `uv tree` are exempted — the resolver ignores entries for packages it never sees. Pins `required-version = ">=0.11.1"` so older uvs fail loudly instead of silently parsing "7 days" as an RFC 3339 date and proceeding *without* the cooldown — see uv#17908. Part 1 of 3 in a coordinated supply-chain hardening across PI repos.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
pyproject.toml | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 389870f..478104f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -79,13 +79,24 @@ dev = [
 ]
 
 [tool.uv]
+# Enforce a uv version that supports the friendly-duration form
+# (`"7 days"`) in the static pyproject parser. Older uvs silently parse
+# the value as an RFC 3339 date, emit a TOML parse warning, and proceed
+# *without* the cooldown — bypassing this security policy.
+required-version = ">=0.11.1"
 exclude-newer = "7 days"
+
+[tool.uv.exclude-newer-package]
 # fastokens 0.2.0 was published on 2026-05-17 and contains the
 # ``unpatch_transformers`` fix (crusoecloud/fastokens#32) needed for
 # MiniMax-M2's slow→fast tokenizer conversion path. Exempting it from
 # the project-wide 7-day cutoff lets the lockfile pick it up immediately
 # while the rest of the dependency graph stays gated.
-exclude-newer-package = { fastokens = false, "prime-pydantic-config" = false }
+fastokens = false
+# PrimeIntellect-published packages in this project's dependency closure —
+# fast-track so first-party releases can land same-day. Only packages that
+# appear in `uv tree` are listed.
+prime-pydantic-config = false
 
 [tool.ty.environment]
 python-version = "3.13"
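Review bot: `fastokens = false` lifts the cooldown for that package indefinitely, while the comment above it only justifies admitting the 0.2.0 release published 2026-05-17; a per-package timestamp just past that date keeps every later fastokens release under the 7-day gate, e.g. `fastokens = "2026-05-18T00:00:00Z"` (a constructed value from the publish date in the comment), assuming the per-package key accepts the RFC 3339 form that `exclude-newer` itself uses. The `prime-pydantic-config = false` entry is a deliberate first-party policy per its comment, but the trade-off is the same — any release under that name, including one pushed from a compromised publisher account, bypasses the cooldown — so the comment should state that this exemption relies on the publisher's release controls rather than on the cooldown. The `required-version` comment would be easier to re-check if it cited uv#17908, which the commit message names as the source of the ">=0.11.1" minimum, e.g. `# Minimum taken from the fix for uv#17908; re-check if the floor is lowered.`. The `[tool.uv]` table starts inside the hunk but the file continues past `python-version = "3.13"` outside it.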