
enforce a 7-day uv package cooldown#39

Merged: anmorgunov merged 5 commits into master from ischemist/uv-exclude-newer-window on May 12, 2026

Conversation


@anmorgunov anmorgunov commented May 12, 2026

Contributor

why

newly uploaded package artifacts are a high-risk supply-chain window. this change hardens uv resolution and ci install behavior so fresh registry artifacts are avoided, and the repo requires a new enough uv to understand the cooldown syntax.

for dependabot, the goal here is routine maintenance triage, not a fake security/non-security split that dependabot.yml cannot express on its own.

what changed

added repo-level tool.uv policy to exclude artifacts uploaded within the last 7 days and require uv >= 0.9.17, which is the release that added relative durations for exclude-newer.

updated github actions installs to uv sync --locked so ci uses the committed lockfile instead of silently re-resolving.

added .github/dependabot.yml with weekly checks, a matching 7-day cooldown for uv updates, and scope/ci-cd labels for routine dependabot prs.

updated the committed uv.lock metadata to record the relative exclusion window.

risk

low risk. this changes dependency resolution and update automation, not runtime application logic.

review focus is whether the 7-day cooldown is the right operational tradeoff and whether any workflow still relies on unlocked dependency resolution.

verification

ran uv lock.

ran uv lock --check.

ran uv sync --locked.

ran uv run pytest -q with 1924 passed in 1.12s before the follow-up, 1924 passed in 0.84s after the dependabot changes, and 1924 passed in 0.90s after bumping the uv minimum version.

Greptile Summary

This PR hardens the repository's supply-chain posture by enforcing a 7-day artifact cooldown via [tool.uv] in pyproject.toml, switching both CI workflows from uv sync to uv sync --locked, and adding a dependabot.yml with matching cooldown and weekly schedules.

  • pyproject.toml: Adds exclude-newer = "7 days" to filter packages uploaded in the last 7 days during resolution, guarded by required-version = ">=0.9.17" which is the version that introduced relative exclusion windows.
  • Workflows (tests.yml, typing.yml): Switch to uv sync --locked so CI installs exactly what is in the committed lockfile instead of silently re-resolving.
  • dependabot.yml: Introduces weekly dependency checks with a 7-day cooldown for the uv ecosystem; github-actions intentionally omits a cooldown per the PR's stated scope.

Confidence Score: 5/5

Safe to merge — changes are confined to tooling configuration and do not touch runtime application logic.

The required-version = ">=0.9.17" correctly gates the relative exclude-newer format, the lockfile metadata is consistent with the pyproject.toml policy, and uv sync --locked in CI is the right call now that a committed lockfile is the source of truth. No application code is affected.

No files require special attention.

Important Files Changed

  • pyproject.toml: Adds [tool.uv] with exclude-newer = "7 days" and required-version = ">=0.9.17" — the minimum version that supports relative exclusion windows. Clean.
  • .github/dependabot.yml: New file with valid cooldown configuration for the uv ecosystem (7 days) and weekly github-actions updates. The cooldown field is supported as of July 2025.
  • .github/workflows/tests.yml: uv sync changed to uv sync --locked; cache key still hashes only pyproject.toml (pre-existing gap, already flagged in previous review).
  • .github/workflows/typing.yml: Same --locked change as tests.yml; same pre-existing cache key gap applies.
  • uv.lock: Adds [options] block with exclude-newer-span = "P7D" and the zero-epoch timestamp stub for backwards compatibility. Consistent with pyproject.toml policy.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Developer / Dependabot] --> B{Run uv lock?}
    B -->|Yes| C[uv checks required-version >= 0.9.17]
    C --> D{Version OK?}
    D -->|No| E[Hard fail: version mismatch error]
    D -->|Yes| F[Apply exclude-newer = 7 days filter]
    F --> G{Package uploaded < 7 days ago?}
    G -->|Yes| H[Excluded from resolution]
    G -->|No| I[Included in lockfile]
    I --> J[uv.lock updated with exclude-newer-span = P7D]
    B -->|No, CI uv sync locked| K[Read committed uv.lock]
    K --> L[Install exact pinned versions]
    L --> M[Tests / Type checks run]
    N[Dependabot weekly check] --> O{Package age >= 7 days cooldown?}
    O -->|No| P[Skip PR]
    O -->|Yes| Q[Open update PR with scope/ci-cd label]
    Q --> B

Reviews (4): Last reviewed commit: "require uv 0.9.17 for relative cooldowns"

@coderabbitai

coderabbitai Bot commented May 12, 2026


Warning

Rate limit exceeded

@anmorgunov has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 18 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 288dedc4-0d27-4c29-9c28-24f541ae0282

📥 Commits

Reviewing files that changed from the base of the PR and between f2f2cbc and 01d47b1.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/tests.yml
  • .github/workflows/typing.yml
  • pyproject.toml


@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request configures uv to delay the use of newly uploaded artifacts by 7 days, enhancing security against malicious fresh releases. The feedback highlights the need to specify a minimum uv version (0.5.0) to support relative duration strings and points out that the necessary GitHub Actions workflow updates to enforce --locked syncs are missing from the current changes.

@anmorgunov anmorgunov marked this pull request as ready for review May 12, 2026 01:37
@anmorgunov anmorgunov added the type/security a vulnerability or security-related concern label May 12, 2026
@anmorgunov anmorgunov merged commit 7e4e85f into master May 12, 2026
6 checks passed
@anmorgunov anmorgunov deleted the ischemist/uv-exclude-newer-window branch May 12, 2026 02:11

Labels

type/security a vulnerability or security-related concern
