From e34d933d1252031a8c8165689df1d4d3052f09f4 Mon Sep 17 00:00:00 2001 From: Chris K Date: Thu, 21 May 2026 14:37:04 -0700 Subject: [PATCH 1/2] Add poetry config & a note on registries. --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/README.md b/README.md index 8e246a5..070ea71 100644 --- a/README.md +++ b/README.md @@ -171,11 +171,35 @@ Hourly cronjob: 0 * * * * /usr/local/bin/pip-dependency-cooldown ~/.config/pip/pip.conf 3 2>&1 | logger -t pip-dependency-cooldown ``` +### poetry + +poetry added the [`solver.min-release-age`](https://python-poetry.org/docs/configuration/#solvermin-release-age) setting in 2.4.0. To set it globally, execute: + +``` +# Set a global minimum release age of 3 days +poetry config solver.min-release-age 3 +``` + +You can also set the following in your project's `pyproject.toml` or in `~/.config/pypoetry/config.toml`: + +``` +[solver] +min-release-age = 3 +``` + +Please note that if the registry you're using does not expose upload times for a release, `uv` and `pip` will fail closed and reject to download, while `poetry` fails open and does not filter out that release. See [#a-note-on-private-pypi-registries](the note on private PyPI registries). + ### conda The conda package manager does not have a native cooldown feature, but issue [#15759](https://github.com/conda/conda/issues/15759) proposed its implementation. +### A note on private PyPI registries + +Please note that if the registry you're using does not expose upload times for a release, `uv` and `pip` will fail closed and reject to download, while `poetry` fails open and does not filter out that release. + +Upload times are only supported by the JSON-version of the PyPI Simple API, so tools that only support the HTML format do not support upload times. For example, in Artifactory settings you will have to enable the PyPI Simple JSON API, which is only available as of their April (self-hosted) or May (SaaS) 2026 releases. + ## JavaScript Ecosystem ### npm From 1d5cbfec9f5f60a5cde05fabc297215bf7086c69 Mon Sep 17 00:00:00 2001 From: Chris K Date: Thu, 21 May 2026 14:39:53 -0700 Subject: [PATCH 2/2] Get the Artifactory release times right. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 070ea71..8bef447 100644 --- a/README.md +++ b/README.md @@ -198,7 +198,7 @@ issue [#15759](https://github.com/conda/conda/issues/15759) proposed its impleme Please note that if the registry you're using does not expose upload times for a release, `uv` and `pip` will fail closed and reject to download, while `poetry` fails open and does not filter out that release. -Upload times are only supported by the JSON-version of the PyPI Simple API, so tools that only support the HTML format do not support upload times. For example, in Artifactory settings you will have to enable the PyPI Simple JSON API, which is only available as of their April (self-hosted) or May (SaaS) 2026 releases. +Upload times are only supported by the JSON-version of the PyPI Simple API, so tools that only support the HTML format do not support upload times. For example, in Artifactory settings you will have to enable the PyPI Simple JSON API, which is only available as of their February 2026 (SaaS) or April 2026 (self-hosted) releases. ## JavaScript Ecosystem