With recent Python supply chain attacks (Trivy/LiteLLM), it’s worth mentioning uv’s `exclude-newer = "x days"` config.

It forces uv to only install packages published more than x days ago, which reduces risk: by the time a release is that old, a problematic package should already have been yanked.

https://docs.astral.sh/uv/reference/settings/#exclude-newer
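As an added illustration (not uv's own code), here is a small Python model of what the cutoff does against a PEP 691 simple-index response: files uploaded inside the window are skipped, and yanked files are skipped regardless. The index data and the 20 March 2025 "now" are constructed for the demo.

```python
"""Model of the `exclude-newer` cutoff applied to a PEP 691 simple-index response."""
from datetime import datetime, timedelta, timezone

# Constructed sample: what a simple index might return for a hypothetical package.
# `upload-time` follows PEP 700; `yanked` is the PEP 592 marker.
SAMPLE_INDEX = {
    "name": "examplepkg",
    "files": [
        {"filename": "examplepkg-1.0.0-py3-none-any.whl",
         "upload-time": "2025-02-01T10:00:00Z", "yanked": False},
        {"filename": "examplepkg-1.1.0-py3-none-any.whl",
         "upload-time": "2025-03-10T09:30:00Z", "yanked": False},
        # A release that was pulled after it was found to be malicious.
        {"filename": "examplepkg-1.2.0-py3-none-any.whl",
         "upload-time": "2025-03-18T12:00:00Z", "yanked": "compromised release"},
        # Published yesterday relative to NOW: too new to be trusted under a 7-day window.
        {"filename": "examplepkg-1.3.0-py3-none-any.whl",
         "upload-time": "2025-03-19T08:00:00Z", "yanked": False},
    ],
}

NOW = datetime(2025, 3, 20, tzinfo=timezone.utc)  # fixed "current time" for the demo


def parse_days(spec: str) -> timedelta:
    """Parse the 'x days' form used in the post (e.g. "7 days")."""
    number, unit = spec.split()
    if unit not in ("day", "days"):
        raise ValueError(f"unsupported unit: {unit}")
    return timedelta(days=int(number))


def eligible_files(index: dict, exclude_newer: str, now: datetime = NOW) -> list[str]:
    """Return filenames that are both older than the cutoff and not yanked."""
    cutoff = now - parse_days(exclude_newer)
    keep = []
    for f in index["files"]:
        uploaded = datetime.fromisoformat(f["upload-time"].replace("Z", "+00:00"))
        if uploaded > cutoff:
            continue  # too recent: excluded by exclude-newer
        if f.get("yanked"):
            continue  # yanked: never selected for a fresh resolution
        keep.append(f["filename"])
    return keep


if __name__ == "__main__":
    print(eligible_files(SAMPLE_INDEX, "7 days"))
```

Comparing `"7 days"` with `"0 days"` shows the point of the setting: the yanked file is dropped either way, but the day-old release only disappears once the window is in place.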
