feat: deferred updates

[marabb01]

Adds installer.minimum-release-age and installer.minimum-release-age-exclude config options. Versions released more recently than the configured threshold are filtered out during dependency resolution, guarding against supply chain attacks on freshly published packages (inline with pnpm's minimumReleaseAge).

Upload time is sourced from the PEP 691 Simple API page already fetched for version listing, so no extra HTTP requests are made. HTML-only index pages fail open (no upload_time available). Glob patterns are supported in the exclude list.

Pull Request Check List

Resolves: #10646
Also discussed here: https://github.com/orgs/python-poetry/discussions/10555

• Added tests for changed code.
• Updated documentation for changed code.

Summary by Sourcery

Introduce configurable minimum release age filtering for dependency resolution to avoid using very recently published package versions.

New Features:

• Add installer.minimum-release-age config option to restrict dependency resolution to package versions older than a configured age.
• Add installer.minimum-release-age-exclude config option supporting glob patterns to bypass minimum-age checks for selected packages.
• Apply minimum release age checks in HTTP-based repositories when selecting candidate versions, failing open when upload time data is unavailable.

Tests:

• Add unit tests covering release age calculation, minimum-release-age filtering behavior, exclusion patterns, and fail-open semantics when upload time metadata is missing.

[sourcery-ai]

Reviewer's Guide

Implements configurable minimum release age filtering for package versions during dependency resolution, with optional pattern-based exclusions, using upload timestamps from the PEP 691 Simple API and updating configuration handling and tests accordingly.

Sequence diagram for dependency resolution with minimum release age filtering

sequenceDiagram
    actor Developer
    participant PoetryCLI
    participant Resolver
    participant HttpRepository
    participant LinkSource

    Developer->>PoetryCLI: run install_or_update
    PoetryCLI->>Resolver: resolve_dependencies()
    Resolver->>HttpRepository: _find_packages(name, constraint)
    HttpRepository->>LinkSource: versions(name)
    LinkSource-->>HttpRepository: version_list

    loop for each version in version_list
        HttpRepository->>HttpRepository: _version_meets_minimum_age(page, name, version)
        alt minimum_release_age_disabled
            HttpRepository-->>HttpRepository: return true
        else package_excluded_by_pattern
            HttpRepository-->>HttpRepository: return true
        else upload_time_available
            HttpRepository->>HttpRepository: _release_age_days(page, name, version)
            HttpRepository-->>HttpRepository: age_in_days
            alt age_in_days < minimum_release_age
                HttpRepository->>HttpRepository: _log(skip_message, level=debug)
                HttpRepository-->>HttpRepository: return false
            else age_in_days >= minimum_release_age
                HttpRepository-->>HttpRepository: return true
            end
        else no_upload_time_data
            HttpRepository-->>HttpRepository: return true
        end
        HttpRepository-->>Resolver: include_or_exclude_version
    end

    Resolver-->>PoetryCLI: resolved_package_set
    PoetryCLI-->>Developer: install selected_versions

Loading

Class diagram for new minimum release age configuration and repository filtering

classDiagram
    class Config {
        installer_minimum_release_age: int_or_none
        installer_minimum_release_age_exclude: list_string
        _get_normalizer(name: str) Callable
    }

    class HttpRepository {
        - _lazy_wheel: bool
        - _max_retries: int
        - _minimum_release_age: int_or_none
        - _minimum_release_age_exclude: list_string
        _release_age_days(page: LinkSource, name: NormalizedName, version: Any) int_or_none
        _is_release_age_excluded(name: NormalizedName) bool
        _version_meets_minimum_age(page: LinkSource, name: NormalizedName, version: Any) bool
    }

    class LegacyRepository {
        _find_packages(name: NormalizedName, constraint: Constraint) list_Package
    }

    class PyPiRepository {
        _find_packages(name: NormalizedName, constraint: Constraint) list_Package
    }

    Config ..> HttpRepository : provides_config
    HttpRepository <|-- LegacyRepository
    HttpRepository <|-- PyPiRepository

Loading

File-Level Changes

Change	Details	Files
Introduce minimum release age filtering logic in HTTP-based repositories, including age calculation, exclusion handling, and logging.	Add configuration-driven attributes for minimum release age and exclusion list to HTTPRepository Implement _release_age_days to derive age from link upload_time_isoformat values, failing with None when unavailable Implement glob-based exclusion helper _is_release_age_excluded against configured patterns Implement _version_meets_minimum_age to enforce age threshold while failing open when disabled, excluded, or upload time is missing, and log skipped versions at debug level	src/poetry/repositories/http_repository.py
Apply minimum release age filtering to legacy/PyPI repositories’ package discovery.	Update version iteration in LegacyRepository to filter out versions that do not meet the minimum age Update PyPiRepository JSON-based version discovery to use _version_meets_minimum_age for filtering	src/poetry/repositories/legacy_repository.py src/poetry/repositories/pypi_repository.py
Extend configuration to support minimum release age and exclusion list options with proper normalization.	Add installer.minimum-release-age and installer.minimum-release-age-exclude defaults to installer configuration Ensure installer.minimum-release-age is normalized as an int Add normalizer for installer.minimum-release-age-exclude that converts comma-separated strings or iterables into a list of trimmed strings	src/poetry/config/config.py
Add tests covering release age computation, minimum age filtering, exclusion patterns, and fail-open behavior.	Add tests for _release_age_days with and without upload_time data Add parameterized tests for minimum release age behavior in find_packages, including disabled, low, and very high thresholds Add parameterized tests for exclusion patterns (exact and glob) bypassing the age filter Add test verifying versions pass through when upload_time is unavailable despite a high minimum age	tests/repositories/test_pypi_repository.py

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#10646	Implement a mechanism in dependency resolution to defer use of newly released packages by excluding versions whose upload time is more recent than a user-configurable minimum age, while keeping current behavior as the default when not configured.	✅
#10646	Expose configuration options (via Poetry config and/or CLI) that allow users to set this minimum release age in days, with the default meaning the feature is disabled so existing behavior is unchanged.	✅

Possibly linked issues

• Support deferred updates / min release age #10646: PR introduces minimum-release-age and exclude config options, implementing deferred, age-based dependency updates requested in the issue.
• #unknown: PR implements deferred updates via installer.minimum-release-age(+exclude), matching the issue’s age-based dependency deferral request.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• In _release_age_days, datetime.fromisoformat(link.upload_time_isoformat) will produce a naive datetime for most ISO strings and is then subtracted from datetime.now(timezone.utc), which is timezone-aware; make the parsed datetime explicitly timezone-aware (or use datetime.now() consistently) to avoid TypeError and subtle timezone issues.
• Consider wrapping the datetime.fromisoformat call in _release_age_days with a small helper or try/except that treats malformed upload_time_isoformat values as missing (returning None), so a single bad timestamp on a page does not break dependency resolution.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `_release_age_days`, `datetime.fromisoformat(link.upload_time_isoformat)` will produce a naive datetime for most ISO strings and is then subtracted from `datetime.now(timezone.utc)`, which is timezone-aware; make the parsed datetime explicitly timezone-aware (or use `datetime.now()` consistently) to avoid `TypeError` and subtle timezone issues.
- Consider wrapping the `datetime.fromisoformat` call in `_release_age_days` with a small helper or try/except that treats malformed `upload_time_isoformat` values as missing (returning `None`), so a single bad timestamp on a page does not break dependency resolution.

## Individual Comments

### Comment 1
<location path="src/poetry/repositories/http_repository.py" line_range="497-504" />
<code_context>
+        Return the age in days of the oldest distribution file for the given version,
+        or None if no upload_time data is available (e.g. HTML-only index pages).
+        """
+        upload_times = [
+            datetime.fromisoformat(link.upload_time_isoformat)
+            for link in page.links_for_version(name, version)
+            if link.upload_time_isoformat is not None
+        ]
+        if not upload_times:
+            return None
+        return (datetime.now(timezone.utc) - min(upload_times)).days
+
+    def _is_release_age_excluded(self, name: NormalizedName) -> bool:
</code_context>
<issue_to_address>
**issue (bug_risk):** Datetime parsing/timezone handling is likely to raise errors with PyPI-style timestamps and mixed aware/naive datetimes.

PyPI’s `upload_time_isoformat` values are ISO 8601 and may end with `Z` (UTC). On Python <3.11, `datetime.fromisoformat()` rejects `Z`, raising `ValueError`. Also, if `fromisoformat` returns naive datetimes, subtracting them from `datetime.now(timezone.utc)` (aware) will raise `TypeError`. Please normalize to timezone-aware UTC first (e.g., replace trailing `Z` with `+00:00` and use `.fromisoformat(...).astimezone(timezone.utc)`, or a helper that guarantees an aware UTC datetime) before doing the subtraction.
</issue_to_address>

### Comment 2
<location path="src/poetry/config/config.py" line_range="407-412" />
<code_context>
         }:
             return int_normalizer

+        if name == "installer.minimum-release-age-exclude":
+            return lambda val: (
+                [v.strip() for v in val.split(",")]
+                if isinstance(val, str)
+                else list(val)
+            )
+
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Normalizer for minimum-release-age-exclude could enforce string elements to avoid surprising values.

Right now strings are split/stripped, but non-strings are passed through as `list(val)`, so a YAML/JSON list like `[1, 2]` would reach `fnmatch`, which expects string patterns. Consider normalizing both branches to a `list[str]` (e.g. `str(x).strip()` for each entry) so the downstream matching logic always receives strings.

```suggestion
        if name == "installer.minimum-release-age-exclude":
            return lambda val: [
                str(v).strip()
                for v in (val.split(",") if isinstance(val, str) else val)
            ]
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[acdha]

The additions in this file have the same code as console.commands.config which seems like a recipe for unexpected behaviour. For example, this version does not apply the console version's check that the minimum release age is greater than zero.

[acdha]

Since the definition of this option is an optional list of glob separated strings, it's not clear that type check here is helpful and it could lead to some oddities (e.g. if I give it a list with a NoneType or bool the result will be […, "None", …]. It feels like this would be cleaner broken out into a function which could be used in both locations which returns an empty list when given a false-y value, does the string check to convert a single string to a list (esp. from POETRY_INSTALLER_MINIMUM_RELEASE_AGE_EXCLUDE), and then does filter(None, map(str.strip)) before returning it.