Pip 26.1 Ships Dependency Cooldowns and Experimental Lockfile Support to Combat Supply Chain Attacks

· Source: InfoQ · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Intermediate, short

Summary

Pip 26.1, released last week, introduces dependency cooldowns and experimental "pylock.toml" lockfile support to strengthen Python package supply chain security. Dependency cooldowns, enabled with "--uploaded-prior-to=P7D", refuse to install package releases uploaded within the specified window (here, the last seven days), allowing time for a malicious release to be detected before it reaches installers. Analysis shows a 7-day cooldown would have prevented 80% of past attacks. The trade-off is that a cooldown also delays legitimate fixes, so it should be paired with tools such as Dependabot so that critical security patches are not missed. The release also adds experimental support for the "pylock.toml" format from PEP 751, so that "pip install -r pylock.toml" works; because pip ships with Python by default, this is crucial for the format's widespread adoption. Lockfile support is still experimental, with a "pip sync" command planned. Additionally, Pip 26.1 patches two CVEs (CVE-2026-3219 and CVE-2026-6357), updates the vendored urllib3 to 2.6.3, and drops support for Python 3.9.

Key takeaway

DevOps engineers managing Python dependencies in CI/CD pipelines should consider adopting dependency cooldowns with Pip 26.1's "--uploaded-prior-to" flag right away; it significantly reduces exposure to rapidly propagating supply chain attacks. Because a cooldown can also delay legitimate security fixes, pair it with tools such as Dependabot or pip-audit to monitor for critical patches. Additionally, begin experimenting with "pylock.toml" for more reproducible and secure builds, in preparation for its eventual stable release and widespread adoption.

Key insights

Pip 26.1 enhances Python supply chain security through dependency cooldowns and experimental "pylock.toml" lockfile support.

Method

Implement dependency cooldowns using "pip install --uploaded-prior-to=P7D" to delay new package pulls. Install from lockfiles via "pip install -r pylock.toml".
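The cooldown policy from the Method above, as an added example that is not pip's own code: it applies an "--uploaded-prior-to"-style ISO 8601 duration to a constructed sample shaped like PyPI's JSON release metadata and reports which releases the window would skip, including the case where the window leaves no installable version. `SAMPLE_RELEASES`, `NOW` and the simple version-ordering key are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "releases" mapping of PyPI's JSON API
# (version -> list of uploaded files). 1.2.0 landed two days before NOW, so a
# seven-day cooldown must skip it and fall back to 1.1.0.
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2026-03-01T10:00:00.000000Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2026-04-20T10:00:00.000000Z"}],
    "1.2.0": [{"upload_time_iso_8601": "2026-05-03T09:30:00.000000Z"}],
}
NOW = datetime(2026, 5, 5, 12, 0, tzinfo=timezone.utc)  # constructed "today"

# ISO 8601 duration subset accepted here: weeks/days plus an optional time part.
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_iso_duration(text: str) -> timedelta:
    """Parse a cooldown such as 'P7D' or 'PT12H' into a timedelta."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    weeks, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(weeks=weeks, days=days, hours=hours,
                     minutes=minutes, seconds=seconds)


def release_uploaded_at(files: list) -> datetime:
    """A release counts as uploaded when its last file landed on the index."""
    stamps = (f["upload_time_iso_8601"].replace("Z", "+00:00") for f in files)
    return max(datetime.fromisoformat(s) for s in stamps)


def select_version(releases: dict, cooldown: str, now: datetime = NOW):
    """Return (newest version older than the cooldown, versions it skipped).

    Anything uploaded at or after now - cooldown is invisible to the resolver.
    If every release sits inside the window the result is (None, [...]): nothing
    is installable, which is how a cooldown can hide an urgent security fix.
    """
    cutoff = now - parse_iso_duration(cooldown)
    eligible, skipped = [], []
    for version, files in releases.items():
        (eligible if release_uploaded_at(files) < cutoff else skipped).append(version)
    # Assumption: plain dotted numeric versions; real code would order them
    # with packaging.version.Version to honour PEP 440.
    order = lambda v: tuple(int(p) for p in v.split("."))
    return (max(eligible, key=order) if eligible else None, sorted(skipped, key=order))
```

With the constructed sample, "P7D" selects 1.1.0 and skips 1.2.0, while "P90D" leaves no installable version at all.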

Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, Software Engineer, DevOps Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.