[ t128n ]

The recent LiteLLM PyPI embargo shook the software development community and served as yet another reminder that dependency hygiene isn’t optional.

But not everyone has the ressources to audit every dependency thoroughly. Sometimes the best you can do is just wait. That’s what dependency standback is all about. Before installing or upgrading software, you give it some time to “breathe” in the ecosystem. It doesn’t do anything magical: it simply gives the community time to find problems before they become your problems.

So how long should you wait? A grace period of 7-14 days is a solid default. But it depends on the speed of the ecosystem. An npm package allows for a shorter window than a Julia dependency, because the sheer volume of npm traffic means problems surface faster.

How It Works In Practice

Most modern package managers expose standback natively, with varying degrees of control. The JS ecosystem is the most mature here: npm covers the basics with --min-release-age, pnpm goes further with per-package exclusions via minimumReleaseAgeExclude — useful for whitelisting internal or trusted packages — and bun offers the finest granularity of the three, configuring the age gate down to the second.

On the Python side, uv supports standback out of the box via --exclude-newer. pip originally only accepted absolute dates, but as of version 26.1, it natively supports relative durations via the PnD format¹.

The OS and runtime layer is where things get inconsistent. mise handles it well, supporting both relative durations and absolute timestamps. brew and winget, however, don’t support standback at all. Their maintainers argue that existing review cycles make it unnecessary, a position Andrew Nesbitt expands on. I’m not fully convinced. Slip-ups happen, and malicious actors are patient. A review cycle and a grace period don’t have to be mutually exclusive.

Quick Reference

JavaScript

npm

• --before (date): Absolute date before which a package must have been published.
• --min-release-age (days): Relative date computed through today - n days, before which a package must have been published.

npm install --before 2024-01-01
npm install --min-release-age 4

before = 2024-01-01
min-release-age = 4

pnpm

• minimumReleaseAge (minutes): Number of minutes that must have passed since a package has been published.
• minimumReleaseAgeExclude (string[]): Names of packages which should not be affected by the minimumReleaseAge rule.

pnpm install --minimum-release-age 1440

minimumReleaseAge: 1440
minimumReleaseAgeExclude:
    - webpack
    - react

For more advanced logic, such as filtering by peerDependency versions, pnpm also exposes standback via .pnpmfile.cjs:

// Example taken from https://pnpm.io/blog/releases/10.16
module.exports = {
  finders: {
    react17: (ctx) => {
      return ctx.readManifest().peerDependencies?.react === "^17.0.0";
    },
  },
};

bun

• minimumReleaseAge (seconds): Number of seconds that must have passed since a package has been published.
• minimumReleaseAgeExcludes (string[]): Names of packages which should not be affected by the minimumReleaseAge rule.

bun add @types/bun --minimum-release-age 259200

[install]
minimumReleaseAge = 259200
minimumReleaseAgeExcludes = ["@types/node", "typescript"]

taze

• --maturity-period (days): Number of days that must have passed since a package has been published.

pnpm dlx taze --maturity-period 14

import { defineConfig } from "taze";

export default defineConfig({
  maturityPeriod: 14,
});

Python

uv

• --exclude-newer (date): Absolute timestamp before which packages must have been published.

uv pip install --exclude-newer 2026-01-01T00:00:00Z litellm
uv add --exclude-newer 2026-01-01T00:00:00Z litellm

[tool.uv]
exclude-newer = "2026-01-01T00:00:00Z"

[uv]
exclude-newer = "2026-01-01T00:00:00Z"

pip

• --uploaded-prior-to (date | duration): Absolute timestamp or relative duration (since pip 26.1).
• PIP_UPLOADED_PRIOR_TO (env): Global equivalent of --uploaded-prior-to.

As of pip 26.1, the PnD format (where n is the number of days) is supported for relative durations. For older versions or more complex offsets, a shell expression is still required:

# Native relative duration (pip 26.1+)
pip install litellm --uploaded-prior-to P7D

# Absolute timestamp
pip install litellm --uploaded-prior-to 2026-01-01T00:00:00Z

# Shell wrapper (pre-26.1)
pip install litellm --uploaded-prior-to $(date -v-3d "+%Y-%m-%dT%H:%M:%SZ")

# pip 26.1+
export PIP_UPLOADED_PRIOR_TO="P7D"

# pre-26.1
export PIP_UPLOADED_PRIOR_TO=$(date -u -v-3d "+%Y-%m-%dT%H:%M:%SZ")

$env:PIP_UPLOADED_PRIOR_TO = "P7D"

OS & Runtime

mise

• install_before (duration | date): Relative durations (7d, 6m, 1y) or absolute timestamps (2024-06-01, 2024-06-01T12:00:00Z).

[settings]
install_before = "7d"

brew & winget

Not supported, and not planned.