SectorLabs / django-postgres-extra / 6a2c0220-8112-42dd-8dde-0419d4ff8cfe
83%
master: 83%

Build:
LAST BUILD BRANCH: dependabot/uv/black-25.11.0
DEFAULT BRANCH: master
Ran 25 Apr 2026 12:08PM UTC
Jobs 1
Files 90
Run time 1min
25 Apr 2026 11:53AM UTC coverage: 83.305%. Remained the same
6a2c0220-8112-42dd-8dde-0419d4ff8cfe

Pull #277

circleci

sewi-cpan
Add 3-day dependency cooldown via uv

Refuse to resolve any package version published less than 3 days ago.
The community typically flags malicious PyPI releases within hours;
a 3-day quarantine catches almost all of them before they reach the
lockfile or, more importantly, a developer's laptop.

Triggering incident: on 2026-03-24 the TeamPCP threat actor published
backdoored litellm 1.82.7/1.82.8 to PyPI after compromising LiteLLM's
CI through a poisoned Trivy GitHub Action.  The payload was a `.pth`
file that ran on every Python process - not just `litellm` imports -
stealing SSH keys, cloud credentials, and API keys.  Live for ~3h
before PyPI quarantined them; a 3-day cooldown would have prevented
all exposure.
https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/

Pip has no native cooldown, so this migrates the dev workflow to uv
with a committed lockfile:

- pyproject.toml gains [build-system], [project] (PEP 621, migrated
  from setup.py), [tool.setuptools.*], and [tool.uv] with
  required-version = ">=0.11.2", exclude-newer = "3 days", and
  environments = ["python_version >= '3.11'"].  setup.py is removed.
- uv.lock is committed; its [options] block carries
  exclude-newer-span = "P3D".
- Python 3.6 is dropped from CI / tox / classifiers - PEP 621 needs
  setuptools >= 61 which is 3.7+.  3.6 EOL'd Dec 2021, py37's tox env
  already covers every Django+psycopg combo py36 used to share, and
  end users on 3.6 still get the published wheel (wheel installs do
  not trigger [build-system]).
- CircleCI's matrix testing stays on pip (3.7-3.13).  Per the threat
  model, CI is "minor" compared to laptop installs; the cooldown's
  primary value lives in the committed uv.lock and the dev `uv sync`
  workflow.
- README's "Getting started" switches from virtualenv + pip to
  `uv sync --extra dev --extra test`.

Verified: `uv lock` resolves 104 packages cleanly with no missing
upload-time warnings.  Negative test - pinning joust==1.1.0
... (continued)
Pull Request #277: Add 3-day dependency cooldown via uv
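The cooldown rule the commit message describes (refuse any version published less than 3 days ago, so a release that is pulled within hours never reaches the lockfile), as an added example that is not code from django-postgres-extra or uv. It assumes the PyPI JSON API's `releases` / `upload_time_iso_8601` shape; every version number and timestamp below is constructed.

```python
"""Model of a dependency cooldown (the exclude-newer rule) over PyPI-style
release metadata.  Added example, not code from django-postgres-extra or uv.
Assumed input shape: {"releases": {version: [{"upload_time_iso_8601": ...}]}}."""
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=3)  # the PR's quarantine window ("P3D")

# Constructed metadata: 1.82.6 is two weeks old, 1.82.7/1.82.8 were
# uploaded a few hours before "now", and 1.82.9 has a file with no
# recorded upload time (all timestamps are made up for this example).
SAMPLE_RELEASES = {
    "1.82.6": [{"upload_time_iso_8601": "2026-03-10T09:00:00.000000Z"}],
    "1.82.7": [{"upload_time_iso_8601": "2026-03-24T10:12:00.000000Z"}],
    "1.82.8": [{"upload_time_iso_8601": "2026-03-24T11:40:00.000000Z"}],
    "1.82.9": [{"upload_time_iso_8601": None}],
}
NOW = datetime(2026, 3, 24, 14, 0, tzinfo=timezone.utc)  # constructed clock


def _parse(ts):
    # PyPI emits a trailing "Z"; normalise to an explicit offset so
    # fromisoformat accepts it on interpreters older than 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(v):
    # Assumption: plain dotted numeric versions only (no pre-releases).
    return tuple(int(p) for p in v.split("."))


def eligible_versions(releases, now, cooldown=COOLDOWN):
    """Versions whose every file was uploaded at or before now - cooldown.
    A release with no files, or a file lacking an upload time, is treated
    as too new: the conservative choice when its age cannot be proven."""
    cutoff = now - cooldown
    ok = []
    for version, files in releases.items():
        times = [f.get("upload_time_iso_8601") for f in files]
        if not times or any(t is None for t in times):
            continue
        if all(_parse(t) <= cutoff for t in times):
            ok.append(version)
    return sorted(ok, key=version_key)


def resolve(releases, now, cooldown=COOLDOWN):
    """Newest version that has cleared the cooldown, or None."""
    ok = eligible_versions(releases, now, cooldown)
    return ok[-1] if ok else None


if __name__ == "__main__":
    print(resolve(SAMPLE_RELEASES, NOW))  # 1.82.6
```

With the cooldown in place only 1.82.6 is a candidate; with it set to zero (or three days later) the resolver would take 1.82.8, which is exactly the window the PR closes.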

2435 of 2923 relevant lines covered (83.3%)

0.83 hits per line

Jobs
ID  Job ID                                  Ran                      Files  Coverage  Service
1   6a2c0220-8112-42dd-8dde-0419d4ff8cfe.1  25 Apr 2026 12:08PM UTC  90     83.3      CircleCI Job
Source Files on build 6a2c0220-8112-42dd-8dde-0419d4ff8cfe
© 2026 Coveralls, Inc