Pip 26.1 ships dependency cooldowns that enforce a waiting period before newly published packages can be installed, and experimental pylock.toml lockfile support from PEP 751. Research shows a 7-day c

InfoQ is a leading online platform for software developers, architects, and technical leaders, providing news, articles, presentations, and interviews on a wide range of topics, including agile practices, DevOps, microservices, and emerging technologies. With a focus on quality content and expert insights, InfoQ helps professionals stay informed about the latest trends, best practices, and industry developments. Developers can learn from real-world experiences, gain  knowledge, and connect with peers in the global software community through InfoQ's diverse and engaging content.

InfoQ

Pip 26.1 introduces two major features: dependency cooldowns via the --uploaded-prior-to flag, which prevents installation of packages published within a configurable time window (e.g., 7 days), and experimental pylock.toml lockfile support from PEP 751. Research shows a 7-day cooldown would have blocked 8 out of 10 analyzed supply chain attacks. The lockfile support means pip install -r pylock.toml now works natively, giving pylock.toml a path to widespread adoption since pip ships with every Python installation. The release also patches two CVEs (including an arbitrary code execution hole) and upgrades vendored urllib3 to 2.6.3. Community discussion centers on whether pip's lockfile support matters given uv's rapid adoption, with some raising governance concerns about OpenAI's acquisition of Astral.

Pip 26.1 Ships Dependency Cooldowns and Experimental Lockfile Support to Combat Supply Chain Attacks