Support quarantine

[alexbruyelles]

Issue Kind

Brand new capability

Description

Hello,

Thank you for your great work with poetry

An effective security method is to defer the use of dependencies: give it some time between the release time and the application in your project (depending on the environment etc)

poetry could implement that feature, perhaps through a dedicated new command line argument (and/or a default configuration in pyproject.toml)

The current behavior would be kept by default

The argument would be a number of days (strictly > 0)

poetry would exclude all packages whose upload-time is lower than now - timedelta(days=number_of_days)

Dependencies resolution would then process as usual

(this is a bit like the processing of the "yanked" package status)

Best regards,

Impact

This would help people increase the security of their project (optionally)

Workarounds

None known

[radoering]

Related discussion: https://github.com/orgs/python-poetry/discussions/10555

State of the art:

• pnpm: minimumReleaseAge
• dependabot: cooldown
• renovate: minimumReleaseAge
• bun: minimumReleaseAge

[NyanKiyoshi]

Related discussion: https://github.com/orgs/python-poetry/discussions/10555

State of the art:

* pnpm: [minimumReleaseAge](https://pnpm.io/settings#minimumreleaseage)

* dependabot: [cooldown](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-)

* renovate: [minimumReleaseAge](https://docs.renovatebot.com/key-concepts/minimum-release-age/#minimum-release-age)

* bun: [minimumReleaseAge](https://bun.com/docs/runtime/bunfig#install-minimumreleaseage)

One more example, closer to home: uv recently added two new settings:

• exclude-newer, e.g., 1 week (relative times are not yet documented at the time of writing but supported since v0.9.17)
• exclude-newer-package, allows to override the behavior on a per-package basis, one important use-case for that is for example: there is a critical vulnerability in MyDependency, thus we need to manually allow the new version to be installed even if it's been very recently released (without such setting we wouldn't be able to install urgent fixes)