lincolnloop/gestate

gestate

Set a minimum release age on local package managers so installs ignore versions younger than N days. Most malicious package versions are detected and yanked within days of publication, so refusing versions younger than the threshold closes the window in which the bulk of these supply-chain attacks land on developer machines.

Run

uvx gestate                  # interactive
uvx gestate set 3            # 3-day minimum, installed tools only
uvx gestate set 3 --all      # also pre-configure file-based tools (bun, deno, uv)
uvx gestate revert           # remove gestate's settings
uvx gestate explain bun      # show how one tool's setting is stored

Interactive mode always shows a plan and asks for explicit confirmation before touching anything. The subcommands skip the confirmation; they are meant for scripts, not for your daily shell. Running with no subcommand outside a TTY exits with an error rather than prompting.

Plain text output is used when stdout isn't a terminal (no Rich tables/colors).

What it sets

| Tool | Where | Key (unit) |
|------|-------|------------|
| npm | ~/.npmrc | min-release-age (days) |
| pnpm | global pnpm config | minimumReleaseAge (minutes) |
| yarn | ~/.yarnrc.yml (4.10+) | npmMinimalAgeGate (minutes) |
| bun | ~/.bunfig.toml [install] | minimumReleaseAge (seconds) |
| deno | shell profile | alias deno='command deno --minimum-dependency-age=P<N>D' |
| pip | user pip config | global.uploaded-prior-to (P<N>D) |
| uv | ~/.config/uv/uv.toml | exclude-newer ("N days") |

gestate explain <tool> prints that tool's current value and the exact mechanism that set and revert use for it.
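Because every tool counts the same policy in a different unit, the value you want to check is the effective window in days, not the raw number. The following is an added example, not gestate's own code: it maps one N-day policy into each tool's unit using the key units from the table above, parses stored values back into days, and flags any tool whose window is shorter than the policy (the classic mistake being a day count written into a field that counts minutes or seconds). The function names, the UNITS map and the sample stored values are assumptions made for this illustration.

```python
"""Map one minimum-release-age policy (N days) to each package manager's
unit and audit stored values back into days.

Added example, not gestate's own code. Units come from the table above;
the function names, the UNITS map and the sample values are assumptions.
"""
from __future__ import annotations

import re

# Unit of each tool's key, per the table above.
UNITS: dict[str, str] = {
    "npm": "days",      # min-release-age
    "pnpm": "minutes",  # minimumReleaseAge
    "yarn": "minutes",  # npmMinimalAgeGate
    "bun": "seconds",   # [install] minimumReleaseAge
    "deno": "iso8601",  # --minimum-dependency-age=P<N>D
    "pip": "iso8601",   # global.uploaded-prior-to
    "uv": "phrase",     # exclude-newer = "N days"
}
SECONDS_PER = {"days": 86_400, "minutes": 60, "seconds": 1}


def to_tool_value(days: int, tool: str) -> str:
    """Render the policy in the unit `tool` stores it in."""
    if days < 0:
        raise ValueError("minimum age must be non-negative")
    unit = UNITS[tool]
    if unit == "iso8601":
        return f"P{days}D"
    if unit == "phrase":
        return f"{days} days"
    return str(days * SECONDS_PER["days"] // SECONDS_PER[unit])


def from_tool_value(value: str, tool: str) -> float:
    """Parse a stored value back into days. Anything that is not in the
    tool's own unit is rejected, so a typo cannot pass as a policy."""
    unit = UNITS[tool]
    if unit == "iso8601":
        m = re.fullmatch(r"P(\d+)D", value)
        if not m:
            raise ValueError(f"{tool}: expected P<N>D, got {value!r}")
        return float(m.group(1))
    if unit == "phrase":
        m = re.fullmatch(r"(\d+)\s+days?", value)
        if not m:
            raise ValueError(f"{tool}: expected 'N days', got {value!r}")
        return float(m.group(1))
    if not value.isdigit():
        raise ValueError(f"{tool}: expected integer {unit}, got {value!r}")
    return int(value) * SECONDS_PER[unit] / SECONDS_PER["days"]


def plan(days: int) -> dict[str, str]:
    """Every tool's value for one policy (what a `set N` would write)."""
    return {tool: to_tool_value(days, tool) for tool in UNITS}


def audit(stored: dict[str, str], policy_days: int) -> dict[str, float]:
    """Return the tools whose stored value gives a window shorter than the
    policy, with the effective window in days."""
    short: dict[str, float] = {}
    for tool, value in stored.items():
        effective = from_tool_value(value, tool)
        if effective < policy_days:
            short[tool] = effective
    return short


if __name__ == "__main__":
    for tool, value in plan(3).items():
        print(f"{tool:5} {value}")
    # Constructed sample: bun was hand-set to "3", i.e. 3 seconds, not 3 days.
    sample = {"npm": "3", "pnpm": "4320", "bun": "3", "pip": "P3D", "uv": "3 days"}
    print("below policy:", audit(sample, 3))
```

Running the audit against the values a tool actually reports (for instance what gestate explain prints) is the check worth scripting: a window that parses but is orders of magnitude shorter than intended is exactly what a unit mix-up produces.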

Scope:

  • default — only configure installed tools
  • --all — also pre-write config files for bun, deno, uv even if they aren't installed yet

Revert

uvx gestate revert removes everything gestate set:

  • CLI tools — config delete / config unset
  • bun / uv — remove the key; delete the file if it was the only key
  • deno — remove our alias line; leave foreign alias deno= lines alone

Backups (.bak) are written next to any edited shell-profile or TOML file.
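The deno case is the awkward one to revert, because the setting lives as a line in a shell profile that may already contain other people's `alias deno=` lines. The following is an added example, not gestate's own code, showing one way to do it: our line carries a trailing marker comment, set replaces only a line with that marker and appends the alias form from the table above, revert removes only that line, and a .bak copy is written beside the profile before any edit. The marker text, the function names and the sample profile are assumptions made for this illustration.

```python
"""Manage the deno alias line in a shell profile: add ours, remove only
ours, leave other people's `alias deno=` lines untouched, back up first.

Added example, not gestate's own code. The marker comment, function names
and sample profile are assumptions; the alias form is from the table above.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Assumed marker: revert recognises our line by this tag, never by
# "alias deno=" alone, so foreign aliases are left alone.
MARKER = "# gestate"


def alias_line(days: int) -> str:
    # `command deno` runs the real binary, so the alias cannot recurse.
    return f"alias deno='command deno --minimum-dependency-age=P{days}D'  {MARKER}"


def is_ours(line: str) -> bool:
    return line.lstrip().startswith("alias deno=") and line.rstrip().endswith(MARKER)


def apply_alias(text: str, days: int) -> str:
    """Pure text transform: drop any earlier line of ours, append the new one.
    Foreign `alias deno=` lines are kept; ours comes last so it wins at
    shell start-up."""
    lines = [ln for ln in text.splitlines() if not is_ours(ln)]
    lines.append(alias_line(days))
    return "\n".join(lines) + "\n"


def remove_alias(text: str) -> str:
    """Pure text transform: remove only our marked line."""
    lines = [ln for ln in text.splitlines() if not is_ours(ln)]
    return "\n".join(lines) + ("\n" if lines else "")


def _backup(profile: Path) -> Path:
    bak = profile.with_name(profile.name + ".bak")
    shutil.copy2(profile, bak)
    return bak


def set_alias(profile: Path, days: int) -> str:
    """Write our alias into `profile`, backing up an existing file first."""
    text = profile.read_text() if profile.exists() else ""
    if profile.exists():
        _backup(profile)
    new = apply_alias(text, days)
    profile.write_text(new)
    return new


def revert_alias(profile: Path) -> str:
    """Remove our line; a profile with nothing of ours is not rewritten."""
    if not profile.exists():
        return ""
    text = profile.read_text()
    new = remove_alias(text)
    if new != text:
        _backup(profile)
        profile.write_text(new)
    return new


if __name__ == "__main__":
    # Constructed sample profile with a foreign deno alias that must survive.
    sample = 'export PATH="$HOME/.local/bin:$PATH"\n' "alias deno='deno --quiet'\n"
    with tempfile.TemporaryDirectory() as d:
        rc = Path(d, ".zshrc")
        rc.write_text(sample)
        print(set_alias(rc, 3))
        print("restored:", revert_alias(rc) == sample,
              "backup:", rc.with_name(".zshrc.bak").exists())
```

Keeping the transforms pure (text in, text out) is what makes the revert path safe to test: the same input must round-trip through apply and remove unchanged, and a profile that never contained our marker must come back byte-identical.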

Allowlists

If you publish packages of your own and want them exempt from the delay, see docs/allowlists.md. Most managers support an exclude list; npm and pip don't yet.

Caveats

  • yarn: 4.10+ only. Older yarn is detected and skipped.
  • deno: no global config exists; the shell alias only covers interactive shells. For CI, pass --minimum-dependency-age=P<N>D to deno install/deno update, or commit a project deno.json with "minimumDependencyAge": "P<N>D".
  • npm exclude: tracked in npm/cli#8994.
  • pip exclude: none — global.uploaded-prior-to is global only.

For PR-creation guards (Dependabot, Renovate) and adjacent layers, see docs/complementary.md.

Development

uv sync
uv run pytest

Requires Python 3.11+, macOS or Linux.

About

Block fresh package versions to defend against zero-day supply-chain attacks.
