chore: add exclude-newer = 3 days to all pyproject.toml files

greysonlalonde · web-flow · commit ce99312db180 · 2026-04-04T02:02:58.000+08:00
diff --git a/docs/en/installation.mdx b/docs/en/installation.mdx
@@ -171,6 +171,9 @@ We recommend using the `YAML` template scaffolding for a structured approach to
       ```shell
       uv add <package-name>
       ```
+      <Note>
+        As a supply-chain security measure, CrewAI's internal packages use `exclude-newer = "3 days"` in their `pyproject.toml` files. This means transitive dependencies pulled in by CrewAI won't resolve packages released less than 3 days ago. Your own direct dependencies are not affected by this policy. If you notice a transitive dependency is behind, you can pin the version you want explicitly in your project's dependencies.
+      </Note>
     - To run your crew, execute the following command in the root of your project:
       ```bash
       crewai run
diff --git a/lib/crewai-files/pyproject.toml b/lib/crewai-files/pyproject.toml
@@ -17,6 +17,9 @@ dependencies = [
     "av~=13.0.0",
 ]
 
+[tool.uv]
+exclude-newer = "3 days"
+
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
diff --git a/lib/crewai-tools/pyproject.toml b/lib/crewai-tools/pyproject.toml
@@ -142,6 +142,9 @@ contextual = [
 ]
 
 
+[tool.uv]
+exclude-newer = "3 days"
+
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
diff --git a/lib/crewai/pyproject.toml b/lib/crewai/pyproject.toml
@@ -115,6 +115,9 @@ qdrant-edge = [
 crewai = "crewai.cli.cli:crewai"
 
 
+[tool.uv]
+exclude-newer = "3 days"
+
 # PyTorch index configuration, since torch 2.5.0 is not compatible with python 3.13
 [[tool.uv.index]]
 name = "pytorch-nightly"
diff --git a/lib/devtools/pyproject.toml b/lib/devtools/pyproject.toml
@@ -25,6 +25,9 @@ release = "crewai_devtools.cli:release"
 docs-check = "crewai_devtools.docs_check:docs_check"
 devtools = "crewai_devtools.cli:main"
 
+[tool.uv]
+exclude-newer = "3 days"
+
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
diff --git a/pyproject.toml b/pyproject.toml
@@ -160,6 +160,7 @@ info = "Commits must follow Conventional Commits 1.0.0."
 
 
 [tool.uv]
+exclude-newer = "3 days"
 
 # composio-core pins rich<14 but textual requires rich>=14.
 # onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,9 @@ dependencies = [`
`17`	`17`	`"av~=13.0.0",`
`18`	`18`	`]`
`19`	`19`
	`20`	`+[tool.uv]`
	`21`	`+exclude-newer = "3 days"`
	`22`	`+`
`20`	`23`	`[build-system]`
`21`	`24`	`requires = ["hatchling"]`
`22`	`25`	`build-backend = "hatchling.build"`
Original file line number	Diff line number	Diff line change
`@@ -142,6 +142,9 @@ contextual = [`
`142`	`142`	`]`
`143`	`143`
`144`	`144`
	`145`	`+[tool.uv]`
	`146`	`+exclude-newer = "3 days"`
	`147`	`+`
`145`	`148`	`[build-system]`
`146`	`149`	`requires = ["hatchling"]`
`147`	`150`	`build-backend = "hatchling.build"`