diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6778b0493a..b0ab927c90 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,12 @@ updates:
 directory: '/'
 schedule:
 interval: 'daily'
+ cooldown:
+ default-days: 1
+
+ - package-ecosystem: 'pip'
+ directory: '/'
+ schedule:
+ interval: 'daily'
+ cooldown:
+ default-days: 1
diff --git a/.github/workflows/check_api_ref.yml b/.github/workflows/check_api_ref.yml
index 00c671c6b6..8d69b81fec 100644
--- a/.github/workflows/check_api_ref.yml
+++ b/.github/workflows/check_api_ref.yml
@@ -65,7 +65,9 @@ jobs:
 - name: Install Hatch
 if: steps.changed.outputs.needs_check == 'true'
- run: pip install hatch
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch --uploaded-prior-to=P1D
 - name: Generate API references
 if: steps.changed.outputs.needs_check == 'true'
diff --git a/.github/workflows/docs-website-test-docs-snippets.yml b/.github/workflows/docs-website-test-docs-snippets.yml
index 16864c84dd..99aad642f7 100644
--- a/.github/workflows/docs-website-test-docs-snippets.yml
+++ b/.github/workflows/docs-website-test-docs-snippets.yml
@@ -38,7 +38,9 @@ jobs:
 python-version: '3.11'
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Generate API reference for Docusaurus
 run: hatch run docs
@@ -46,7 +48,7 @@ jobs:
 - name: Install base dependencies
 run: |
 python -m pip install --upgrade pip
- pip install requests toml
+ pip install requests toml --uploaded-prior-to=P1D
 - name: Run snippet tests (verbose)
 shell: bash
diff --git a/.github/workflows/docs_search_sync.yml b/.github/workflows/docs_search_sync.yml
index 75c9b17e84..0cb6383b61 100644
--- a/.github/workflows/docs_search_sync.yml
+++ b/.github/workflows/docs_search_sync.yml
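Review bot: The check_api_ref.yml hunk installs Hatch without a version pin (`pip install hatch --uploaded-prior-to=P1D`), while every other workflow touched by this commit pins `hatch==${{ env.HATCH_VERSION }}`; a 24-hour upload cooldown narrows the exposure window but is not a substitute for a pin, so unless this workflow defines no HATCH_VERSION env (not visible here) the line should read `pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D`. The same hunk, and every other pip-install hunk in this commit (docs-website-test-docs-snippets, docs_search_sync, docusaurus_sync, e2e, github_release, license_compliance, nightly_testpypi_release, pypi_release, release, release_notes, slow, tests), bootstraps with `python -m pip install --upgrade pip`, which is the one install in the step that is not covered by the cooldown and takes whatever pip is newest at run time. Since that upgrade exists only so the new `--uploaded-prior-to` flag is recognised, pinning it to a known-good release would close the gap, e.g. `python -m pip install --upgrade "pip==<PIP_VERSION_PLACEHOLDER>"` (constructed; pick the version actually validated). A one-line comment on the step, `# 1-day cooldown; depends on the index reporting upload times and must match [tool.uv] exclude-newer`, would also record the assumption the flag makes about the index and the coupling with pyproject.toml.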
@@ -38,7 +38,9 @@ jobs:
 - name: Install script dependencies
 # sniffio is needed because of https://github.com/deepset-ai/deepset-cloud-sdk/issues/286
 # we pin pyrate-limiter due to https://github.com/deepset-ai/deepset-cloud-sdk/issues/295
- run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4"
+ run: |
+ python -m pip install --upgrade pip
+ pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to=P1D
 - name: Update new docs to Search pipeline and remove outdated docs
 env:
diff --git a/.github/workflows/docusaurus_sync.yml b/.github/workflows/docusaurus_sync.yml
index 7608187fcd..2304903939 100644
--- a/.github/workflows/docusaurus_sync.yml
+++ b/.github/workflows/docusaurus_sync.yml
@@ -30,7 +30,9 @@ jobs:
 python-version: "${{ env.PYTHON_VERSION }}"
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Generate API reference for Docusaurus
 run: hatch run docs
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 9cae97d6db..69632cd7ba 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -34,7 +34,9 @@ jobs:
 python-version: "${{ env.PYTHON_VERSION }}"
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Run tests
 run: hatch run e2e:test
diff --git a/.github/workflows/github_release.yml b/.github/workflows/github_release.yml
index 4a233a8104..64142e1580 100644
--- a/.github/workflows/github_release.yml
+++ b/.github/workflows/github_release.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Install reno
 run: |
 python -m pip install --upgrade pip
- pip install "reno<5"
+ pip install "reno<5" --uploaded-prior-to=P1D
 # Remove next version rc0 tag in the CI environment to prevent reno from assigning notes to future releases.
 # This ensures release notes are correctly aggregated for the current version.
diff --git a/.github/workflows/license_compliance.yml b/.github/workflows/license_compliance.yml
index bd1b0c97e6..f8c4950764 100644
--- a/.github/workflows/license_compliance.yml
+++ b/.github/workflows/license_compliance.yml
@@ -29,7 +29,8 @@ jobs:
 - name: Get direct dependencies
 run: |
- pip install toml
+ python -m pip install --upgrade pip
+ pip install toml --uploaded-prior-to=P1D
 python .github/utils/pyproject_to_requirements.py pyproject.toml > ${{ env.REQUIREMENTS_FILE }}
 - name: Check Licenses
diff --git a/.github/workflows/nightly_testpypi_release.yml b/.github/workflows/nightly_testpypi_release.yml
index 7f2a5e610a..a8bc59d4c6 100644
--- a/.github/workflows/nightly_testpypi_release.yml
+++ b/.github/workflows/nightly_testpypi_release.yml
@@ -36,7 +36,9 @@ jobs:
 echo "Building haystack-ai version: ${NIGHTLY_VERSION}"
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Build Haystack
 run: hatch build
diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/pypi_release.yml
index ef92315463..75d3993eeb 100644
--- a/.github/workflows/pypi_release.yml
+++ b/.github/workflows/pypi_release.yml
@@ -22,7 +22,9 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Build Haystack
 run: hatch build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08843b40f0..045b51f45e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -175,7 +175,9 @@ jobs:
 python-version: "3.13"
 - name: Install tomlkit
- run: pip install tomlkit
+ run: |
+ python -m pip install --upgrade pip
+ pip install tomlkit --uploaded-prior-to=P1D
 - name: Update haystack-ai in uv.lock
 run: python haystack/.github/utils/update_haystack_dc_custom_nodes.py "${{ env.VERSION }}" deepset-cloud-custom-nodes/uv.lock
diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml
index 268e41e2c2..b6bc54a504 100644
--- a/.github/workflows/release_notes.yml
+++ b/.github/workflows/release_notes.yml
@@ -51,7 +51,8 @@ jobs:
 - name: Verify release notes formatting
 if: steps.changed-files.outputs.any_changed == 'true' && !contains( github.event.pull_request.labels.*.name, 'ignore-for-release-notes')
 run: |
- pip install "reno<5"
+ python -m pip install --upgrade pip
+ pip install "reno<5" --uploaded-prior-to=P1D
 reno lint . # it is not possible to pass a list of files to reno lint
 - name: Check reStructuredText code formatting
diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml
index 79081c031f..6660b9ffb0 100644
--- a/.github/workflows/slow.yml
+++ b/.github/workflows/slow.yml
@@ -139,7 +139,8 @@ jobs:
 id: hatch
 shell: bash
 run: |
- pip install hatch==${{ env.HATCH_VERSION }}
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Run Tika
 if: matrix.os == 'ubuntu-latest'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index daddef7659..3a9b0845e4 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -78,7 +78,9 @@ jobs:
 python-version: "${{ env.PYTHON_VERSION }}"
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Ruff - check format and linting
 run: hatch run fmt-check
@@ -97,7 +99,9 @@ jobs:
 python-version: "${{ env.PYTHON_VERSION }}"
 - name: Install Hatch
- run: pip install hatch==${{ env.HATCH_VERSION }}
+ run: |
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 - name: Check imports
 run: hatch run python .github/utils/check_imports.py
@@ -125,7 +129,8 @@ jobs:
 id: hatch
 shell: bash
 run: |
- pip install hatch==${{ env.HATCH_VERSION }}
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
 - name: Run
@@ -177,7 +182,8 @@ jobs:
 id: hatch
 if: steps.files.outputs.any_changed == 'true'
 run: |
- pip install hatch==${{ env.HATCH_VERSION }}
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
 - name: Mypy
@@ -202,7 +208,8 @@ jobs:
 id: hatch
 shell: bash
 run: |
- pip install hatch==${{ env.HATCH_VERSION }}
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
@@ -228,7 +235,8 @@ jobs:
 id: hatch
 shell: bash
 run: |
- pip install hatch==${{ env.HATCH_VERSION }}
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
 - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -260,7 +268,8 @@ jobs:
 id: hatch
 shell: bash
 run: |
- pip install hatch==${{ env.HATCH_VERSION }}
+ python -m pip install --upgrade pip
+ pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
 echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
 - name: Run
diff --git a/pyproject.toml b/pyproject.toml
index 40a549bc96..1256a1fcbc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -363,5 +363,13 @@ ignore = [
 "test/tools/test_parameters_schema_utils.py" = ["UP007"]
 "test/utils/test_type_serialization.py" = ["UP006", "UP007", "UP035", "UP045"]
+[tool.uv]
+# Exclude package versions published within the last 24 hours to protect against supply chain
+# attacks via compromised dependencies. uv resolves this relative to the current clock at
+# install/lock time, so no manual date updates are needed.
+# First-party packages are exempted so freshly published releases are always resolvable.
+exclude-newer = "24 hours"
+exclude-newer-package = { haystack-experimental = "0 days", haystack-pydoc-tools = "0 days" }
+
 [tool.coverage.run]
 omit = ["haystack/testing/*"]
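Review bot: `exclude-newer = "24 hours"` in the pyproject.toml hunk only constrains resolution performed by uv, so the pip-driven steps in the workflows stay protected solely by their own `--uploaded-prior-to=P1D`, and the two windows are equal today only by hand; a cross-reference in the comment block, `# Keep in sync with --uploaded-prior-to=P1D in .github/workflows/*.yml`, would make that coupling visible to whoever changes one of them. The `exclude-newer-package` exemption means that for `haystack-experimental` and `haystack-pydoc-tools` no cooldown applies at all, which is a reasonable trade-off for first-party release flows but is a deliberate reduction of the protection the section introduces; the comment currently states only the convenience side ("always resolvable") and should name the trade-off, e.g. `# Exempted packages get no cooldown: their publish pipeline is ours, so the risk is accepted.` Both the relative-duration form and the per-package table are comparatively recent uv features; if the repository pins a uv version elsewhere (not visible here), confirm that version honours them, since an older uv that ignores the key would silently give no protection.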