feat: add a solver.min-release-age config option

Author: radoering

docs/configuration.md

@@ -395,6 +395,34 @@ Especially with slow network connections, this setting can speed up dependency r
 If the cache has already been filled or the server does not support HTTP range requests,
 this setting makes no difference.
 
+### `solver.min-release-age`
+
+**Type**: `int`
+
+**Default**: `0`
+
+**Environment Variable**: `POETRY_SOLVER_MIN_RELEASE_AGE`
+
+*Introduced in 2.4.0*
+
+Minimum age of a package release in **days** before it is considered during dependency resolution.
+When set, any package version where at least one distribution file was uploaded more recently
+than the specified number of days ago will be ignored by the solver.
+
+For example, with a value of `7`, a version is only considered
+if all known distribution files are at least seven days old.
+If the option is not set or set to `0`, all versions are considered.
+
+This option is useful to protect against supply chain attacks where a new release
+of a dependency is published with malicious code.
+This is often detected within hours or days and the compromised release is removed.
+
+{{% note %}}
+This filter can only be enforced for package sources that expose file upload timestamps.
+If a source does not provide upload times for a release,
+that release is not filtered out by this setting.
+{{% /note %}}
+
 ### `system-git-client`
 
 **Type**: `boolean`

src/poetry/config/config.py

@@ -174,6 +174,7 @@ class Config:
         "python": {"installation-dir": os.path.join("{data-dir}", "python")},
         "solver": {
             "lazy-wheel": True,
+            "min-release-age": 0,
         },
         "system-git-client": False,
         "keyring": {
@@ -398,6 +399,7 @@ def _get_normalizer(name: str) -> Callable[[str], Any]:
         if name in {
             "installer.max-workers",
             "requests.max-retries",
+            "solver.min-release-age",
         }:
             return int_normalizer
 

src/poetry/console/commands/config.py

@@ -102,6 +102,7 @@ def unique_config_values(self) -> dict[str, tuple[Any, Any]]:
                 PackageFilterPolicy.normalize,
             ),
             "solver.lazy-wheel": (boolean_validator, boolean_normalizer),
+            "solver.min-release-age": (lambda val: int(val) >= 0, int_normalizer),
             "keyring.enabled": (boolean_validator, boolean_normalizer),
             "python.installation-dir": (str, lambda val: str(Path(val))),
         }

src/poetry/puzzle/solver.py

@@ -86,28 +86,34 @@ def solve(
     ) -> Transaction:
         from poetry.puzzle.transaction import Transaction
 
-        with self._progress(), self._provider.use_latest_for(use_latest or []):
-            start = time.time()
-            packages = self._solve()
-            # simplify markers by removing redundant information
-            for transitive_info in packages.values():
-                for group, marker in transitive_info.markers.items():
-                    transitive_info.markers[group] = simplify_marker(
-                        marker, self._package.python_constraint
+        try:
+            with self._progress(), self._provider.use_latest_for(use_latest or []):
+                start = time.time()
+                packages = self._solve()
+                # simplify markers by removing redundant information
+                for transitive_info in packages.values():
+                    for group, marker in transitive_info.markers.items():
+                        transitive_info.markers[group] = simplify_marker(
+                            marker, self._package.python_constraint
+                        )
+                end = time.time()
+
+                if len(self._overrides) > 1:
+                    self._provider.debug(
+                        # ignore the warning as provider does not do interpolation
+                        f"Complete version solving took {end - start:.3f}"
+                        f" seconds with {len(self._overrides)} overrides"
                     )
-            end = time.time()
+                    self._provider.debug(
+                        # ignore the warning as provider does not do interpolation
+                        "Resolved with overrides:"
+                        f" {', '.join(f'({b})' for b in self._overrides)}"
+                    )
+        except SolverProblemError:
+            self._pool.log_age_filtered_versions(level="warning")
+            raise
 
-            if len(self._overrides) > 1:
-                self._provider.debug(
-                    # ignore the warning as provider does not do interpolation
-                    f"Complete version solving took {end - start:.3f}"
-                    f" seconds with {len(self._overrides)} overrides"
-                )
-                self._provider.debug(
-                    # ignore the warning as provider does not do interpolation
-                    "Resolved with overrides:"
-                    f" {', '.join(f'({b})' for b in self._overrides)}"
-                )
+        self._pool.log_age_filtered_versions(level="info")
 
         for p in packages:
             if p.yanked:

src/poetry/repositories/http_repository.py

@@ -5,6 +5,9 @@
 
 from contextlib import contextmanager
 from contextlib import suppress
+from datetime import datetime
+from datetime import timedelta
+from datetime import timezone
 from pathlib import Path
 from tempfile import TemporaryDirectory
 from typing import TYPE_CHECKING
@@ -14,6 +17,8 @@
 import requests.adapters
 
 from packaging.metadata import parse_email
+from poetry.core.constraints.version import Version
+from poetry.core.constraints.version import VersionConstraint
 from poetry.core.constraints.version import parse_constraint
 from poetry.core.packages.dependency import Dependency
 from poetry.core.version.markers import parse_marker
@@ -36,9 +41,11 @@
 
 
 if TYPE_CHECKING:
+    from collections.abc import Iterable
     from collections.abc import Iterator
 
     from packaging.utils import NormalizedName
+    from poetry.core.packages.package import Package
     from poetry.core.packages.package import PackageFile
     from poetry.core.packages.utils.link import Link
 
@@ -71,6 +78,14 @@ def __init__(
 
         self._lazy_wheel = config.get("solver.lazy-wheel", True)
         self._max_retries = config.get("requests.max-retries", 0)
+
+        self._min_release_age = config.get("solver.min-release-age", 0)
+        self._min_release_age_cutoff: datetime | None = None
+        if self._min_release_age:
+            self._min_release_age_cutoff = datetime.now(tz=timezone.utc) - timedelta(
+                days=self._min_release_age
+            )
+        self._age_filtered_versions: dict[NormalizedName, set[Version]] = {}
         # We are tracking if a domain supports range requests or not to avoid
         # unnecessary requests.
         # ATTENTION: A domain might support range requests only for some files, so the
@@ -119,6 +134,64 @@ def _cached_or_downloaded_file(
             )
             yield filepath
 
+    def _package(
+        self, name: NormalizedName, version: Version, yanked: str | bool
+    ) -> Package:
+        raise NotImplementedError
+
+    def _is_version_too_recent(self, links: Iterable[Link]) -> bool:
+        """Return True if any file of the version was uploaded after the cutoff.
+
+        If no upload time information is available for any file,
+        the version is considered old enough (return False).
+        """
+        if not self._min_release_age_cutoff:
+            return False
+        for link in links:
+            upload_time = link.upload_time
+            if upload_time is None:
+                continue
+            if upload_time > self._min_release_age_cutoff:
+                return True
+        return False
+
+    def _find_packages(
+        self, name: NormalizedName, constraint: VersionConstraint
+    ) -> list[Package]:
+        """
+        Find packages on the remote server.
+        """
+        try:
+            page = self.get_page(name)
+        except PackageNotFoundError:
+            self._log(f"No packages found for {name}", level="debug")
+            return []
+
+        versions = [
+            (version, page.yanked(name, version))
+            for version in page.versions(name)
+            if constraint.allows(version)
+        ]
+
+        if self._min_release_age_cutoff is not None:
+            filtered_out: set[Version] = set()
+            accepted: list[tuple[Version, str | bool]] = []
+            for version, yanked in versions:
+                if self._is_version_too_recent(page.links_for_version(name, version)):
+                    filtered_out.add(version)
+                else:
+                    accepted.append((version, yanked))
+            if filtered_out:
+                self._age_filtered_versions[name] = filtered_out
+                self._log(
+                    f"Ignoring {name} version(s) due to "
+                    f"solver.min-release-age={self._min_release_age}: {versions}",
+                    level="debug",
+                )
+            versions = accepted
+
+        return [self._package(name, version, yanked) for version, yanked in versions]
+
     def _get_info_from_wheel(self, link: Link) -> PackageInfo:
         from poetry.inspection.info import PackageInfo
 
@@ -477,3 +550,17 @@ def _get_page(self, name: NormalizedName) -> LinkSource:
         if self._is_json_response(response):
             return SimpleJsonPage(response.url, response.json())
         return HTMLPage(response.url, response.text)
+
+    def log_age_filtered_versions(self, *, level: str) -> None:
+        if not self._age_filtered_versions:
+            return
+        self._log(
+            "The following packages versions were ignored"
+            f" due to solver.min-release-age={self._min_release_age}",
+            level=level,
+        )
+        for name in sorted(self._age_filtered_versions):
+            versions = ", ".join(
+                str(v) for v in sorted(self._age_filtered_versions[name])
+            )
+            self._log(f"{name}: {versions}", level=level)

src/poetry/repositories/legacy_repository.py

@@ -20,7 +20,6 @@
 if TYPE_CHECKING:
     from packaging.utils import NormalizedName
     from poetry.core.constraints.version import Version
-    from poetry.core.constraints.version import VersionConstraint
     from poetry.core.packages.utils.link import Link
 
     from poetry.config.config import Config
@@ -79,35 +78,17 @@ def find_links_for_package(self, package: Package) -> list[Link]:
 
         return list(page.links_for_version(package.name, package.version))
 
-    def _find_packages(
-        self, name: NormalizedName, constraint: VersionConstraint
-    ) -> list[Package]:
-        """
-        Find packages on the remote server.
-        """
-        try:
-            page = self.get_page(name)
-        except PackageNotFoundError:
-            self._log(f"No packages found for {name}", level="debug")
-            return []
-
-        versions = [
-            (version, page.yanked(name, version))
-            for version in page.versions(name)
-            if constraint.allows(version)
-        ]
-
-        return [
-            Package(
-                name,
-                version,
-                source_type="legacy",
-                source_reference=self.name,
-                source_url=self._url,
-                yanked=yanked,
-            )
-            for version, yanked in versions
-        ]
+    def _package(
+        self, name: NormalizedName, version: Version, yanked: str | bool
+    ) -> Package:
+        return Package(
+            name,
+            version,
+            source_type="legacy",
+            source_reference=self.name,
+            source_url=self._url,
+            yanked=yanked,
+        )
 
     def _get_release_info(
         self, name: NormalizedName, version: Version

src/poetry/repositories/pypi_repository.py

@@ -30,7 +30,6 @@
 if TYPE_CHECKING:
     from packaging.utils import NormalizedName
     from poetry.core.constraints.version import Version
-    from poetry.core.constraints.version import VersionConstraint
 
     from poetry.config.config import Config
 
@@ -102,25 +101,10 @@ def get_package_info(self, name: NormalizedName) -> dict[str, Any]:
         """
         return self._get_package_info(name)
 
-    def _find_packages(
-        self, name: NormalizedName, constraint: VersionConstraint
-    ) -> list[Package]:
-        """
-        Find packages on the remote server.
-        """
-        try:
-            json_page = self.get_page(name)
-        except PackageNotFoundError:
-            self._log(f"No packages found for {name}", level="debug")
-            return []
-
-        versions = [
-            (version, json_page.yanked(name, version))
-            for version in json_page.versions(name)
-            if constraint.allows(version)
-        ]
-
-        return [Package(name, version, yanked=yanked) for version, yanked in versions]
+    def _package(
+        self, name: NormalizedName, version: Version, yanked: str | bool
+    ) -> Package:
+        return Package(name, version, yanked=yanked)
 
     def _get_package_info(self, name: NormalizedName) -> dict[str, Any]:
         headers = {"Accept": "application/vnd.pypi.simple.v1+json"}

src/poetry/repositories/repository.py

@@ -109,3 +109,6 @@ def package(self, name: str, version: Version) -> Package:
                 return package
 
         raise PackageNotFoundError(f"Package {name} ({version}) not found.")
+
+    def log_age_filtered_versions(self, *, level: str) -> None:
+        pass

src/poetry/repositories/repository_pool.py

@@ -189,3 +189,7 @@ def refresh(self, package: Package) -> Package:
         if isinstance(repo, CachedRepository):
             repo.forget(package.name, package.version)
         return repo.package(package.name, package.version)
+
+    def log_age_filtered_versions(self, *, level: str) -> None:
+        for repo in self.repositories:
+            repo.log_age_filtered_versions(level=level)

tests/config/test_config.py

@@ -43,9 +43,10 @@ def get_options_based_on_normalizer(normalizer: Normalizer) -> Iterator[str]:
         ("installer.parallel", True),
         ("virtualenvs.create", True),
         ("requests.max-retries", 0),
+        ("solver.min-release-age", 0),
     ],
 )
-def test_config_get_default_value(config: Config, name: str, value: bool) -> None:
+def test_config_get_default_value(config: Config, name: str, value: bool | int) -> None:
     assert config.get(name) is value