📝 Add dependency cooldowns

Author: veit

docs/libs/install.rst

@@ -182,9 +182,9 @@ dependencies.
    updates. We only restrict the version numbers to be used in the event of
    problems. For apps, however, we specify the version numbers.
 
-We use `PDM <https://pdm-project.org/en/latest>`_ to specify the versions for
-our applications and maintain cross-platform lock files. PDM also supports the
-management of virtual environments with ``pdm venv activate``.
+To pin versions for our applications and maintain cross-platform lock files, we
+use :ref:`uv`. ``uv`` also helps us maintain :ref:`reproducible Python
+environments <reproduce-virtual-env>`.
 
 … of Python
 :::::::::::

docs/packs/apps.rst

@@ -125,6 +125,29 @@ With ``uv lock --upgrade`` you can upgrade all packages and with :samp:`uv lock
 --upgrade-package {PACKAGE}=={VERSION}` you can upgrade individual packages to a
 specific version.
 
+.. _dependency-cooldowns:
+
+.. tip::
+   To prevent the installation of packages that have only recently been
+   published on :term:`PyPI`, thereby giving PyPI administrators the opportunity
+   to respond to malware, *dependency cooldowns* are recommended. These are best
+   configured globally in :file:`~/.config/uv/uv.toml`:
+
+   .. code-block:: toml
+
+      exclude-newer = "P3D"
+
+   ``P3D`` specifies that only packages that are three days old or older should
+   be installed, with the date format conforming to :rfc:`3339`.
+
+   However, *dependency cooldowns* are not a panacea. If a package containing
+   security vulnerabilities needs to be replaced with a more recent version as
+   quickly as possible, the *dependency cooldowns* can be bypassed using
+
+   .. code-block:: console
+
+      $ uv sync --exclude-newer-package "{PACKAGE}=P0D"
+
 .. tip::
    You can also use the
    :doc:`Python4DataScience:productive/git/advanced/hooks/pre-commit` to