https://www.infoq.com InfoQ Package Managers feed https://www.infoq.com/news/2026/05/pip-261-dependency-cooldowns/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=Package+Managers <img src="https://www.infoq.com/styles/static/images/logo/logo_bigger.jpg"/><p>Pip 26.1 ships dependency cooldowns that enforce a waiting period before newly published packages can be installed, and experimental pylock.toml lockfile support from PEP 751. Research shows a 7-day cooldown would have prevented 8 out of 10 analyzed supply chain attacks from reaching end users.</p> <i>By Steef-Jan Wiggers</i> Dependency Management Package Managers Software Supply Chain Development news Wed, 20 May 2026 10:04:00 GMT https://www.infoq.com/news/2026/05/pip-261-dependency-cooldowns/?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=Package+Managers Steef-Jan Wiggers 2026-05-20T10:04:00Z /news/2026/05/pip-261-dependency-cooldowns/en