@scientific-python/nightly-wheels-developers this is ready for review.

• To weakly guard against security issues that are introduced in new uploads to conda-forge, add a 30 day exclusion window for Pixi's resolver.

On the contrary, this can be very effective.

For example, of the 10 attacks in the chart at https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns, seven were taken down in under 24 hours. The others were 3 and 10 days, and 5 weeks.

Thanks for the fast review, all!

On the contrary, this can be very effective.

I agree @hugovk. My thoughts are more along this section from the blog

Cooldowns are, obviously, not a panacea: some attackers will evade detection, and delaying the inclusion of potentially malicious dependencies by a week (or two) does not fundamentally alter the fact that supply chain security is a social trust problem, not a purely technical one. Still, an 80-90% reduction in exposure through a technique that is free and easy seems hard to beat.

My main concern and motivating reason for "weakly" is that we're relying on both detection to have happened and for this to be reported and properly dealt with by conda-forge. I have no doubt that conda-forge/core takes security seriously (they obviously do), but they do emphasize

conda-forge packages are built by strangers on the internet (our wonderful feedstock maintainers!) and are not suitable for use cases that require secure software provenance.

and we currently have no way of performing automated security audits of software environments if conda packages are installed (c.f. #general > ✔ Recommendations for security audits on conda packages? @ 💬). I think that until we can overcome this last issue that we can't really say more than "weakly", even if we're doing our best.