Using CEL's now() to enforce dependency cooldown periods - block packages published in the last N hours
Supply chain attacks often rely on speed: publish a malicious version, let automated builds pull it before detection catches up. One defense is a cooldown period: refuse any dependency published within the last N hours. CEL (Common Expression Language) doesn't expose now() by default since it's designed to be hermetic. This article actually walks through registering a custom now() function binding that returns the current UTC timestamp, using duration arithmetic to compare against package_published_at, and using the has() macro to handle packages so new they haven't been indexed yet - which is the edge case that will bite you if you miss it.
submitted by /u/BattleRemote3157