Summary
--exclude-newer is a very useful feature for implementing dependency cooldown policies but it requires package registries to support the JSON view with the PEP 700 upload-time attribute. This currently prevents usage on projects which use Azure or GitLab to host any dependencies.
It would be useful if there was a way to disable the exclude-newer mechanism for a single registry or package so it could be used for PyPI packages, which are usually the highest concern for the kind of attacks which a minimum age policy is designed to mitigate, while still allowing private registries to be used.
Example
Using the documentation example for a custom index, one option would be something like this:
```toml
[tool.uv]
exclude-newer = "…"
skip-exclude-newer-for-indexes = ["pytorch"]

[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"
```

… or perhaps to avoid that somewhat ugly name:
```toml
[tool.uv]
exclude-newer = "…"

[[tool.uv.index]]
name = "pytorch"
url = "https://download.pytorch.org/whl/cpu"
skip-exclude-newer-check = true
```

… or perhaps this would be best as a per-package override requiring you to manually opt-in for each package:
```toml
[tool.uv]
exclude-newer = "…"
exclude-newer-package = { pytorch = "ALLOW_ANY" } # This magic value can't conflict with an existing date
# or, to make it more explicit that you only want to trust one source:
exclude-newer-package = { pytorch = { allow-latest-from-registry = "pytorch" } }
```
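As an added illustration, not uv's own code, the sketch below applies an exclude-newer cutoff over constructed PEP 700-style Simple JSON responses and exempts a named index, mirroring the per-index skip proposed above. The index names, file entries and the rule that undated files are dropped (the behaviour the "prevents usage" remark implies) are assumptions of this example.

```python
from datetime import datetime

# Constructed PEP 691/700-style Simple JSON "files" lists, one per index.
# The "private" index omits upload-time, as feeds without PEP 700 support do.
INDEXES = {
    "pypi": {
        "files": [
            {"filename": "pkg-1.0.0-py3-none-any.whl",
             "upload-time": "2024-01-10T12:00:00Z"},
            {"filename": "pkg-1.1.0-py3-none-any.whl",
             "upload-time": "2024-03-01T09:30:00Z"},
        ]
    },
    "private": {
        "files": [
            {"filename": "internal-2.0.0-py3-none-any.whl"},  # no upload-time
        ]
    },
}


def parse_ts(value):
    """Parse a PEP 700 upload-time (ISO 8601 with a 'Z' suffix) to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_files(files, cutoff, skip_cutoff=False):
    """Return the filenames allowed under an exclude-newer cutoff.

    Files uploaded after the cutoff are dropped.  Files with no upload-time
    cannot be dated, so they are dropped too (assumed behaviour), unless the
    index is exempted via the hypothetical per-index skip from the issue.
    """
    if skip_cutoff:
        return [f["filename"] for f in files]
    allowed = []
    for f in files:
        ts = f.get("upload-time")
        if ts is None:
            continue  # undated: cannot prove it predates the cutoff
        if parse_ts(ts) <= cutoff:
            allowed.append(f["filename"])
    return allowed


def resolve(indexes, exclude_newer, skip_for_indexes=()):
    """Apply the cutoff to every index; names in skip_for_indexes bypass it."""
    cutoff = parse_ts(exclude_newer)
    return {name: filter_files(data["files"], cutoff, name in skip_for_indexes)
            for name, data in indexes.items()}
```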