upd-cli 0.1.1__tar.gz → 0.1.2__tar.gz

{upd_cli-0.1.1 → upd_cli-0.1.2}/CHANGELOG.md

@@ -11,6 +11,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+## [0.1.2](https://github.com/rvben/upd/compare/v0.1.1...v0.1.2) - 2026-04-24
+
+### Added
+
+- **cache**: add optional versions field to CacheEntry for future list_versions caching ([1beb34d](https://github.com/rvben/upd/commit/1beb34dc030f160e3748dff9a63e71bfa1772043))
+- **output**: report held-back and skipped-by-cooldown packages ([3d1a2ce](https://github.com/rvben/upd/commit/3d1a2cef2ae31c59a87b417b074e0d672b7256d2))
+- **updater**: propagate cooldown policy to remaining updaters ([8e80f25](https://github.com/rvben/upd/commit/8e80f252339f022d90f8120694e529c68c3bcf90))
+- **updater**: apply cooldown policy in requirements updater ([5d6cfd3](https://github.com/rvben/upd/commit/5d6cfd32bfe87df7af86453476a93e2945f009ff))
+- **registry**: implement list_versions for GitHub releases ([5f6472b](https://github.com/rvben/upd/commit/5f6472b5d7c4394d59fbabfd4bd9a1d9b736a67a))
+- **registry**: implement list_versions for RubyGems ([1a1dda3](https://github.com/rvben/upd/commit/1a1dda31d73e0f25d8a73e6438aed7c4daadc007))
+- **registry**: implement list_versions for Go module proxy ([196fef6](https://github.com/rvben/upd/commit/196fef634b0ae3c53096222e8bbe3161d8b67a33))
+- **registry**: implement list_versions for crates.io ([8869dec](https://github.com/rvben/upd/commit/8869dec1a69148b5b3db44cc3393a05aaa2b01fb))
+- **registry**: implement list_versions for npm ([b23cd78](https://github.com/rvben/upd/commit/b23cd787e748dfc5404a8fd51981c67f858e1d5a))
+- **registry**: implement list_versions for PyPI ([9aa342c](https://github.com/rvben/upd/commit/9aa342c5c11ae504024aed5aa2d8930c66b4a6df))
+- **cli**: add --min-age flag for cooldown override ([b5bfb30](https://github.com/rvben/upd/commit/b5bfb304c39f6b8099aef3a066e2ef4ed17f606f))
+- **config**: show cooldown policy in --show-config ([9486257](https://github.com/rvben/upd/commit/9486257b22456e55e9af23709089a574cce262be))
+- **config**: add [cooldown] table with default and per-ecosystem overrides ([a9ff8e3](https://github.com/rvben/upd/commit/a9ff8e31050485056a9bb6e03f4d313df1262998))
+- **cooldown**: implement select() selection algorithm ([8b588bb](https://github.com/rvben/upd/commit/8b588bb1b42d84d696a7a17d8e97141a223351a1))
+- **cooldown**: add CooldownPolicy with precedence resolution ([ddba284](https://github.com/rvben/upd/commit/ddba284329dad87bf84cf566ecb487ef665408a1))
+- **cooldown**: add parse_duration for release-age config ([a7e67e0](https://github.com/rvben/upd/commit/a7e67e035764e4d905ace1dc4092f41c27510a5c))
+- **registry**: re-export VersionMeta from crate root ([b2cdd60](https://github.com/rvben/upd/commit/b2cdd6037c09110881f53db4992542e77596f6c3))
+- **registry**: add VersionMeta and list_versions trait method ([09ddbf9](https://github.com/rvben/upd/commit/09ddbf9c2b8f0546feafeb642f27547bed1882da))
+
+### Fixed
+
+- **cooldown**: harden selection against real-world constraints and per-file policy ([a284ea4](https://github.com/rvben/upd/commit/a284ea497dcf3abf65fda2c7e7f6c0c03c3dd8e2))
+- **updater**: pass Poetry constraint to cooldown selection ([a0383e9](https://github.com/rvben/upd/commit/a0383e9167b2ef05cc4583aa23c1035d32268750))
+
 ## [0.1.1](https://github.com/rvben/upd/compare/v0.1.0...v0.1.1) - 2026-04-22
 
 ### Added

{upd_cli-0.1.1 → upd_cli-0.1.2}/Cargo.lock

@@ -17,6 +17,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "anstream"
 version = "1.0.0"
@@ -113,6 +122,12 @@ version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
 [[package]]
 name = "aws-lc-rs"
 version = "1.16.3"
@@ -199,6 +214,18 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
+[[package]]
+name = "chrono"
+version = "0.4.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
+dependencies = [
+ "iana-time-zone",
+ "num-traits",
+ "serde",
+ "windows-link",
+]
+
 [[package]]
 name = "clap"
 version = "4.6.1"
@@ -728,6 +755,30 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "iana-time-zone"
+version = "0.1.65"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "log",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "icu_collections"
 version = "2.1.1"
@@ -1030,6 +1081,15 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "num_cpus"
 version = "1.17.0"
@@ -1964,10 +2024,11 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.1"
+version = "0.1.2"
 dependencies = [
  "anyhow",
  "async-trait",
+ "chrono",
  "clap",
  "colored",
  "directories",
@@ -2143,12 +2204,65 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "windows-core"
+version = "0.62.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
+dependencies = [
+ "windows-implement",
+ "windows-interface",
+ "windows-link",
+ "windows-result",
+ "windows-strings",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.59.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
+[[package]]
+name = "windows-result"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
+dependencies = [
+ "windows-link",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.45.0"

{upd_cli-0.1.1 → upd_cli-0.1.2}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.1"
+version = "0.1.2"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"
@@ -60,6 +60,7 @@ colored = "3.1.1"
 async-trait = "0.1.89"
 futures = "0.3.32"
 url = "2.5"
+chrono = { version = "0.4", default-features = false, features = ["serde", "clock"] }
 
 [dev-dependencies]
 tempfile = "3.27.0"

{upd_cli-0.1.1 → upd_cli-0.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.1
+Version: 0.1.2
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -469,6 +469,51 @@ upd --verbose
 # pyproject.toml:13: Skipped internal-utils 1.0.0 (ignored)
 ```
 
+## Cooldown (minimum release age)
+
+Hold back updates to versions that have been public for less than N days.
+Reduces exposure to supply-chain attacks that rely on freshly published
+malicious versions being installed before detection. Modelled after
+Renovate's `minimumReleaseAge` / Dependabot's `cooldown`.
+
+Enable in `.updrc.toml`:
+
+```toml
+[cooldown]
+default = "7d"           # applies to every ecosystem unless overridden
+
+[cooldown.ecosystem]
+npm = "14d"              # stricter for npm
+pypi = "14d"
+"crates.io" = "3d"
+```
+
+Duration syntax: `<integer><unit>` where unit is `s`, `m`, `h`, `d`, `w`.
+A bare `0` disables cooldown.
+
+Override from the CLI for one-off runs:
+
+```text
+upd --min-age 14d         # use 14 days regardless of config
+upd --min-age 0           # disable cooldown entirely for this run
+```
+
+**How it works:** when the latest version is still inside the cooldown
+window, `upd` updates to the newest version that *is* old enough. If nothing
+newer is old enough yet, the package is held back. Output marks these
+packages explicitly:
+
+```text
+requirements.txt: Updated requests 2.28.0 → 2.31.0
+package.json: Held back lodash 4.17.20 → 4.17.21 (4.17.22 released 2d ago, cooldown 7d)
+package.json: Skipped express (only newer version 4.19.0 released 1d ago, cooldown 7d)
+```
+
+**Supported ecosystems:** PyPI, npm, crates.io, Go modules, RubyGems,
+GitHub releases (covers GitHub Actions, pre-commit, Mise). NuGet and
+Terraform Registry do not expose per-version publish dates we can
+consume today; cooldown is reported as unavailable for those files.
+
 ## Caching
 
 Version lookups are cached for 24 hours in:

{upd_cli-0.1.1 → upd_cli-0.1.2}/README.md

@@ -446,6 +446,51 @@ upd --verbose
 # pyproject.toml:13: Skipped internal-utils 1.0.0 (ignored)
 ```
 
+## Cooldown (minimum release age)
+
+Hold back updates to versions that have been public for less than N days.
+Reduces exposure to supply-chain attacks that rely on freshly published
+malicious versions being installed before detection. Modelled after
+Renovate's `minimumReleaseAge` / Dependabot's `cooldown`.
+
+Enable in `.updrc.toml`:
+
+```toml
+[cooldown]
+default = "7d"           # applies to every ecosystem unless overridden
+
+[cooldown.ecosystem]
+npm = "14d"              # stricter for npm
+pypi = "14d"
+"crates.io" = "3d"
+```
+
+Duration syntax: `<integer><unit>` where unit is `s`, `m`, `h`, `d`, `w`.
+A bare `0` disables cooldown.
+
+Override from the CLI for one-off runs:
+
+```text
+upd --min-age 14d         # use 14 days regardless of config
+upd --min-age 0           # disable cooldown entirely for this run
+```
+
+**How it works:** when the latest version is still inside the cooldown
+window, `upd` updates to the newest version that *is* old enough. If nothing
+newer is old enough yet, the package is held back. Output marks these
+packages explicitly:
+
+```text
+requirements.txt: Updated requests 2.28.0 → 2.31.0
+package.json: Held back lodash 4.17.20 → 4.17.21 (4.17.22 released 2d ago, cooldown 7d)
+package.json: Skipped express (only newer version 4.19.0 released 1d ago, cooldown 7d)
+```
+
+**Supported ecosystems:** PyPI, npm, crates.io, Go modules, RubyGems,
+GitHub releases (covers GitHub Actions, pre-commit, Mise). NuGet and
+Terraform Registry do not expose per-version publish dates we can
+consume today; cooldown is reported as unavailable for those files.
+
 ## Caching
 
 Version lookups are cached for 24 hours in:

{upd_cli-0.1.1 → upd_cli-0.1.2}/src/cache.rs

@@ -1,4 +1,4 @@
-use crate::registry::Registry;
+use crate::registry::{Registry, VersionMeta};
 use anyhow::Result;
 use async_trait::async_trait;
 use directories::ProjectDirs;
@@ -35,6 +35,21 @@ pub struct Cache {
 pub struct CacheEntry {
     pub version: String,
     pub fetched_at: u64, // Unix timestamp
+    /// Full per-version metadata fetched via `list_versions`, when available.
+    /// Older cache files predate this field and deserialize with `None`.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub versions: Option<Vec<CachedVersionMeta>>,
+}
+
+/// Cache-friendly mirror of [`crate::registry::VersionMeta`]. `published_at`
+/// is stored as a Unix timestamp (seconds) so the cache file stays stable
+/// across `chrono` serde format changes.
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct CachedVersionMeta {
+    pub version: String,
+    pub published_at: Option<i64>,
+    pub yanked: bool,
+    pub prerelease: bool,
 }
 
 impl Cache {
@@ -121,6 +136,7 @@ impl Cache {
             CacheEntry {
                 version,
                 fetched_at,
+                versions: None,
             },
         );
     }
@@ -255,6 +271,10 @@ impl<R: Registry> Registry for CachedRegistry<R> {
         Ok(version)
     }
 
+    async fn list_versions(&self, package: &str) -> Result<Vec<VersionMeta>> {
+        self.inner.list_versions(package).await
+    }
+
     fn name(&self) -> &'static str {
         self.inner.name()
     }
@@ -320,6 +340,7 @@ mod tests {
             CacheEntry {
                 version: "0.1.0".to_string(),
                 fetched_at: expired_time,
+                versions: None,
             },
         );
 
@@ -346,6 +367,7 @@ mod tests {
             CacheEntry {
                 version: "0.1.0".to_string(),
                 fetched_at: expired_time,
+                versions: None,
             },
         );
 
@@ -405,6 +427,66 @@ mod tests {
         assert_eq!(restored.get("npm", "lodash"), Some("4.17.21".to_string()));
     }
 
+    #[test]
+    fn test_cache_entry_deserialises_without_versions_field() {
+        // Older cache files predate the `versions` field and must still
+        // deserialise so upgrades do not invalidate on-disk caches.
+        let json = r#"{"version":"1.2.3","fetched_at":1700000000}"#;
+        let entry: CacheEntry = serde_json::from_str(json).unwrap();
+        assert_eq!(entry.version, "1.2.3");
+        assert_eq!(entry.fetched_at, 1_700_000_000);
+        assert!(entry.versions.is_none(), "missing field defaults to None");
+    }
+
+    #[test]
+    fn test_cache_roundtrip_with_versions() {
+        let entry = CacheEntry {
+            version: "2.0.0".to_string(),
+            fetched_at: 1_700_000_000,
+            versions: Some(vec![
+                CachedVersionMeta {
+                    version: "2.0.0".to_string(),
+                    published_at: Some(1_700_000_000),
+                    yanked: false,
+                    prerelease: false,
+                },
+                CachedVersionMeta {
+                    version: "1.9.0".to_string(),
+                    published_at: None,
+                    yanked: true,
+                    prerelease: false,
+                },
+            ]),
+        };
+        let json = serde_json::to_string(&entry).unwrap();
+        let back: CacheEntry = serde_json::from_str(&json).unwrap();
+        assert_eq!(back.version, entry.version);
+        let metas = back.versions.expect("versions must round-trip");
+        assert_eq!(metas.len(), 2);
+        assert!(metas.iter().any(|m| m.yanked));
+        assert!(
+            metas
+                .iter()
+                .any(|m| m.version == "2.0.0" && m.published_at == Some(1_700_000_000))
+        );
+    }
+
+    #[test]
+    fn test_cache_entry_skips_serializing_none_versions() {
+        // Ensure the new field is omitted from JSON when absent, keeping
+        // file size small and preserving compatibility with older readers.
+        let entry = CacheEntry {
+            version: "1.0.0".to_string(),
+            fetched_at: 1_700_000_000,
+            versions: None,
+        };
+        let json = serde_json::to_string(&entry).unwrap();
+        assert!(
+            !json.contains("versions"),
+            "versions field must be omitted when None, got: {json}"
+        );
+    }
+
     #[test]
     fn test_cache_file_operations() {
         use tempfile::tempdir;

{upd_cli-0.1.1 → upd_cli-0.1.2}/src/cli.rs

@@ -161,6 +161,17 @@ pub struct Cli {
     #[arg(long, global = true)]
     pub show_config: bool,
 
+    /// Minimum release age before a version is eligible for update.
+    ///
+    /// Overrides the `[cooldown]` config for this run. Setting `--min-age 0`
+    /// disables cooldown entirely. Accepts durations like `72h`, `7d`, `2w`.
+    ///
+    /// Example: `upd --min-age 7d` only updates to versions published at least
+    /// 7 days ago. Protects against supply-chain attacks that rely on freshly
+    /// published malicious packages being installed before detection.
+    #[arg(long, global = true, value_name = "DURATION")]
+    pub min_age: Option<String>,
+
     /// Update only the named package(s), skipping all others.
     ///
     /// Comma-separated or repeatable. Exact case-sensitive match.
@@ -275,6 +286,7 @@ mod tests {
         assert!(!cli.apply);
         assert!(cli.paths.is_empty());
         assert!(cli.command.is_none());
+        assert!(cli.min_age.is_none());
     }
 
     #[test]
@@ -804,4 +816,29 @@ mod tests {
             "align --help should describe monorepo use-case; got:\n{align_help}"
         );
     }
+
+    #[test]
+    fn test_cli_parses_min_age() {
+        let cli = Cli::try_parse_from(["upd", "--min-age", "7d"]).unwrap();
+        assert_eq!(cli.min_age.as_deref(), Some("7d"));
+    }
+
+    #[test]
+    fn test_cli_min_age_zero_for_disable() {
+        let cli = Cli::try_parse_from(["upd", "--min-age", "0"]).unwrap();
+        assert_eq!(cli.min_age.as_deref(), Some("0"));
+    }
+
+    #[test]
+    fn test_cli_min_age_default_none() {
+        let cli = Cli::try_parse_from(["upd"]).unwrap();
+        assert!(cli.min_age.is_none());
+    }
+
+    #[test]
+    fn test_cli_min_age_is_global_across_subcommands() {
+        let cli = Cli::try_parse_from(["upd", "update", "--min-age", "14d", "path1"]).unwrap();
+        assert_eq!(cli.min_age.as_deref(), Some("14d"));
+        assert!(matches!(cli.command, Some(Command::Update { .. })));
+    }
 }