
Takumi Guard for PyPI Adds a 3-Day Quarantine on New Packages

Deividas Turskis
Software Engineer @ GMO Flatt Security Inc.

Takumi Guard for PyPI now applies a 3-day quarantine to newly published packages.

When a new version appears on PyPI, it is held for 72 hours before being made available through Takumi Guard. This gives security analysis systems time to detect malicious packages before they are installed in your projects.

Background

Supply chain attacks targeting PyPI are increasing in both volume and sophistication. Attackers publish malicious packages and rely on automated tooling to pull them into projects within minutes — often before anyone has a chance to review them.

The majority of malicious packages are detected and removed within a few days of publication. By introducing a short waiting period, the quarantine significantly reduces the window of exposure.

This approach — known as a dependency cooldown — has been widely adopted across the JavaScript ecosystem (npm, pnpm, yarn, Bun). Takumi Guard brings the same protection to Python, working transparently with any package manager.

How It Works

From the developer's perspective, pip install works exactly as before — it installs the latest version that has passed the quarantine window.

# Example: package has versions 1.0.0 (5 days old) and 1.1.0 (1 day old)
$ pip install --index-url https://pypi.flatt.tech/simple/ example-package

# pip installs 1.0.0 (passes quarantine)
# 1.1.0 is not yet available (published less than 72 hours ago)

After 72 hours, version 1.1.0 becomes available automatically — no action needed.

Scenario | Behavior
--- | ---
Package has older and newer versions | Newer versions (< 72h) are hidden; pip installs the latest available version
All versions are newer than 72h | Package is temporarily unavailable
Package has only old versions | No change; all versions available as usual
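To make the three scenarios concrete, here is an added example (not Takumi Guard's code) of how a quarantining index can filter a project's releases and render the survivors as a PEP 503 project page. It assumes release metadata in the shape of PyPI's JSON API, plain dotted numeric versions, and treats a release as being as old as its newest uploaded file.

```python
from datetime import datetime, timedelta, timezone

QUARANTINE = timedelta(hours=72)

# Fixed "now" so the constructed sample behaves the same offline every run.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample in the shape of PyPI's JSON API "releases" map
# (version -> list of uploaded files); mirrors the 1.0.0 / 1.1.0 example above.
SAMPLE_RELEASES = {
    "1.0.0": [{"filename": "example_package-1.0.0-py3-none-any.whl",
               "upload_time_iso_8601": (NOW - timedelta(days=5)).isoformat()}],
    "1.1.0": [{"filename": "example_package-1.1.0-py3-none-any.whl",
               "upload_time_iso_8601": (NOW - timedelta(days=1)).isoformat()}],
}

def _upload_time(file_info):
    # Accepts both the "+00:00" offset and the "Z" suffix PyPI emits.
    return datetime.fromisoformat(file_info["upload_time_iso_8601"].replace("Z", "+00:00"))

def release_age(files, now):
    # Assumption (not stated on the page): a release is as old as its *newest*
    # file, so a wheel added to an old version later restarts its clock.
    return now - max(_upload_time(f) for f in files)

def version_key(version):
    # Assumes plain dotted numeric versions ("1.0.0"); a real index would
    # use packaging.version for full PEP 440 ordering.
    return tuple(int(part) for part in version.split("."))

def quarantine_filter(releases, now=None, window=QUARANTINE):
    """Keep only versions whose files have all been public for at least `window`."""
    now = now or datetime.now(timezone.utc)
    return {v: files for v, files in releases.items()
            if files and release_age(files, now) >= window}

def latest_available(releases, now=None, window=QUARANTINE):
    """Version pip would resolve; None means the package is temporarily unavailable."""
    visible = quarantine_filter(releases, now, window)
    return max(visible, key=version_key) if visible else None

def simple_index_html(project, releases, now=None, window=QUARANTINE):
    """Render the filtered releases as a PEP 503 project page (hrefs are placeholders)."""
    links = "\n".join(f'    <a href="{f["filename"]}">{f["filename"]}</a>'
                      for files in quarantine_filter(releases, now, window).values()
                      for f in files)
    return f"<!DOCTYPE html>\n<html><body>\n  <h1>Links for {project}</h1>\n{links}\n</body></html>"

if __name__ == "__main__":
    print(latest_available(SAMPLE_RELEASES, NOW))                      # 1.0.0 (1.1.0 still hidden)
    print(latest_available(SAMPLE_RELEASES, NOW + timedelta(days=2)))  # 1.1.0 once 72h have passed
    print(simple_index_html("example-package", SAMPLE_RELEASES, NOW))
```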

No Configuration Required

If you are already using Takumi Guard for PyPI (https://pypi.flatt.tech/simple/), the quarantine is applied automatically. No changes to your setup are needed.

export PIP_INDEX_URL=https://pypi.flatt.tech/simple/
pip install requests # works as before

The quarantine works with pip, uv, poetry, and any other PEP 503-compatible package manager — no per-tool configuration needed.