# Takumi Guard for PyPI Adds a 3-Day Quarantine on New Packages

Takumi Guard for PyPI now applies a **3-day quarantine** to newly published packages.

When a new version appears on PyPI, it is held for 72 hours before being made available through Takumi Guard. This gives security analysis systems time to detect malicious packages **before they are installed in your projects**.

## Background

Supply chain attacks targeting PyPI are increasing in both volume and sophistication. Attackers publish malicious packages and rely on automated tooling to pull them into projects within minutes — often before anyone has a chance to review them.

The majority of malicious packages are detected and removed within a few days of publication. By introducing a short waiting period, the quarantine significantly reduces the window of exposure.

This approach — known as a **dependency cooldown** — has been widely adopted across the JavaScript ecosystem (npm, pnpm, yarn, Bun). Takumi Guard brings the same protection to Python, working transparently with any package manager.

## How It Works

From the developer's perspective, `pip install` works exactly as before — it installs the latest version that has passed the quarantine window.

```
# Example: package has versions 1.0.0 (5 days old) and 1.1.0 (1 day old)
$ pip install --index-url https://pypi.flatt.tech/simple/ example-package

# pip installs 1.0.0 (passes quarantine)
# 1.1.0 is not yet available (published less than 72 hours ago)
```

After 72 hours, version 1.1.0 becomes available automatically — no action needed.

| Scenario                             | Behavior                                                                     |
| ------------------------------------ | ---------------------------------------------------------------------------- |
| Package has older and newer versions | Newer versions (< 72h) are hidden; pip installs the latest available version |
| All versions are newer than 72h      | Package is temporarily unavailable                                           |
| Package has only old versions        | No change; all versions available as usual                                   |
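As an added illustration of the three table scenarios (example code, not Takumi Guard's own implementation), here is the quarantine rule applied to a constructed PEP 691 JSON simple-index response. It assumes the upstream index supplies a per-file `upload-time` as PEP 691 defines, and that wheel filenames carry the version in their second dash-separated field.

```python
from datetime import datetime, timedelta

QUARANTINE = timedelta(hours=72)

# Constructed PEP 691 project response (not real index data): two releases.
SAMPLE_PROJECT = {
    "name": "example-package",
    "files": [
        {"filename": "example_package-1.0.0-py3-none-any.whl",
         "upload-time": "2024-05-01T12:00:00Z"},
        {"filename": "example_package-1.1.0-py3-none-any.whl",
         "upload-time": "2024-05-05T12:00:00Z"},
    ],
}


def parse_upload_time(value: str) -> datetime:
    """PEP 691 upload-time is ISO 8601 in UTC; accept the trailing 'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def wheel_version(filename: str) -> str:
    """The second dash-separated field of a wheel filename is the version."""
    return filename.split("-")[1]


def filter_quarantined(project: dict, now: datetime) -> dict:
    """Copy of the project response with files younger than QUARANTINE removed.

    A file with no upload-time (or one dated in the future) is hidden: its age
    cannot be shown to exceed the quarantine, so it is treated as new.
    """
    kept = [f for f in project.get("files", [])
            if "upload-time" in f
            and now - parse_upload_time(f["upload-time"]) >= QUARANTINE]
    return {**project, "files": kept}


def classify(project: dict, now: datetime) -> str:
    """Map a project to one of the three scenarios in the table above."""
    total = len(project.get("files", []))
    visible = len(filter_quarantined(project, now)["files"])
    if visible == 0:
        return "unavailable"          # every version is newer than 72h
    if visible < total:
        return "partially-hidden"     # newer versions hidden, older served
    return "unchanged"                # nothing is under quarantine
```

Calling `filter_quarantined(SAMPLE_PROJECT, parse_upload_time("2024-05-06T12:00:00Z"))` leaves only the 1.0.0 wheel, matching the `pip install` session shown earlier.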

## No Configuration Required

If you are already using Takumi Guard for PyPI (`https://pypi.flatt.tech/simple/`), the quarantine is applied automatically. No changes to your setup are needed.

```bash
export PIP_INDEX_URL=https://pypi.flatt.tech/simple/
pip install requests  # works as before
```

The quarantine works with pip, uv, poetry, and any other PEP 503-compatible package manager — no per-tool configuration needed.
