
chill-out


Have your dependencies chill out a bit while you make sure they are safe.


chill-out audits your lockfile for packages that are too fresh to trust. The lockfile is what actually gets installed, so that's where the risk lives: a dependency declared in pyproject.toml only matters once it shows up in uv.lock. Maintainer tokens get stolen, typosquatters grab package names, and plenty of releases are just broken. Cooldown is the practice of refusing any version that has been public for less than some grace period, long enough for the community to spot trouble and react.

The threat model is straightforward. Supply chain attacks (compromised maintainer accounts, hijacked publishing tokens) surface as a brand-new release. If your cooldown window is 14 days and you run chill-out before every deploy, a malicious release has to go unnoticed through two weeks of public exposure before it can reach production. The window buys time for someone to notice and for the release to be yanked or reported; it does not vet the release itself, so it complements review and scanning rather than replacing them. Transitives matter as much as direct deps, sometimes more, since they are exactly the packages nobody vets by hand.

GitHub's Dependabot supports cooldown windows natively, but Dependabot only runs on the schedule you give it. chill-out runs on demand from your terminal, your CI, or your editor: it reads your lockfile end-to-end, asks the registry when each entry was published, and tells you which packages are still inside the cooldown window. When it can, it suggests an older version that is safely past its cooldown, or fixes your locked dependencies outright.

It works for both npm projects (via package.json and package-lock.json) and uv projects (via pyproject.toml and uv.lock).
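The loop described above (read every locked entry, ask the registry when that version was published, flag anything inside the window, and suggest the newest release that is already past it) is small enough to write out. The following is an added example, not chill-out's own code, and it makes no claim about how chill-out is implemented. The `uv.lock` fragment, the registry snapshot and the clock are constructed so it runs offline; the comment about fetching `https://pypi.org/pypi/<name>/json` and reading `upload_time_iso_8601` describes the public PyPI JSON API a real checker would call, not anything chill-out exposes.

```python
"""Worked cooldown check over a uv.lock.

Added example, not chill-out's own code. The lockfile text, the registry
snapshot and the clock are constructed so this runs offline. A real checker
would fetch https://pypi.org/pypi/<name>/json and read each release's
"upload_time_iso_8601" field (PyPI JSON API; chill-out may do it differently).
"""
from __future__ import annotations

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore[no-redef]

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed uv.lock fragment: only the fields the check needs.
UV_LOCK = """\
version = 1

[[package]]
name = "requests"
version = "2.32.3"

[[package]]
name = "urllib3"
version = "2.3.0"

[[package]]
name = "idna"
version = "3.10"
"""

# Constructed registry snapshot: name -> {version: first upload time, UTC}.
REGISTRY: dict[str, dict[str, str]] = {
    "requests": {"2.31.0": "2023-05-22T15:12:44Z", "2.32.3": "2025-06-05T09:00:00Z"},
    "urllib3": {"2.2.3": "2024-09-12T10:52:24Z", "2.3.0": "2025-06-09T14:30:00Z"},
    "idna": {"3.10": "2024-09-15T18:07:53Z"},
}

# Pinned clock so the ages computed below are deterministic.
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    age_days: float | None   # None: the registry has no record of this version
    suggestion: str | None   # newest release already past the cooldown, if any


def _parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def locked_packages(lock_text: str) -> list[tuple[str, str]]:
    """Every [[package]] entry in the lockfile, direct and transitive alike."""
    data = tomllib.loads(lock_text)
    return [(pkg["name"], pkg["version"]) for pkg in data.get("package", [])]


def check_cooldown(lock_text: str, registry: dict[str, dict[str, str]],
                   cooldown_days: int, now: datetime = NOW) -> list[Finding]:
    """One Finding per locked version that is too fresh or cannot be dated."""
    cutoff = now - timedelta(days=cooldown_days)
    findings: list[Finding] = []
    for name, version in locked_packages(lock_text):
        releases = {v: _parse_time(t) for v, t in registry.get(name, {}).items()}
        # Sort by upload time, not by version string; the last mature entry is
        # the most recently published release that has already cooled down.
        mature = sorted((t, v) for v, t in releases.items() if t <= cutoff)
        suggestion = mature[-1][1] if mature else None
        published = releases.get(version)
        if published is None:
            # Fail closed: a version the registry cannot date cannot be vetted.
            findings.append(Finding(name, version, None, suggestion))
            continue
        if published > cutoff:
            age = (now - published) / timedelta(days=1)
            findings.append(Finding(name, version, age, suggestion))
    return findings


def format_report(findings: list[Finding], cooldown_days: int) -> list[str]:
    lines = []
    for f in findings:
        age = "unknown publish date" if f.age_days is None else f"{f.age_days:.1f} days old"
        fix = f"consider {f.name}=={f.suggestion}" if f.suggestion else "no release past cooldown"
        lines.append(f"{f.name}=={f.version}: {age}, inside {cooldown_days}-day cooldown; {fix}")
    return lines


if __name__ == "__main__":
    for line in format_report(check_cooldown(UV_LOCK, REGISTRY, 14), 14):
        print(line)
```

Two choices worth noting: the suggestion is picked by upload time rather than by comparing version strings, because a registry can publish a backport after a newer line and lexical version order is unreliable; and a locked version the registry cannot date is reported rather than skipped, since silently passing it would defeat the point of the check.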

Quick install

pip install chill-out

Then, in any Python or npm project:

chill-out check

Where to next

  • Quickstart walks through running your first check
  • Configuration explains how the cooldown thresholds are picked up
  • Ecosystems describes what each backend does
  • Comparison shows where chill-out fits relative to Renovate, Dependabot, and other tools
  • Case study walks a small project through ninety days of dependency churn with chill-out in the loop
  • CLI is the full command reference
  • Programmatic API shows how to use chill-out from your own code
  • GitHub Actions collects recipes for running chill-out in CI
  • Reference is the auto-generated API documentation