---
title: "Cooldown policies now prevent builds from seeing non-compliant packages"
description: "A cooldown policy now filters non-compliant package versions from the repository index before package managers ever see them. This provides both security control and a better developer experience: clean resolution to the next compliant version, no build failures, and no waiting."
canonical_url: "https://cloudsmith.com/changelog/cooldown-policies-now-prevent-builds-from-seeing-non-compliant-packages"
last_updated: "2026-06-02T09:09:28.476Z"
---
# Cooldown policies now prevent builds from seeing non-compliant packages

A cooldown policy now filters non-compliant package versions from the repository index before package managers ever see them. This provides both security control and a better developer experience: clean resolution to the next compliant version, no build failures, and no waiting.

## **Why this matters**

Malicious packages typically live in public registries for hours before detection. In that window, automated CI/CD pipelines can pull them straight into customer builds. A package cooldown policy closes that gap by enforcing a minimum age requirement on packages before they're available to install.

Previously, cooldowns were enforced at the point of download, meaning a build requesting a version still within the cooldown window would fail to resolve. Now, we’ve moved enforcement to the repository index, filtering out non-compliant versions before package managers see them. Builds resolve cleanly to the first available compliant version, with no iterative build failures.

With Cloudsmith’s cooldown policies:

- **Non-compliant package versions are filtered automatically:** Package managers only ever see versions that meet your policy requirements.
- **Builds just work:** Builds succeed without retries, failures, or workarounds. Developers don't need to worry about the impact of having a cooldown policy in effect.
- **Enforcement is server side and enterprise wide:** Security teams configure policies once in Cloudsmith, applied consistently across every consumer of the registry, no per-client configuration required.



## **How it works**

1. Define a **cooldown period** (for example, 3 days) for the repositories and formats you want to protect.
2. When a package manager requests the index, Cloudsmith evaluates every version against the policy in real time.
3. Versions that **do not meet the age requirement** are filtered from the index, and the package manager **automatically resolves to the first available compliant version**.

```json
{
  "_key": "f113b277b5eb",
  "_type": "image",
  "alt": "The Edit policy view of a Cloudsmith cooldown policy.",
  "asset": {
    "_createdAt": "2026-06-02T09:05:23Z",
    "_id": "image-a94751117e34f365545ae011b9502ea48e4a4f05-2288x1454-png",
    "_rev": "j4ReSt2YzTt4zemb027zWM",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2026-06-02T09:05:23Z",
    "assetId": "a94751117e34f365545ae011b9502ea48e4a4f05",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "VzONF3~qkCITt7?bIUWBt7WB-;IUayt7WCofofa|f6az",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.5735900962861074,
        "height": 1454,
        "width": 2288
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAABYlAAAWJQFJUiTwAAACuklEQVR4nH2SW2tcVRiG932SOe49M5mmmUm9kLSmrVUEUfwZ1toYzWCj0kq96DF6YcFfoIiCV1bxb3ijIG1CUjMJOkTMwRhDEme6j2uvw35k78xULeKCh7XWxXq/5/tYVhwrQiEQUqKNIUmSf0Cfo/t/LWPAjxL+9DSBSLDCKMb1AtwgJIolUmmU1v3dZEV0uuvHix0Rq4TdrqazI9nraaw0xI8EQSSywFiqzDaWEqV0FmRMkvG4Y3rXBtzIcOBqvMhgRUoSiJgwlgipiJUmlqmhemTpByEbm1u0V9dYWWmz0l79Fz+211j9qcPG1m9HhocPffa7Hl0vxAtT43Suiig+orP+K598+jlzb19mtjXX51KfOWbffIer127z8WdfYHlBxPr2HzzobPDz5i57XR83VARCE8WaMNbcX3zAG623aE48yWi9QbV2HKdSx6kco1Idw6keY/Kps8y0LmH1vIC1X7a5t9Khvb7Ffs8njE027BQhDfcWlnl1epZavUnRrpEvOgyPFBkaKTKcKzE0nGe8cYKXX7mIlc4ubXfvsEfX9RGxQpkEpQcYFhaXmZ5pUT8+gV0dpeRUyRdtRgplcgU7C280TnA+DUwfpW2lMxNSE6u/7bKzNNxfXOK111uMjU/g1OqUKzUKJZtcFlhmaKSQGWaB6cOuL9nrioz9h5IDV3E4wFN898MSF2fSwCbOaB27llpWKNoOBdshVyjRaD7B+QvTWEImWcj2gWB7X7BzKPm9q9gd0FN8+/0SF6ZnGR0bp1ytUapUKZRtcqUy+ZLNcL7IeHPQsoFAGNxQ44Ym+5y+SPoYPGFYWF7l3feu8exzz3P66WeYOnuOk1NnmDx1mslTZ5g8OcULL77E5StXsUwCSv8/m1s73P3qG+Y/+JCbt97nxq15rt+c5/qNAbe5c+cjvrz7NX8BmyslW48CxVQAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1f2d37",
          "foreground": "#fff",
          "population": 0.8,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#254056",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#d9e4f2",
          "foreground": "#000",
          "population": 3.05,
          "title": "#000"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c3ceda",
          "foreground": "#000",
          "population": 1.43,
          "title": "#000"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#d9e4f2",
          "foreground": "#000",
          "population": 3.05,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#6c7c84",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#4b8ef9",
          "foreground": "#fff",
          "population": 0.03,
          "title": "#fff"
        }
      },
      "thumbHash": "7PcVBICPhIlcl3dbl4c23yryvA=="
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot 2026-06-02 at 10.04.44.png",
    "path": "images/rafvlnhi/production/a94751117e34f365545ae011b9502ea48e4a4f05-2288x1454.png",
    "sha1hash": "a94751117e34f365545ae011b9502ea48e4a4f05",
    "size": 376229,
    "uploadId": "yZ6Kurkss3MzZvjg31EDJqFSOZIqDuod",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/a94751117e34f365545ae011b9502ea48e4a4f05-2288x1454.png"
  },
  "link": {
    "_type": "link",
    "href": null,
    "openInNewTab": false
  },
  "markDefs": null
}
```

### **Supported package formats**

- Python
- npm

****

## **Getting started**

This feature is available in Early Access for Ultra and Enterprise customers.

Check out our [documentation](https://docs.cloudsmith.com/supply-chain-security/epm/cooldown-policy) to learn more, or [contact us](/company/contact-us) to request early access or register interest in additional format support.
