Upstream publish date added for additional formats

You can now use the upstream publish date in Cloudsmith policies for Python, NuGet, Docker, Ruby, Go, Rust (Cargo), Conda, and Maven packages, expanding on the npm support added earlier this year. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., three days) after release.

Why this matters

Implementing policies that delay package usage is an effective safeguard against zero-day attacks. Enforcing a time lag before consuming a new package version gives the community time to discover vulnerabilities and allows intelligence feeds to update.

When used alongside a Cloudsmith policy that blocks known malicious packages, this "soak period" ensures a robust defense for your software supply chain.

For more information on how we source publish date metadata for each format, see our documentation here.

package cloudsmith

# Enables the `if`, `contains` and `in` keywords on OPA releases before 1.0;
# accepted as a no-op on OPA 1.0 and later.
import rego.v1

default match := false

# A package is matched if its upstream publish date is within the past N days.
within_past_days := 3
supported_formats := {"npm", "python", "nuget", "maven", "docker", "ruby", "go", "cargo", "conda"}

match if count(reason) != 0

reason contains msg if {
    pkg := input.v0.package
    # The cut-off instant: N days before now.
    within_past_days_date := time.add_date(time.now_ns(), 0, 0, 0 - within_past_days)
    # Note: if upstream_metadata.published_at is absent, this expression is
    # undefined, the rule body does not evaluate, and the package is NOT matched
    # (the policy fails open for packages without upstream publish metadata).
    publish_date := time.parse_rfc3339_ns(pkg.upstream_metadata.published_at)

    # Match if the package was published on or after the cut-off instant.
    publish_date >= within_past_days_date
    pkg.format in supported_formats

    msg := sprintf("Package upstream publish date is %v (falls within the past %v days)", [pkg.upstream_metadata.published_at, within_past_days])
}
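As an added example (not Cloudsmith's own code), here is a Rego unit-test file that can be placed beside the policy above and run with `opa test .`; it pins `time.now_ns` to a fixed instant and feeds constructed package inputs, including a package without upstream metadata, which the rule leaves unmatched, and a hypothetical "helm" format that is outside the policy's supported set.

```rego
package cloudsmith_test

import rego.v1

# Constructed: a fixed "now" of 2024-01-10T00:00:00Z so the tests are deterministic.
fixed_now_ns := 1704844800000000000

# Constructed inputs in the shape the policy reads (input.v0.package).
# Published within the 3-day window (2024-01-07 .. 2024-01-10): expect a match.
fresh_pkg := {"v0": {"package": {"format": "python", "upstream_metadata": {"published_at": "2024-01-09T12:00:00Z"}}}}

# Published exactly at the cut-off instant: the `>=` comparison still matches.
boundary_pkg := {"v0": {"package": {"format": "nuget", "upstream_metadata": {"published_at": "2024-01-07T00:00:00Z"}}}}

# Published well before the window: expect no match.
old_pkg := {"v0": {"package": {"format": "python", "upstream_metadata": {"published_at": "2023-12-01T00:00:00Z"}}}}

# Hypothetical format not in supported_formats: expect no match even though it is fresh.
unsupported_pkg := {"v0": {"package": {"format": "helm", "upstream_metadata": {"published_at": "2024-01-09T12:00:00Z"}}}}

# No upstream metadata at all: the rule body is undefined, so the package is not matched (fails open).
no_metadata_pkg := {"v0": {"package": {"format": "python"}}}

test_fresh_package_is_matched if {
    data.cloudsmith.match with input as fresh_pkg with time.now_ns as fixed_now_ns
}

test_boundary_package_is_matched if {
    data.cloudsmith.match with input as boundary_pkg with time.now_ns as fixed_now_ns
}

test_old_package_is_not_matched if {
    not data.cloudsmith.match with input as old_pkg with time.now_ns as fixed_now_ns
}

test_unsupported_format_is_not_matched if {
    not data.cloudsmith.match with input as unsupported_pkg with time.now_ns as fixed_now_ns
}

test_missing_metadata_is_not_matched if {
    not data.cloudsmith.match with input as no_metadata_pkg with time.now_ns as fixed_now_ns
}

test_reason_message_names_the_window if {
    reasons := data.cloudsmith.reason with input as fresh_pkg with time.now_ns as fixed_now_ns
    count(reasons) == 1
    some msg in reasons
    contains(msg, "past 3 days")
}
```

The last two tests are the ones worth keeping an eye on: if you want packages with missing publish metadata quarantined rather than admitted, the policy needs an explicit rule for that case.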

Package publish date is now available for npm, Python, NuGet, Docker, Ruby, Go, Rust, Conda, and Maven. Policy as code is an early access feature; check the docs to learn more and contact us to get access today.
