---
title: "Upstream publish date added for additional formats"
description: "You can now use the upstream publish date in Cloudsmith policies for Python, NuGet, Docker, Ruby, Go, Rust (Cargo), Conda, and Maven packages, expanding on the npm support added earlier this year. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., three days) after release."
canonical_url: "https://cloudsmith.com/changelog/upstream-publish-date-added-for-additional-formats"
last_updated: "2026-02-20T20:16:54.888Z"
---
# Upstream publish date added for additional formats

You can now use the upstream publish date in Cloudsmith policies for Python, NuGet, Docker, Ruby, Go, Rust (Cargo), Conda, and Maven packages, expanding on the npm support [added earlier this year](https://cloudsmith.com/changelog/enforce-vetting-for-npm-packages-with-publish-date-policies). This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., three days) after release.

## Why this matters

Implementing policies that delay package usage is an effective safeguard against zero-day attacks. Enforcing a time lag before consuming a new package version gives the community time to discover vulnerabilities and allows intelligence feeds to update.

When used alongside a Cloudsmith policy that blocks known malicious packages, this "soak period" ensures a robust defense for your software supply chain.

For more information on how we source publish date metadata for each format, [see our documentation here](https://docs.cloudsmith.com/supply-chain-security/epm/rego#recipe-9-package-publish-date).

```json
{
  "_key": "e4c1edc58c88",
  "_type": "code",
  "code": "package cloudsmith\n\ndefault match := false\n\n# A package is matched if its upstream publish date is within the past N days.\nwithin_past_days := 3\nsupported_formats := {\"npm\", \"python\", \"nuget\",\"maven\",\"docker\", \"ruby\", \"go\", \"cargo\", \"conda\"}\n\nmatch if count(reason) != 0\n\nreason contains msg if {\n    pkg := input.v0.package\n    within_past_days_date := time.add_date(time.now_ns(), 0, 0, 0 - within_past_days)\n    publish_date := time.parse_rfc3339_ns(pkg.upstream_metadata.published_at)\n\n    # Match if the publish date comes after the date of the set number of days ago.\n    publish_date >= within_past_days_date\n    pkg.format in supported_formats\n\n    msg := sprintf(\"Package upstream publish date is %v (falls within the past %v days)\", [pkg.upstream_metadata.published_at, within_past_days])\n}\n",
  "filename": null,
  "language": "rego",
  "markDefs": null
}
```

**Package publish date is now available for npm, Python, NuGet, Docker, Ruby, Go, Rust, Conda, and Maven**. Policy as code is an early access feature; [check the docs to learn more](https://docs.cloudsmith.com/supply-chain-security/epm) and [contact us](https://cloudsmith.com/company/contact-us) to get access today.
