
ENG-9664: pin workspace dependency resolution with uv exclude-newer #6594

Open

adhami3310 wants to merge 1 commit into main from khaleel/eng-9664-pin-workspace-dependency-resolution-with-uv-exclude-newer

Conversation

@adhami3310 (Member)

What

Add exclude-newer = "7 days" to the root [tool.uv] table so dependency resolution only considers package versions uploaded more than 7 days ago — more reproducible resolutions, avoids picking up brand-new (possibly broken/yanked) releases.

  • pyproject.toml: add exclude-newer = "7 days"; bump required-version to >=0.10 (the relative-duration form of exclude-newer requires a recent uv).
  • uv.lock: adds an [options] block recording exclude-newer-span = "P7D" (no package version changes).

Why root-only

This is a workspace-root setting. Verified empirically that the cutoff is honored and applies to every workspace member (packages/*, docs/app, docs/package): resolution invoked from a member directory discovers the root config and produces an identical result, so it does not need to be duplicated per package.

Closes ENG-9664

Add exclude-newer = "7 days" to the root [tool.uv] table so dependency
resolution only considers package versions uploaded more than 7 days ago,
for more reproducible resolutions across the workspace. Bump required-version
to >=0.10 (relative exclude-newer requires a recent uv). uv.lock gains an
[options] block recording exclude-newer-span = P7D (no version changes).
@adhami3310 adhami3310 requested a review from a team as a code owner June 1, 2026 21:49
@linear-code

linear-code Bot commented Jun 1, 2026

ENG-9664

@greptile-apps
Contributor

greptile-apps Bot commented Jun 1, 2026

Greptile Summary

Adds exclude-newer = "7 days" to the root [tool.uv] table to protect against brand-new or potentially-yanked PyPI releases and improve resolution reproducibility across all workspace members. The uv.lock change is auto-generated and records exclude-newer-span = "P7D" with a backward-compat sentinel timestamp; no package versions are altered.

  • pyproject.toml: adds exclude-newer = "7 days" and bumps required-version from >=0.7.0 to >=0.10; the relative-duration feature actually landed in 0.9.17, so the floor is slightly higher than necessary.
  • uv.lock: gains a new [options] block reflecting the span setting; the exclude-newer = "0001-01-01T00:00:00Z" entry is harmless and intended for older-uv backward compatibility.

Confidence Score: 4/5

Safe to merge; the only change is a configuration flag and its auto-generated lockfile entry, with no code logic touched.

The required-version was bumped to >=0.10 while the feature it gates (exclude-newer relative durations) actually shipped in 0.9.17 — contributors on 0.9.17–0.9.x will be unexpectedly blocked from running any uv command in the repo until they upgrade. Otherwise the change is straightforward and low-risk.

pyproject.toml — the required-version floor is worth a second look.

Important Files Changed

Filename | Overview
pyproject.toml | Adds exclude-newer = "7 days" to [tool.uv] for supply-chain safety; bumps required-version to >=0.10, which is stricter than the minimum needed (feature landed in 0.9.17).
uv.lock | Auto-generated [options] block records exclude-newer-span = "P7D" and a sentinel exclude-newer = "0001-01-01T00:00:00Z" for backward-compat; no package versions changed.

Reviews (1): Last reviewed commit: "ENG-9664: pin workspace dependency resol..."

Comment thread pyproject.toml

[tool.uv]
required-version = ">=0.7.0"
required-version = ">=0.10"
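Review bot: the new floor in this hunk, required-version = ">=0.10", carries no comment tying it to the relative-duration form of exclude-newer, so a later contributor has no way to see why it moved and may lower or raise it again without noticing the dependency; suggest a one-line TOML comment above required-version naming that reason, and, given the review below places the feature in 0.9.17, setting the floor to the actual minimum rather than 0.10.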
Contributor


P2 The relative-duration form of exclude-newer was introduced in uv 0.9.17 (released 2025-12-09), not 0.10. Setting required-version = ">=0.10" unnecessarily blocks contributors who are on any 0.9.17–0.9.x release from running any uv command in this repo. Lowering the floor to >=0.9.17 honours the actual minimum while being less disruptive.

Suggested change
required-version = ">=0.10"
required-version = ">=0.9.17"

@codspeed-hq

codspeed-hq Bot commented Jun 1, 2026

Merging this PR will not alter performance

✅ 24 untouched benchmarks

Comparing khaleel/eng-9664-pin-workspace-dependency-resolution-with-uv-exclude-newer (2d8d326) with main (dc9bfad)



2 participants