TIL: Setting a minimum release age for packages
I learned, in the light of the axios compromise, that a good number of package managers support setting a minimum release age for packages:
~/.npmrc
min-release-age=7 # days
ignore-scripts=true
~/Library/Preferences/pnpm/rc
minimum-release-age=10080 # minutes
~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # seconds
For Python with uv (which by now should be the default):
~/.config/uv/uv.toml
exclude-newer = "7 days"
Alas, pip only supports filtering by date, and only in version 26.0 and later, with:
pip install --uploaded-prior-to=2026-03-31 SomePackage
That is a bit annoying, so a shortcut for the 7-day gating would be:
pip install --uploaded-prior-to=$(date -v-7d -u "+%Y-%m-%d") SomePackage
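The date -v-7d form in that shortcut is BSD/macOS syntax; GNU date on Linux takes -d "7 days ago" instead. A portable version of the shortcut, as an added example that is not from the original post (cutoff_date, pip_gated and PIP_MIN_AGE_DAYS are names made up here):

```shell
# Added example, not from the original post.
# cutoff_date, pip_gated and PIP_MIN_AGE_DAYS are hypothetical names.

# Print the UTC date N days ago (default 7) as YYYY-MM-DD,
# using whichever date(1) flavour is installed.
cutoff_date() {
    days="${1:-7}"
    # Accept only a plain non-negative integer, so nothing unexpected
    # is spliced into the date arguments below.
    case "$days" in
        ''|*[!0-9]*)
            echo "cutoff_date: days must be a non-negative integer" >&2
            return 2
            ;;
    esac
    # Try BSD/macOS syntax first; GNU date rejects -v and exits non-zero.
    if date -u -v-"${days}"d "+%Y-%m-%d" 2>/dev/null; then
        return 0
    fi
    # GNU coreutils syntax.
    date -u -d "${days} days ago" "+%Y-%m-%d"
}

# pip install with the release-age gate applied to every invocation.
# Needs a pip that supports --uploaded-prior-to (26.0 and later, per the post).
pip_gated() {
    cutoff="$(cutoff_date "${PIP_MIN_AGE_DAYS:-7}")" || return
    pip install --uploaded-prior-to="$cutoff" "$@"
}
```

Put both functions in your shell profile and call pip_gated SomePackage; set PIP_MIN_AGE_DAYS to change the window.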
There’s also pip-time-machine, which helps you find package versions from before a certain date.