From 7e490958e505e5c7b52517d18bd3573cfe3eca16 Mon Sep 17 00:00:00 2001 From: Julian Risch Date: Wed, 22 Apr 2026 12:35:49 +0200 Subject: [PATCH 1/7] chore: add uv exclude-newer and Dependabot cooldown as supply chain guardrails Co-Authored-By: Claude Sonnet 4.6 --- .github/dependabot.yml | 9 +++++++++ pyproject.toml | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6778b0493a..b0ab927c90 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,12 @@ updates: directory: '/' schedule: interval: 'daily' + cooldown: + default-days: 1 + + - package-ecosystem: 'pip' + directory: '/' + schedule: + interval: 'daily' + cooldown: + default-days: 1 diff --git a/pyproject.toml b/pyproject.toml index 40a549bc96..1256a1fcbc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -363,5 +363,13 @@ ignore = [ "test/tools/test_parameters_schema_utils.py" = ["UP007"] "test/utils/test_type_serialization.py" = ["UP006", "UP007", "UP035", "UP045"] +[tool.uv] +# Exclude package versions published within the last 24 hours to protect against supply chain +# attacks via compromised dependencies. uv resolves this relative to the current clock at +# install/lock time, so no manual date updates are needed. +# First-party packages are exempted so freshly published releases are always resolvable. +exclude-newer = "24 hours" +exclude-newer-package = { haystack-experimental = "0 days", haystack-pydoc-tools = "0 days" } + [tool.coverage.run] omit = ["haystack/testing/*"] From 4c9b0a4cdca627a03df0f3881ce86c54e33e029f Mon Sep 17 00:00:00 2001 
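Review bot: A one-day cooldown (`default-days: 1` on both entries of the dependabot.yml hunk) only delays when Dependabot opens version-update PRs, and a single day sits at the short end of the window in which compromised releases are usually reported and yanked; a more conservative default such as `default-days: 7`, with per-package overrides where freshness matters, would buy noticeably more margin. As far as I know Dependabot security updates are not subject to the cooldown, so a longer value should not delay advisory-driven bumps, but that is worth confirming against the Dependabot documentation before raising it. If the repository also maintains a `uv.lock`, note that the new `pip` ecosystem entry will not update that file; a separate `package-ecosystem: 'uv'` entry would be needed for it.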
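Review bot: The relative form `exclude-newer = "24 hours"` only parses on uv releases that accept durations rather than RFC 3339 timestamps, and nothing in the pyproject hunk pins uv, so an older uv on a developer machine or runner would fail to resolve rather than silently skip the guard; adding a `required-version` constraint to `[tool.uv]` matching the first uv release with relative-duration support would make the failure mode explicit. The `exclude-newer-package` entries set `haystack-experimental` and `haystack-pydoc-tools` to `"0 days"`, which means a compromise of those two PyPI publishing identities is precisely the case the guard no longer covers; if they genuinely need to be installable on release day, pinning them to explicit versions where they are declared would keep the protection without the blanket exemption. Two things to verify rather than assume: uv records the effective cutoff in `uv.lock`'s `[options]` table, so `uv lock --check` may not be stable when the cutoff is a moving relative timestamp, and the filter relies on index-provided upload times, so any extra index that does not publish them may have its packages excluded wholesale.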
From: Julian Risch Date: Thu, 30 Apr 2026 08:27:45 +0200 Subject: [PATCH 2/7] chore: add pip --uploaded-prior-to P1D cooldown to all CI pip installs Extends the supply chain hardening by passing --uploaded-prior-to P1D (pip 26.1 relative duration format) to every pip install command across CI workflows, so packages published within the last 24 hours are excluded at install time. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/check_api_ref.yml | 2 +- .../workflows/docs-website-test-docs-snippets.yml | 4 ++-- .github/workflows/docs_search_sync.yml | 2 +- .github/workflows/docusaurus_sync.yml | 2 +- .github/workflows/e2e.yml | 2 +- .github/workflows/github_release.yml | 2 +- .github/workflows/license_compliance.yml | 2 +- .github/workflows/nightly_testpypi_release.yml | 2 +- .github/workflows/pypi_release.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/release_notes.yml | 2 +- .github/workflows/slow.yml | 2 +- .github/workflows/tests.yml | 14 +++++++------- 13 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/check_api_ref.yml b/.github/workflows/check_api_ref.yml index 00c671c6b6..14a7a54e8d 100644 --- a/.github/workflows/check_api_ref.yml +++ b/.github/workflows/check_api_ref.yml @@ -65,7 +65,7 @@ jobs: - name: Install Hatch if: steps.changed.outputs.needs_check == 'true' - run: pip install hatch + run: pip install hatch --uploaded-prior-to P1D - name: Generate API references if: steps.changed.outputs.needs_check == 'true' diff --git a/.github/workflows/docs-website-test-docs-snippets.yml b/.github/workflows/docs-website-test-docs-snippets.yml index 16864c84dd..8557e671b4 100644 --- a/.github/workflows/docs-website-test-docs-snippets.yml +++ b/.github/workflows/docs-website-test-docs-snippets.yml 
@@ -38,7 +38,7 @@ jobs: python-version: '3.11' - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Generate API reference for Docusaurus run: hatch run docs @@ -46,7 +46,7 @@ jobs: - name: Install base dependencies run: | python -m pip install --upgrade pip - pip install requests toml + pip install requests toml --uploaded-prior-to P1D - name: Run snippet tests (verbose) shell: bash diff --git a/.github/workflows/docs_search_sync.yml b/.github/workflows/docs_search_sync.yml index 75c9b17e84..ea3ea6b1c2 100644 --- a/.github/workflows/docs_search_sync.yml +++ b/.github/workflows/docs_search_sync.yml @@ -38,7 +38,7 @@ jobs: - name: Install script dependencies # sniffio is needed because of https://github.com/deepset-ai/deepset-cloud-sdk/issues/286 # we pin pyrate-limiter due to https://github.com/deepset-ai/deepset-cloud-sdk/issues/295 - run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" + run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to P1D - name: Update new docs to Search pipeline and remove outdated docs env: diff --git a/.github/workflows/docusaurus_sync.yml b/.github/workflows/docusaurus_sync.yml index 7608187fcd..824daf4901 100644 --- a/.github/workflows/docusaurus_sync.yml +++ b/.github/workflows/docusaurus_sync.yml @@ -30,7 +30,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Generate API reference for Docusaurus run: hatch run docs diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 9cae97d6db..04d877a48e 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml 
@@ -34,7 +34,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Run tests run: hatch run e2e:test diff --git a/.github/workflows/github_release.yml b/.github/workflows/github_release.yml index 4a233a8104..44ff783736 100644 --- a/.github/workflows/github_release.yml +++ b/.github/workflows/github_release.yml @@ -27,7 +27,7 @@ jobs: - name: Install reno run: | python -m pip install --upgrade pip - pip install "reno<5" + pip install "reno<5" --uploaded-prior-to P1D # Remove next version rc0 tag in the CI environment to prevent reno from assigning notes to future releases. # This ensures release notes are correctly aggregated for the current version. diff --git a/.github/workflows/license_compliance.yml b/.github/workflows/license_compliance.yml index bd1b0c97e6..38d19dc659 100644 --- a/.github/workflows/license_compliance.yml +++ b/.github/workflows/license_compliance.yml @@ -29,7 +29,7 @@ jobs: - name: Get direct dependencies run: | - pip install toml + pip install toml --uploaded-prior-to P1D python .github/utils/pyproject_to_requirements.py pyproject.toml > ${{ env.REQUIREMENTS_FILE }} - name: Check Licenses diff --git a/.github/workflows/nightly_testpypi_release.yml b/.github/workflows/nightly_testpypi_release.yml index 7f2a5e610a..34ab5e2d73 100644 --- a/.github/workflows/nightly_testpypi_release.yml +++ b/.github/workflows/nightly_testpypi_release.yml @@ -36,7 +36,7 @@ jobs: echo "Building haystack-ai version: ${NIGHTLY_VERSION}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Build Haystack run: hatch build diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/pypi_release.yml index ef92315463..aba71b514c 100644 --- a/.github/workflows/pypi_release.yml 
+++ b/.github/workflows/pypi_release.yml @@ -22,7 +22,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Build Haystack run: hatch build diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 08843b40f0..e980591c79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -175,7 +175,7 @@ jobs: python-version: "3.13" - name: Install tomlkit - run: pip install tomlkit + run: pip install tomlkit --uploaded-prior-to P1D - name: Update haystack-ai in uv.lock run: python haystack/.github/utils/update_haystack_dc_custom_nodes.py "${{ env.VERSION }}" deepset-cloud-custom-nodes/uv.lock diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 268e41e2c2..3c700141ac 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml @@ -51,7 +51,7 @@ jobs: - name: Verify release notes formatting if: steps.changed-files.outputs.any_changed == 'true' && !contains( github.event.pull_request.labels.*.name, 'ignore-for-release-notes') run: | - pip install "reno<5" + pip install "reno<5" --uploaded-prior-to P1D reno lint . # it is not possible to pass a list of files to reno lint - name: Check reStructuredText code formatting diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml index 79081c031f..90add6904d 100644 --- a/.github/workflows/slow.yml +++ b/.github/workflows/slow.yml @@ -139,7 +139,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Run Tika if: matrix.os == 'ubuntu-latest' diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index daddef7659..fb7261913f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -78,7 +78,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Ruff - check format and linting run: hatch run fmt-check @@ -97,7 +97,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D - name: Check imports run: hatch run python .github/utils/check_imports.py @@ -125,7 +125,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - name: Run @@ -177,7 +177,7 @@ jobs: id: hatch if: steps.files.outputs.any_changed == 'true' run: | - pip install hatch==${{ env.HATCH_VERSION }} + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - name: Mypy @@ -202,7 +202,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" @@ -228,7 +228,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 @@ -260,7 +260,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - name: Run From 908c009dc0651a6e39e3dc1871f61d0dd17d7184 Mon Sep 17 00:00:00 2001 
From: Julian Risch Date: Thu, 30 Apr 2026 08:51:13 +0200 Subject: [PATCH 3/7] fix: use --uploaded-prior-to=P1D syntax for pip cooldown pip 26.1 requires the value to be joined with = rather than a space for the relative duration format to be parsed correctly. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/check_api_ref.yml | 2 +- .../workflows/docs-website-test-docs-snippets.yml | 4 ++-- .github/workflows/docs_search_sync.yml | 2 +- .github/workflows/docusaurus_sync.yml | 2 +- .github/workflows/e2e.yml | 2 +- .github/workflows/github_release.yml | 2 +- .github/workflows/license_compliance.yml | 2 +- .github/workflows/nightly_testpypi_release.yml | 2 +- .github/workflows/pypi_release.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/release_notes.yml | 2 +- .github/workflows/slow.yml | 2 +- .github/workflows/tests.yml | 14 +++++++------- 13 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/check_api_ref.yml b/.github/workflows/check_api_ref.yml index 14a7a54e8d..b40a9197e2 100644 --- a/.github/workflows/check_api_ref.yml +++ b/.github/workflows/check_api_ref.yml @@ -65,7 +65,7 @@ jobs: - name: Install Hatch if: steps.changed.outputs.needs_check == 'true' - run: pip install hatch --uploaded-prior-to P1D + run: pip install hatch --uploaded-prior-to=P1D - name: Generate API references if: steps.changed.outputs.needs_check == 'true' diff --git a/.github/workflows/docs-website-test-docs-snippets.yml b/.github/workflows/docs-website-test-docs-snippets.yml index 8557e671b4..c5f1b073c2 100644 --- a/.github/workflows/docs-website-test-docs-snippets.yml +++ b/.github/workflows/docs-website-test-docs-snippets.yml @@ -38,7 +38,7 @@ jobs: python-version: '3.11' - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Generate API reference for Docusaurus run: hatch run docs 
@@ -46,7 +46,7 @@ jobs: - name: Install base dependencies run: | python -m pip install --upgrade pip - pip install requests toml --uploaded-prior-to P1D + pip install requests toml --uploaded-prior-to=P1D - name: Run snippet tests (verbose) shell: bash diff --git a/.github/workflows/docs_search_sync.yml b/.github/workflows/docs_search_sync.yml index ea3ea6b1c2..71cf28f356 100644 --- a/.github/workflows/docs_search_sync.yml +++ b/.github/workflows/docs_search_sync.yml @@ -38,7 +38,7 @@ jobs: - name: Install script dependencies # sniffio is needed because of https://github.com/deepset-ai/deepset-cloud-sdk/issues/286 # we pin pyrate-limiter due to https://github.com/deepset-ai/deepset-cloud-sdk/issues/295 - run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to P1D + run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to=P1D - name: Update new docs to Search pipeline and remove outdated docs env: diff --git a/.github/workflows/docusaurus_sync.yml b/.github/workflows/docusaurus_sync.yml index 824daf4901..608053b354 100644 --- a/.github/workflows/docusaurus_sync.yml +++ b/.github/workflows/docusaurus_sync.yml @@ -30,7 +30,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Generate API reference for Docusaurus run: hatch run docs diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 04d877a48e..aa2b8c5be7 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -34,7 +34,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Run tests run: hatch run e2e:test 
diff --git a/.github/workflows/github_release.yml b/.github/workflows/github_release.yml index 44ff783736..64142e1580 100644 --- a/.github/workflows/github_release.yml +++ b/.github/workflows/github_release.yml @@ -27,7 +27,7 @@ jobs: - name: Install reno run: | python -m pip install --upgrade pip - pip install "reno<5" --uploaded-prior-to P1D + pip install "reno<5" --uploaded-prior-to=P1D # Remove next version rc0 tag in the CI environment to prevent reno from assigning notes to future releases. # This ensures release notes are correctly aggregated for the current version. diff --git a/.github/workflows/license_compliance.yml b/.github/workflows/license_compliance.yml index 38d19dc659..c9e3853162 100644 --- a/.github/workflows/license_compliance.yml +++ b/.github/workflows/license_compliance.yml @@ -29,7 +29,7 @@ jobs: - name: Get direct dependencies run: | - pip install toml --uploaded-prior-to P1D + pip install toml --uploaded-prior-to=P1D python .github/utils/pyproject_to_requirements.py pyproject.toml > ${{ env.REQUIREMENTS_FILE }} - name: Check Licenses diff --git a/.github/workflows/nightly_testpypi_release.yml b/.github/workflows/nightly_testpypi_release.yml index 34ab5e2d73..a7d8899d98 100644 --- a/.github/workflows/nightly_testpypi_release.yml +++ b/.github/workflows/nightly_testpypi_release.yml @@ -36,7 +36,7 @@ jobs: echo "Building haystack-ai version: ${NIGHTLY_VERSION}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Build Haystack run: hatch build diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/pypi_release.yml index aba71b514c..aa2a88ddd0 100644 --- a/.github/workflows/pypi_release.yml +++ b/.github/workflows/pypi_release.yml 
@@ -22,7 +22,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Build Haystack run: hatch build diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e980591c79..92d63cdc33 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -175,7 +175,7 @@ jobs: python-version: "3.13" - name: Install tomlkit - run: pip install tomlkit --uploaded-prior-to P1D + run: pip install tomlkit --uploaded-prior-to=P1D - name: Update haystack-ai in uv.lock run: python haystack/.github/utils/update_haystack_dc_custom_nodes.py "${{ env.VERSION }}" deepset-cloud-custom-nodes/uv.lock diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 3c700141ac..06fac6b06e 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml @@ -51,7 +51,7 @@ jobs: - name: Verify release notes formatting if: steps.changed-files.outputs.any_changed == 'true' && !contains( github.event.pull_request.labels.*.name, 'ignore-for-release-notes') run: | - pip install "reno<5" --uploaded-prior-to P1D + pip install "reno<5" --uploaded-prior-to=P1D reno lint . # it is not possible to pass a list of files to reno lint - name: Check reStructuredText code formatting diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml index 90add6904d..4ab1b0af9a 100644 --- a/.github/workflows/slow.yml +++ b/.github/workflows/slow.yml @@ -139,7 +139,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Run Tika if: matrix.os == 'ubuntu-latest' diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index fb7261913f..d1acee488c 100644 
--- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -78,7 +78,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Ruff - check format and linting run: hatch run fmt-check @@ -97,7 +97,7 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Check imports run: hatch run python .github/utils/check_imports.py @@ -125,7 +125,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - name: Run @@ -177,7 +177,7 @@ jobs: id: hatch if: steps.files.outputs.any_changed == 'true' run: | - pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - name: Mypy @@ -202,7 +202,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" @@ -228,7 +228,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 
@@ -260,7 +260,7 @@ jobs: id: hatch shell: bash run: | - pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to P1D + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" - name: Run From 23af8f7e3e3b6790a1a18d31db878f805eb0111b Mon Sep 17 00:00:00 2001 From: Julian Risch Date: Thu, 30 Apr 2026 08:57:05 +0200 Subject: [PATCH 4/7] fix: upgrade pip before using --uploaded-prior-to=P1D P1D relative duration requires pip>=26.1 (latest as of this commit). CI runners ship with older pip, so each install step now upgrades pip first to ensure the flag is recognised. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/check_api_ref.yml | 4 +++- .../docs-website-test-docs-snippets.yml | 4 +++- .github/workflows/docs_search_sync.yml | 4 +++- .github/workflows/docusaurus_sync.yml | 4 +++- .github/workflows/e2e.yml | 4 +++- .github/workflows/license_compliance.yml | 1 + .github/workflows/nightly_testpypi_release.yml | 4 +++- .github/workflows/project.yml | 16 ++++++++++++++++ .github/workflows/pypi_release.yml | 4 +++- .github/workflows/release.yml | 4 +++- .github/workflows/release_notes.yml | 1 + .github/workflows/slow.yml | 1 + .github/workflows/tests.yml | 13 +++++++++++-- 13 files changed, 54 insertions(+), 10 deletions(-) diff --git a/.github/workflows/check_api_ref.yml b/.github/workflows/check_api_ref.yml index b40a9197e2..8d69b81fec 100644 --- a/.github/workflows/check_api_ref.yml +++ b/.github/workflows/check_api_ref.yml @@ -65,7 +65,9 @@ jobs: - name: Install Hatch if: steps.changed.outputs.needs_check == 'true' - run: pip install hatch --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch --uploaded-prior-to=P1D - name: Generate API references if: steps.changed.outputs.needs_check == 'true' diff --git a/.github/workflows/docs-website-test-docs-snippets.yml b/.github/workflows/docs-website-test-docs-snippets.yml index c5f1b073c2..99aad642f7 100644 
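Review bot: The new bootstrap line `python -m pip install --upgrade pip` fetches the newest pip with no cooldown at all, so the one tool that enforces `--uploaded-prior-to=P1D` is itself pulled from outside the guard; the pre-installed pip cannot apply the flag, so the only way to close this gap is to pin the bootstrap, e.g. `python -m pip install "pip==26.1"` (the version the commit message names), and bump it deliberately. Separately, this workflow installs `hatch` unpinned while every other touched workflow uses `hatch==${{ env.HATCH_VERSION }}`; the cooldown narrows the float but does not remove it, so aligning on the pinned form (defining `HATCH_VERSION` here if the file lacks it, the `env:` block is outside the hunk) would be consistent. The same unpinned bootstrap is repeated in every install step this patch touches.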
--- a/.github/workflows/docs-website-test-docs-snippets.yml +++ b/.github/workflows/docs-website-test-docs-snippets.yml @@ -38,7 +38,9 @@ jobs: python-version: '3.11' - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Generate API reference for Docusaurus run: hatch run docs diff --git a/.github/workflows/docs_search_sync.yml b/.github/workflows/docs_search_sync.yml index 71cf28f356..0cb6383b61 100644 --- a/.github/workflows/docs_search_sync.yml +++ b/.github/workflows/docs_search_sync.yml @@ -38,7 +38,9 @@ jobs: - name: Install script dependencies # sniffio is needed because of https://github.com/deepset-ai/deepset-cloud-sdk/issues/286 # we pin pyrate-limiter due to https://github.com/deepset-ai/deepset-cloud-sdk/issues/295 - run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to=P1D - name: Update new docs to Search pipeline and remove outdated docs env: diff --git a/.github/workflows/docusaurus_sync.yml b/.github/workflows/docusaurus_sync.yml index 608053b354..2304903939 100644 --- a/.github/workflows/docusaurus_sync.yml +++ b/.github/workflows/docusaurus_sync.yml @@ -30,7 +30,9 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Generate API reference for Docusaurus run: hatch run docs diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index aa2b8c5be7..69632cd7ba 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml 
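Review bot: In the docs_search_sync hunk, `pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4"` resolves four packages at run time with at most a ceiling pin, and the following step carries an `env:` block (outside the hunk, presumably the deepset Cloud credential), so a 24-hour cooldown is thin protection for the one job whose compromise would leak a secret. A requirements file with exact versions and `--require-hashes` would turn those resolutions into reviewable Dependabot PRs (the pip ecosystem is now configured) instead of whatever the index serves on the day. If hash pinning is too heavy for a docs job, exact-pinning the four packages at least makes the cooldown defence in depth rather than the only control.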
@@ -34,7 +34,9 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Run tests run: hatch run e2e:test diff --git a/.github/workflows/license_compliance.yml b/.github/workflows/license_compliance.yml index c9e3853162..f8c4950764 100644 --- a/.github/workflows/license_compliance.yml +++ b/.github/workflows/license_compliance.yml @@ -29,6 +29,7 @@ jobs: - name: Get direct dependencies run: | + python -m pip install --upgrade pip pip install toml --uploaded-prior-to=P1D python .github/utils/pyproject_to_requirements.py pyproject.toml > ${{ env.REQUIREMENTS_FILE }} diff --git a/.github/workflows/nightly_testpypi_release.yml b/.github/workflows/nightly_testpypi_release.yml index a7d8899d98..a8bc59d4c6 100644 --- a/.github/workflows/nightly_testpypi_release.yml +++ b/.github/workflows/nightly_testpypi_release.yml @@ -36,7 +36,9 @@ jobs: echo "Building haystack-ai version: ${NIGHTLY_VERSION}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Build Haystack run: hatch build diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 5420df4150..8d8669e028 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml 
@@ -4,8 +4,24 @@ on: issues: types: - opened + - labeled jobs: + add-bug-label: + name: Add bug label on Bug type issues + runs-on: ubuntu-slim + if: > + github.event.issue.type.name == 'Bug' && + ( + github.event.action == 'opened' || + contains(fromJSON('["P0", "P1", "P2", "P3"]'), github.event.label.name) + ) + steps: + - name: Add bug label + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh issue edit ${{ github.event.issue.html_url }} --add-label "bug" + add-to-project: name: Add new issues to project for triage runs-on: ubuntu-slim diff --git a/.github/workflows/pypi_release.yml b/.github/workflows/pypi_release.yml index aa2a88ddd0..75d3993eeb 100644 --- a/.github/workflows/pypi_release.yml +++ b/.github/workflows/pypi_release.yml @@ -22,7 +22,9 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Build Haystack run: hatch build diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 92d63cdc33..045b51f45e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -175,7 +175,9 @@ jobs: python-version: "3.13" - name: Install tomlkit - run: pip install tomlkit --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install tomlkit --uploaded-prior-to=P1D - name: Update haystack-ai in uv.lock run: python haystack/.github/utils/update_haystack_dc_custom_nodes.py "${{ env.VERSION }}" deepset-cloud-custom-nodes/uv.lock diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 06fac6b06e..b6bc54a504 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml 
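Review bot: In the pypi_release hunk, `python -m pip install --upgrade pip` fetches the newest pip unconditionally before the cooldown flag is even available, which puts an unpinned, uncooled download into the build path of the artifact that is published to PyPI. Pin the bootstrap (`python -m pip install "pip==26.1"`, per the commit message) and, for this workflow specifically, consider installing hatch from a hash-pinned requirements file with `--require-hashes`, since `hatch==${{ env.HATCH_VERSION }}` pins only hatch itself and still trusts whatever the index serves for its transitive dependencies. The `env:` block defining `HATCH_VERSION` is outside the hunk.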
@@ -51,6 +51,7 @@ jobs: - name: Verify release notes formatting if: steps.changed-files.outputs.any_changed == 'true' && !contains( github.event.pull_request.labels.*.name, 'ignore-for-release-notes') run: | + python -m pip install --upgrade pip pip install "reno<5" --uploaded-prior-to=P1D reno lint . # it is not possible to pass a list of files to reno lint diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml index 4ab1b0af9a..6660b9ffb0 100644 --- a/.github/workflows/slow.yml +++ b/.github/workflows/slow.yml @@ -139,6 +139,7 @@ jobs: id: hatch shell: bash run: | + python -m pip install --upgrade pip pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Run Tika diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d1acee488c..3a9b0845e4 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -78,7 +78,9 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Ruff - check format and linting run: hatch run fmt-check @@ -97,7 +99,9 @@ jobs: python-version: "${{ env.PYTHON_VERSION }}" - name: Install Hatch - run: pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D + run: | + python -m pip install --upgrade pip + pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D - name: Check imports run: hatch run python .github/utils/check_imports.py @@ -125,6 +129,7 @@ jobs: id: hatch shell: bash run: | + python -m pip install --upgrade pip pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" 
@@ -177,6 +182,7 @@ jobs: id: hatch if: steps.files.outputs.any_changed == 'true' run: | + python -m pip install --upgrade pip pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" @@ -202,6 +208,7 @@ jobs: id: hatch shell: bash run: | + python -m pip install --upgrade pip pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" @@ -228,6 +235,7 @@ jobs: id: hatch shell: bash run: | + python -m pip install --upgrade pip pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" @@ -260,6 +268,7 @@ jobs: id: hatch shell: bash run: | + python -m pip install --upgrade pip pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT" From 542039bbe21f353d10e413ee86be85b13ed672ba Mon Sep 17 00:00:00 2001 From: Julian Risch Date: Thu, 30 Apr 2026 09:04:10 +0200 Subject: [PATCH 5/7] chore: add release note for uv exclude-newer supply chain hardening Co-Authored-By: Claude Sonnet 4.6 --- .../supply-chain-exclude-newer-7ef5f4df420f1029.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml diff --git a/releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml b/releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml new file mode 100644 index 0000000000..9a18e6f6c9 --- /dev/null +++ b/releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml 
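Review bot: The cooldown is applied only to the `pip install hatch` bootstrap; the packages that actually run under test are installed later by hatch into its own environment (`hatch env find test` on the next line), and none of those installs receive `--uploaded-prior-to`, so the guard covers the tool but not the dependency tree it builds. pip reads options from the environment, so setting `PIP_UPLOADED_PRIOR_TO: P1D` once at the workflow `env:` level (plus `UV_EXCLUDE_NEWER: "24 hours"` if hatch is configured to use uv as its installer, which is not visible here) would reach every pip or uv invocation in the job, including hatch's, and would remove the need to repeat the flag in seven steps; older pip ignores environment options it does not recognise, so the bootstrap upgrade is not broken by it. Whether hatch's installer actually inherits these variables should be confirmed with a run that prints the resolved versions. The same two-line bootstrap appears in the other six hunks of this file.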
@@ -0,0 +1,9 @@ +--- +security: + - | + Haystack's uv configuration now excludes packages published within the last + 24 hours when resolving dependencies, reducing exposure to supply chain + attacks via freshly compromised packages. If you need to install a dependency + that was published less than 24 hours ago, you can override this by running + ``uv sync --exclude-newer="0 days"`` or + ``uv pip install --exclude-newer="0 days"``. From 15e7a99cb66b07e623251f64b80411d860a5f7cf Mon Sep 17 00:00:00 2001 From: Julian Risch Date: Thu, 30 Apr 2026 10:59:54 +0200 Subject: [PATCH 6/7] revert: undo accidental changes to project.yml Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/project.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 8d8669e028..5420df4150 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -4,24 +4,8 @@ on: issues: types: - opened - - labeled jobs: - add-bug-label: - name: Add bug label on Bug type issues - runs-on: ubuntu-slim - if: > - github.event.issue.type.name == 'Bug' && - ( - github.event.action == 'opened' || - contains(fromJSON('["P0", "P1", "P2", "P3"]'), github.event.label.name) - ) - steps: - - name: Add bug label - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh issue edit ${{ github.event.issue.html_url }} --add-label "bug" - add-to-project: name: Add new issues to project for triage runs-on: ubuntu-slim From 7f332b63d85797b49f000e2645840f277a11e5a7 Mon Sep 17 00:00:00 2001 From: Julian Risch Date: Thu, 30 Apr 2026 11:21:44 +0200 Subject: [PATCH 7/7] chore: remove release note for supply chain hardening Co-Authored-By: Claude Sonnet 4.6 --- .../supply-chain-exclude-newer-7ef5f4df420f1029.yaml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml 
diff --git a/releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml b/releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml deleted file mode 100644 index 9a18e6f6c9..0000000000 --- a/releasenotes/notes/supply-chain-exclude-newer-7ef5f4df420f1029.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -security: - - | - Haystack's uv configuration now excludes packages published within the last - 24 hours when resolving dependencies, reducing exposure to supply chain - attacks via freshly compromised packages. If you need to install a dependency - that was published less than 24 hours ago, you can override this by running - ``uv sync --exclude-newer="0 days"`` or - ``uv pip install --exclude-newer="0 days"``.