scipp · SimonHeybrock · Mar 30, 2026
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -5,13 +5,15 @@
 #
 #    requirements upgrade
 #
+--index-url https://pypi.org/simple
+
 annotated-types==0.7.0
     # via pydantic
 certifi==2026.2.25
     # via requests
-charset-normalizer==3.4.4
+charset-normalizer==3.4.6
     # via requests
-confluent-kafka==2.13.0
+confluent-kafka==2.13.2
     # via -r base.in
 contourpy==1.3.3
     # via matplotlib
@@ -25,13 +27,13 @@ email-validator==2.3.0
     # via scippneutron
 ess-streaming-data-types==0.27.0
     # via -r base.in
-essreduce==26.2.2
+essreduce==26.3.1
     # via -r base.in
 flatbuffers==25.12.19
     # via ess-streaming-data-types
-fonttools==4.61.1
+fonttools==4.62.1
     # via matplotlib
-h5py==3.15.1
+h5py==3.16.0
     # via
     #   scippneutron
     #   scippnexus
@@ -41,9 +43,9 @@ idna==3.11
     #   requests
 jinja2==3.1.6
     # via -r base.in
-kiwisolver==1.4.9
+kiwisolver==1.5.0
     # via matplotlib
-lazy-loader==0.4
+lazy-loader==0.5
     # via
     #   plopp
     #   scippneutron
@@ -57,7 +59,7 @@ mpltoolbox==26.2.0
     # via scippneutron
 networkx==3.6.1
     # via cyclebane
-numpy==2.4.2
+numpy==2.4.3
     # via
     #   contourpy
     #   ess-streaming-data-types
@@ -73,9 +75,9 @@ packaging==26.0
     #   pooch
 pillow==12.1.1
     # via matplotlib
-platformdirs==4.9.2
+platformdirs==4.9.4
     # via pooch
-plopp==26.2.1
+plopp==26.3.1
     # via scippneutron
 pooch==1.9.0
     # via -r base.in
@@ -97,13 +99,13 @@ requests==2.32.5
     # via pooch
 sciline==25.11.1
     # via essreduce
-scipp==26.2.0
+scipp==26.3.1
     # via
     #   -r base.in
     #   essreduce
     #   scippneutron
     #   scippnexus
-scippneutron==26.2.0
+scippneutron==26.3.0
     # via
     #   -r base.in
     #   essreduce

diff --git a/requirements/basetest.txt b/requirements/basetest.txt
@@ -5,21 +5,23 @@
 #
 #    requirements upgrade
 #
+--index-url https://pypi.org/simple
+
 annotated-types==0.7.0
     # via pydantic
-ase==3.27.0
+ase==3.28.0
     # via ncrystal
 asttokens==3.0.1
     # via stack-data
 bleach==6.3.0
     # via panel
-bokeh==3.8.2
+bokeh==3.9.0
     # via
     #   holoviews
     #   panel
 certifi==2026.2.25
     # via requests
-charset-normalizer==3.4.4
+charset-normalizer==3.4.6
     # via requests
 click==8.3.1
     # via dask
@@ -37,7 +39,7 @@ cyclebane==24.10.0
     # via sciline
 cycler==0.12.1
     # via matplotlib
-dask==2026.1.2
+dask==2026.3.0
     # via
     #   essdiffraction
     #   esspolarization
@@ -53,7 +55,7 @@ essdiffraction==26.3.0
     # via -r basetest.in
 esspolarization==25.10.0
     # via essreflectometry
-essreduce==26.2.2
+essreduce==26.3.1
     # via
     #   essdiffraction
     #   esspolarization
@@ -62,13 +64,13 @@ essreduce==26.2.2
     #   essspectroscopy
 essreflectometry==26.2.0
     # via -r basetest.in
-esssans==26.2.1
+esssans==26.3.0
     # via -r basetest.in
 essspectroscopy==26.2.0
     # via -r basetest.in
 executing==2.2.1
     # via stack-data
-fonttools==4.61.1
+fonttools==4.62.1
     # via matplotlib
 fsspec==2026.2.0
     # via dask
@@ -81,7 +83,7 @@ graphviz==0.21
     #   essreflectometry
     #   esssans
     #   essspectroscopy
-h5py==3.15.1
+h5py==3.16.0
     # via
     #   scippneutron
     #   scippnexus
@@ -91,7 +93,7 @@ idna==3.11
     # via
     #   email-validator
     #   requests
-importlib-metadata==8.7.1
+importlib-metadata==9.0.0
     # via dask
 iniconfig==2.3.0
     # via pytest
@@ -111,9 +113,9 @@ jinja2==3.1.6
     # via bokeh
 jupyterlab-widgets==3.0.16
     # via ipywidgets
-kiwisolver==1.4.9
+kiwisolver==1.5.0
     # via matplotlib
-lazy-loader==0.4
+lazy-loader==0.5
     # via
     #   plopp
     #   scippneutron
@@ -143,20 +145,20 @@ mdurl==0.1.2
     # via markdown-it-py
 mpltoolbox==26.2.0
     # via scippneutron
-narwhals==2.17.0
+narwhals==2.18.0
     # via
     #   bokeh
     #   holoviews
     #   panel
-ncrystal[cif]==4.2.12
+ncrystal==4.2.12
     # via essdiffraction
 ncrystal-core==4.2.12
     # via ncrystal
 ncrystal-python==4.2.12
     # via ncrystal
 networkx==3.6.1
     # via cyclebane
-numpy==2.4.2
+numpy==2.4.3
     # via
     #   ase
     #   bokeh
@@ -188,13 +190,12 @@ packaging==26.0
     #   pytest
 pandas==3.0.1
     # via
-    #   bokeh
     #   essreflectometry
     #   esssans
     #   essspectroscopy
     #   holoviews
     #   panel
-panel==1.8.7
+panel==1.8.10
     # via
     #   -r basetest.in
     #   holoviews
@@ -214,9 +215,9 @@ pillow==12.1.1
     # via
     #   bokeh
     #   matplotlib
-platformdirs==4.9.2
+platformdirs==4.9.4
     # via pooch
-plopp==26.2.1
+plopp==26.3.1
     # via
     #   essdiffraction
     #   essreflectometry
@@ -284,7 +285,7 @@ sciline==25.11.1
     #   essreflectometry
     #   esssans
     #   essspectroscopy
-scipp==26.2.0
+scipp==26.3.1
     # via
     #   essdiffraction
     #   esspolarization
@@ -295,7 +296,7 @@ scipp==26.2.0
     #   scippneutron
     #   scippnexus
     #   tof
-scippneutron==26.2.0
+scippneutron==26.3.0
     # via
     #   -r basetest.in
     #   essdiffraction
@@ -325,15 +326,15 @@ spglib==2.6.0
     #   ncrystal
 stack-data==0.6.3
     # via ipython
-tof==26.1.0
+tof==26.3.0
     # via
     #   essdiffraction
     #   essspectroscopy
 toolz==1.1.0
     # via
     #   dask
     #   partd
-tornado==6.5.4
+tornado==6.5.5
     # via bokeh
 tqdm==4.67.3
     # via panel

diff --git a/requirements/ci.txt b/requirements/ci.txt
@@ -5,17 +5,19 @@
 #
 #    requirements upgrade
 #
-cachetools==7.0.1
+--index-url https://pypi.org/simple
+
+cachetools==7.0.5
     # via tox
 certifi==2026.2.25
     # via requests
-charset-normalizer==3.4.4
+charset-normalizer==3.4.6
     # via requests
 colorama==0.4.6
     # via tox
 distlib==0.4.0
     # via virtualenv
-filelock==3.25.0
+filelock==3.25.2
     # via
     #   python-discovery
     #   tox
@@ -31,7 +33,7 @@ packaging==26.0
     #   -r ci.in
     #   pyproject-api
     #   tox
-platformdirs==4.9.2
+platformdirs==4.9.4
     # via
     #   python-discovery
     #   tox
@@ -40,15 +42,17 @@ pluggy==1.6.0
     # via tox
 pyproject-api==1.10.0
     # via tox
-python-discovery==1.1.0
+python-discovery==1.2.0
     # via virtualenv
 requests==2.32.5
     # via -r ci.in
-smmap==5.0.2
+smmap==5.0.3
     # via gitdb
-tox==4.47.0
+tomli-w==1.2.0
+    # via tox
+tox==4.50.3
     # via -r ci.in
 urllib3==2.6.3
     # via requests
-virtualenv==21.1.0
+virtualenv==21.2.0
     # via tox
diff --git a/requirements/compile_with_cooldown.py b/requirements/compile_with_cooldown.py
@@ -0,0 +1,36 @@
+"""Run pip-compile-multi with a supply-chain cooldown.
+
+Sets UV_EXCLUDE_NEWER to a date in the past before invoking
+pip-compile-multi, so that recently uploaded package versions
+are excluded from dependency resolution. This reduces the risk
+of supply-chain attacks via newly published malicious packages.
+
+The cooldown can be overridden by setting UV_EXCLUDE_NEWER in
+the environment before running this script.
+"""
+
+import datetime
+import os
+import subprocess
+import sys
+
+COOLDOWN_DAYS = 7
+
+
+def main() -> None:
+    if "UV_EXCLUDE_NEWER" not in os.environ:
+        cutoff = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(
+            days=COOLDOWN_DAYS
+        )
+        os.environ["UV_EXCLUDE_NEWER"] = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
+    sys.stderr.write(f"UV_EXCLUDE_NEWER={os.environ['UV_EXCLUDE_NEWER']}\n")
+    sys.exit(
+        subprocess.run(  # noqa: S603
+            [sys.executable, "-m", "pip_compile_multi.cli", "--uv", *sys.argv[1:]],
+            check=False,
+        ).returncode
+    )
+
+
+if __name__ == "__main__":
+    main()