diff --git a/README.md b/README.md
index 9877cf7..54d783d 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,12 @@ At Wander, we use a semantic layer to:
 - Our data warehouse becomes a technical detail so we can focus on building great products.
+## Dependency management
+
+This project uses [uv](https://github.com/astral-sh/uv) with `pyproject.toml` for dependency management. A `uv.lock` lockfile is committed to pin exact resolved versions for reproducible environments.
+
+To guard against [Python supply chain attacks](https://pydevtools.com/handbook/how-to/how-to-protect-against-python-supply-chain-attacks-with-uv/), the `[tool.uv]` section in `pyproject.toml` sets a 7-day dependency cooldown via `exclude-newer`. This prevents uv from resolving package versions published within the last week — a window during which most malicious PyPI uploads are detected and yanked before they can reach any environment.
+
 ## License
 MIT
diff --git a/pyproject.toml b/pyproject.toml
index 130ffc2..977f60f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -110,6 +110,9 @@ init_typed = false
 warn_required_dynamic_aliases = false
 warn_untyped_fields = true
+[tool.uv]
+exclude-newer = "7 days"
+
 [build-system]
 requires = ["pdm-backend", "pip"]
 build-backend = "pdm.backend"
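Review bot: The new `exclude-newer = "7 days"` line in the pyproject.toml hunk is the only supply-chain control in the file yet carries no comment saying what it does or why the window is 7 days; add above it `# Dependency cooldown: the resolver skips any release published within the last 7 days (see README, "Dependency management").` The relative-duration form appears to be a recent uv addition — older releases accept only an RFC 3339 timestamp here and would presumably reject this value — so consider adding `required-version = ">=<first uv version that accepts a relative exclude-newer>"` in the same `[tool.uv]` table so a contributor on an old uv gets a clear error instead of an unguarded resolve. Note also that the cooldown only applies when the lockfile is (re)resolved; `uv sync` against the committed `uv.lock` installs whatever is already pinned, so the guard is only as strong as the lock refresh cadence, which is worth stating in the comment or the README.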