1 comment

  • Terretta 4 hours ago
    Two new security features for uv:

    - uv audit is a new command that scans your dependencies for known vulnerabilities and "adverse" project statuses (such as being deprecated)

    - uv add, uv sync, etc. can now perform a lightweight OSV-based lookup for previously-resolved malware on every sync operation, try it by setting UV_MALWARE_CHECK=1

    Both are in preview, considered unstable, and there may be breaking changes…

    • • •

    Meanwhile, don't forget uv's exclude-newer cooldown: https://docs.astral.sh/uv/reference/settings/#exclude-newer

      # pyproject.toml
      [tool.uv]
      exclude-newer = "P3D"  # ISO 8601 duration: 3 days
    
    Or use it with uv pip compile to generate pinned requirements with cooldown:

      $ uv pip compile --exclude-newer "3 days" requirements.in -o requirements.txt
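The cooldown semantics above can be seen without network access. The Python below is an added illustration written for this thread, not uv's code and not a call into uv: it applies an `exclude-newer` value to a constructed, PyPI-JSON-shaped table of upload times and picks the newest version that has already aged past the window, the way a resolver honouring the setting would. The fixed `NOW`, the `SAMPLE_RELEASES` table and the hand-rolled ISO 8601 duration parser are all assumptions made for the demo; which duration spellings uv itself accepts is the commenter's claim, not something this code checks.

```python
"""Illustrative exclude-newer cooldown (example code, not uv's own).

Semantics mirrored: with `[tool.uv] exclude-newer = "P3D"`, any release
whose files were uploaded after (now - 3 days) is invisible to the
resolver, so a freshly published (possibly malicious) version cannot be
selected until it has aged for the full window.
"""

import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the PyPI JSON API's "releases" map
# (version -> list of files, each with an upload_time_iso_8601 field).
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2025-11-01T10:00:00Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2025-11-20T09:30:00Z"}],
    "1.1.1": [{"upload_time_iso_8601": "2025-11-24T18:00:00Z"}],  # ~1 day old
    "1.2.0": [{"upload_time_iso_8601": "2025-11-25T08:00:00Z"}],  # hours old
}

# Fixed "now" so the demo is deterministic (assumption for the example).
NOW = datetime(2025, 11, 25, 12, 0, tzinfo=timezone.utc)

# Day/time subset of ISO 8601 durations: P3D, P2W, PT12H, P1DT6H, ...
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_iso_duration(text: str) -> timedelta:
    """Parse an ISO 8601 day/time duration such as P3D into a timedelta."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    weeks, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(weeks=weeks, days=days, hours=hours,
                     minutes=minutes, seconds=seconds)


def _parse_ts(text: str) -> datetime:
    """RFC 3339 timestamp -> aware datetime (tolerates the trailing 'Z')."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def cutoff_for(exclude_newer: str, now: datetime = NOW) -> datetime:
    """Turn an exclude-newer value into an absolute cutoff instant.

    A duration (leading 'P') is taken relative to `now`; anything else is
    treated as an absolute RFC 3339 timestamp.
    """
    if exclude_newer.startswith("P"):
        return now - parse_iso_duration(exclude_newer)
    return _parse_ts(exclude_newer)


def _version_key(version: str):
    return tuple(int(part) for part in version.split("."))


def candidate_versions(releases: dict, cutoff: datetime) -> list:
    """Versions whose every file was uploaded at or before the cutoff.

    A version with any file newer than the cutoff is dropped entirely, so
    a last-minute extra wheel cannot sneak a release through the window.
    """
    allowed = []
    for version, files in releases.items():
        times = [_parse_ts(f["upload_time_iso_8601"]) for f in files]
        if times and max(times) <= cutoff:
            allowed.append(version)
    return sorted(allowed, key=_version_key)


def resolve_newest(releases: dict, exclude_newer: str, now: datetime = NOW):
    """Newest version visible under the cooldown, or None if nothing qualifies."""
    candidates = candidate_versions(releases, cutoff_for(exclude_newer, now))
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    for setting in ("PT1H", "P3D", "P30D", "2025-11-24T18:00:00Z"):
        print(f"{setting:>22} -> {resolve_newest(SAMPLE_RELEASES, setting)}")
```

With the three-day window the sample resolves to 1.1.0: both 1.1.1 and 1.2.0 are inside the cooldown and simply do not exist as far as the resolver is concerned, which is the whole point of the setting. A thirty-day window yields no candidate at all, the failure mode to expect when a brand-new package (or a project that only ever ships one recent release) meets a long cooldown; that is a resolution error, not a silent fallback to the newest upload.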