Merged
woodruffw commented, Feb 20, 2026
konstin reviewed, Feb 22, 2026
woodruffw added a commit that referenced this pull request, Feb 24, 2026
## Summary

Atop #18119. This should be merged into #18119's branch.

This adds a `uv-audit` crate, which provides some common types ~~and a trait (`VulnerabilityService`)~~ for interacting with vulnerability "services" (i.e. online APIs that provide vulnerability DB access). Our MVP service is OSV; supporting PyPI's PYSEC responses through the same trait would be straightforward.

(This should also not increase our dependency footprint; I've only used crates that were already present in our top-level dependencies.)

## Test Plan

I've added initial unit tests; I'm going to add more that use a mocked server to ensure we have good coverage of the pagination branches.

---------

Signed-off-by: William Woodruff <william@astral.sh>
woodruffw added a commit that referenced this pull request, Feb 24, 2026
woodruffw added a commit that referenced this pull request, Feb 24, 2026
woodruffw added a commit that referenced this pull request, Feb 24, 2026
woodruffw added a commit that referenced this pull request, Mar 2, 2026
woodruffw added a commit that referenced this pull request, Mar 2, 2026
Signed-off-by: William Woodruff <william@astral.sh>

Bump snapshots

Signed-off-by: William Woodruff <william@astral.sh>

Make universal the default for `uv audit` (#18185)

Atop #18119. Will be merged there.

None yet.

Signed-off-by: William Woodruff <william@astral.sh>

Make `uv audit` hidden

Signed-off-by: William Woodruff <william@astral.sh>

Bump snapshots

Signed-off-by: William Woodruff <william@astral.sh>
woodruffw added a commit that referenced this pull request, Mar 2, 2026
konstin approved these changes, Mar 3, 2026
woodruffw added a commit that referenced this pull request, Mar 3, 2026
woodruffw added a commit that referenced this pull request, Mar 10, 2026
## Summary

This adds some initial output/report formatting for `uv audit`. This is an initial blush, any feedback to align this with rendering/formatting idioms elsewhere would be greatly appreciated!

Atop #18119.

## Test Plan

None yet.

---------

Signed-off-by: William Woodruff <william@astral.sh>
woodruffw added a commit that referenced this pull request, Mar 11, 2026
## Summary

This switches us to OSV's batch query API for vulnerability ID lookups, which can then be used to concurrently fetch the actual full finding responses.

In my local testing, this yields significant speedups: from 23s on main (before this PR) with a small project (~70 deps) to 950ms with this PR.

~~WIP, I want to think through this approach a little more.~~

See #18119

## Test Plan

Added new unit tests.

---------

Signed-off-by: William Woodruff <william@astral.sh>
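The batch-query-then-fetch flow this commit message describes, and the pagination branches the earlier `uv-audit` commit message says it covers with a mocked server, as an added example that is not uv's code: a stdlib-only Python client that POSTs to OSV's `/v1/querybatch`, follows each result's `next_page_token`, re-batches the still-open queries, and then fetches the full records from `/v1/vulns/{id}` concurrently. It runs against an in-process mock of those two endpoints; the mock's advisory IDs, page size, token format and the `batch_size` cap are constructed assumptions, not OSV's real data or limits.

```python
import json
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

# Constructed data: (package, version) -> advisory IDs affecting that version.
MOCK_DB = {
    ("requests", "2.19.0"): ["OSV-EX-0001", "OSV-EX-0002", "OSV-EX-0003"],
    ("urllib3", "1.24.0"): ["OSV-EX-0004"],
    ("certifi", "2024.2.2"): [],
}
PAGE_SIZE = 2  # constructed: small so the pagination branch is exercised


class MockOSV(BaseHTTPRequestHandler):
    """Stand-in for api.osv.dev: paginated querybatch plus per-ID record fetch."""

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/v1/querybatch":
            return self._send(404, {"error": "not found"})
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        results = []
        for q in body["queries"]:
            ids = MOCK_DB.get((q["package"]["name"], q["version"]), [])
            start = int(q.get("page_token", "0"))  # constructed token: an offset
            page = ids[start:start + PAGE_SIZE]
            entry = {"vulns": [{"id": i, "modified": "2026-01-01T00:00:00Z"} for i in page]}
            if start + PAGE_SIZE < len(ids):
                entry["next_page_token"] = str(start + PAGE_SIZE)
            results.append(entry)
        self._send(200, {"results": results})

    def do_GET(self):
        vid = self.path.rsplit("/", 1)[-1]
        known = {i for ids in MOCK_DB.values() for i in ids}
        if not self.path.startswith("/v1/vulns/") or vid not in known:
            return self._send(404, {"error": "not found"})
        self._send(200, {"id": vid, "summary": f"constructed advisory {vid}"})

    def log_message(self, *_):  # silence per-request logging
        pass


def _post_json(url, body):
    req = Request(url, data=json.dumps(body).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    with urlopen(req) as resp:
        return json.load(resp)


def query_batch_ids(base_url, deps, batch_size=1000):
    """Map each (name, version) to its advisory IDs via /v1/querybatch.

    Every result is followed through its next_page_token until exhausted, and
    outstanding queries are re-batched up to batch_size per request (assumed
    per-request cap; check OSV's documented limit before relying on it)."""
    found = {dep: [] for dep in deps}
    pending = dict.fromkeys(deps)  # dep -> page token; None means first page
    while pending:
        chunk = list(pending.items())[:batch_size]
        queries = []
        for (name, version), token in chunk:
            q = {"package": {"name": name, "ecosystem": "PyPI"}, "version": version}
            if token is not None:
                q["page_token"] = token
            queries.append(q)
        results = _post_json(f"{base_url}/v1/querybatch", {"queries": queries})["results"]
        for (dep, _), result in zip(chunk, results):  # results are positional
            found[dep].extend(v["id"] for v in result.get("vulns", []))
            if "next_page_token" in result:
                pending[dep] = result["next_page_token"]
            else:
                del pending[dep]
    return found


def fetch_findings(base_url, ids, workers=8):
    """Fetch full OSV records concurrently, once per distinct ID."""
    def one(vid):
        with urlopen(f"{base_url}/v1/vulns/{vid}") as resp:
            return json.load(resp)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {rec["id"]: rec for rec in pool.map(one, sorted(set(ids)))}


def audit(deps, batch_size=2):
    """Run the whole flow against the in-process mock; returns (ids, records)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockOSV)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        ids = query_batch_ids(base, deps, batch_size=batch_size)
        records = fetch_findings(base, [i for found in ids.values() for i in found])
    finally:
        server.shutdown()
        server.server_close()
    return ids, records


if __name__ == "__main__":
    ids, records = audit(list(MOCK_DB))
    for dep, found in ids.items():
        print(dep, "->", [records[i]["summary"] for i in found])
```

With `batch_size=2` and three dependencies, the first request carries two queries, one of which comes back with a `next_page_token`; the second request carries that continuation plus the third dependency, so both the "more pages" and "re-batch the remainder" branches run before the ID set is handed to the concurrent record fetch.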
## Summary

This provides the scaffolding (CLI and initial `uv-audit` crate) for a `uv audit` subcommand. Closes #9189.

Tracking:

- `uv audit` #18185
- `uv-audit` crate: Add a `uv-audit` crate #18124
- `uv audit` #18394
- `uv audit` #18407
- `uv audit` #18193
- `uv audit` output #18392

Things that also need to be done with the MVP:

## Test Plan

Unit and integration tests commensurate with the new functionality.