Output/report formatting for uv audit#18193

Merged
woodruffw merged 2 commits into main from ww/uv-audit-results
Mar 10, 2026
Conversation

@woodruffw
Member

@woodruffw woodruffw commented Feb 25, 2026

Summary

This adds some initial output/report formatting for uv audit.

This is an initial blush, any feedback to align this with rendering/formatting idioms elsewhere would be greatly appreciated!

Atop #18119.

Test Plan

None yet.

@woodruffw woodruffw changed the base branch from main to ww/uv-audit February 25, 2026 17:46
@woodruffw woodruffw changed the title Ww/uv audit results Output/report formatting for uv audit Feb 25, 2026
@woodruffw woodruffw mentioned this pull request Feb 25, 2026
@woodruffw
Member Author

Example current output:

warning: `uv audit` is experimental and may change without warning. Pass `--preview-features audit` to disable this warning.
Resolved 71 packages in 29ms
Found 7 known vulnerabilities and no adverse project statuses in 71 packages

Vulnerabilities:

cryptography 46.0.3 has 1 known vulnerability:

- GHSA-r6ph-v2qm-q3c2: cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

  Fixed in: 46.0.5


filelock 3.20.0 has 2 known vulnerabilities:

- GHSA-qmgc-5h2g-mvrw: filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

  Fixed in: 3.20.3

- GHSA-w853-jp5j-5j7f: filelock has a TOCTOU race condition which allows symlink attacks during lock file creation

  Fixed in: 3.20.1


jaraco-context 6.0.1 has 1 known vulnerability:

- GHSA-58pv-8j8x-9vj2: jaraco.context Has a Path Traversal Vulnerability

  Fixed in: 6.1.0


urllib3 2.5.0 has 3 known vulnerabilities:

- GHSA-2xpw-w6gg-jr37: urllib3 streaming API improperly handles highly compressed data

  Fixed in: 2.6.0

- GHSA-38jv-5279-wg99: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

  Fixed in: 2.6.3

- GHSA-gm62-xv2j-4w53: urllib3 allows an unbounded number of links in the decompression chain

  Fixed in: 2.6.0

Screencap with color:

image

@woodruffw woodruffw marked this pull request as ready for review February 26, 2026 21:48
@woodruffw woodruffw requested a review from konstin February 26, 2026 21:48
@woodruffw woodruffw force-pushed the ww/uv-audit branch 3 times, most recently from df8f860 to 233fd7f Compare March 2, 2026 18:57
woodruffw added a commit that referenced this pull request Mar 3, 2026
## Summary

This provides the scaffolding (CLI and initial `uv-audit` crate) for a
`uv audit` subcommand.

Closes #9189.

Tracking:

- [x] Core CLI scaffolding (this PR)
    - [x] #18185 
- [x] Audit core (probably a new `uv-audit` crate): #18124 
- [ ] Bulk dependency audits with OSV
- [ ] Result presentation
    - [ ] #18193 


Things that also need to be done with the MVP:

- [ ] We should not audit workspace members by default (by definition,
they don't exist on indices and therefore don't have meaningful results
from vulnerability services).
- [ ] I need to ensure groups/etc. are being filtered correctly; right now we audit every single package in the lockfile unconditionally.

## Test Plan

Unit and integration tests commensurate with the new functionality.

---------

Signed-off-by: William Woodruff <william@astral.sh>
Base automatically changed from ww/uv-audit to main March 3, 2026 16:11
@woodruffw woodruffw force-pushed the ww/uv-audit-results branch 3 times, most recently from f64784b to bba6e5a Compare March 3, 2026 16:16
@konstin konstin added the preview Experimental behavior label Mar 5, 2026
Member

@konstin konstin left a comment


Code looks good, left some style comments.

@woodruffw woodruffw force-pushed the ww/uv-audit-results branch 3 times, most recently from b47913d to 237062b Compare March 5, 2026 18:00
@woodruffw woodruffw requested a review from konstin March 8, 2026 02:32
Member

@konstin konstin left a comment


Code looks good, is there an example uv.lock to see it in color?

@woodruffw
Member Author

Code looks good, is there an example uv.lock to see it in color?

I was testing it locally against psf/cachecontrol (since I added a lockfile to that repo a while back).

)?;

for vuln in vulns {
writeln!(
Member


Can we show the link too? The title often isn't enough to understand whether you are affected.

Member Author


Yeah, I'll do that with a follow-up!

woodruffw added a commit that referenced this pull request Mar 9, 2026
## Summary

Atop #18193.

This tweaks the baseline filtering we do with `uv audit` -- previously
we only skipped packages without versions, but we should _also_ skip
workspace members, since workspace members are local by definition.

## Test Plan

Will be tested with integration tests.

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw force-pushed the ww/uv-audit-results branch from dc80a24 to 6246b49 Compare March 9, 2026 14:56
woodruffw added a commit that referenced this pull request Mar 9, 2026
Atop #18193.

This tweaks the baseline filtering we do with `uv audit` -- previously
we only skipped packages without versions, but we should _also_ skip
workspace members, since workspace members are local by definition.

Will be tested with integration tests.

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw force-pushed the ww/uv-audit-results branch from 6246b49 to c2553d1 Compare March 9, 2026 15:00
Signed-off-by: William Woodruff <william@astral.sh>

Skeleton AuditDisplay

Signed-off-by: William Woodruff <william@astral.sh>

Initial reporting for `uv audit`

Signed-off-by: William Woodruff <william@astral.sh>

More spacing

Signed-off-by: William Woodruff <william@astral.sh>

I curse the English language's irregular plural forms

Signed-off-by: William Woodruff <william@astral.sh>

Clippy

Signed-off-by: William Woodruff <william@astral.sh>

Bump snapshots

Signed-off-by: William Woodruff <william@astral.sh>

Feedback

Signed-off-by: William Woodruff <william@astral.sh>

Feedback

Signed-off-by: William Woodruff <william@astral.sh>

Add a TODO

Signed-off-by: William Woodruff <william@astral.sh>
Atop #18193.

This tweaks the baseline filtering we do with `uv audit` -- previously
we only skipped packages without versions, but we should _also_ skip
workspace members, since workspace members are local by definition.

Will be tested with integration tests.

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw force-pushed the ww/uv-audit-results branch from c2553d1 to 0333537 Compare March 9, 2026 15:24
@woodruffw woodruffw merged commit f54ce67 into main Mar 10, 2026
213 of 216 checks passed
@woodruffw woodruffw deleted the ww/uv-audit-results branch March 10, 2026 04:07
woodruffw added a commit that referenced this pull request Mar 10, 2026
## Summary

This adds links to `uv audit`'s outputs. This required adding links to
the backing (common) Vulnerability type and pulling them from the OSV
service. OSV will always produce a link for a Vulnerability (since the
ID itself can be turned into a link), but `Vulnerability::link` itself
is optional since other services may not necessarily guarantee this.

Follows #18193.

## Test Plan

None yet.

---------

Signed-off-by: William Woodruff <william@astral.sh>
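As an added illustration of the report layout shown in the example output above and of the optional-link design described in the follow-up commit (example code, not uv's own): a `Vulnerability` type with an optional `link`, an OSV constructor that derives the link from the advisory ID, and a renderer for the per-package sections that prints the link line the reviewer asked for. The `AuditedPackage` type, the `render_report` function and the `https://osv.dev/vulnerability/<ID>` URL scheme are assumptions of this example.

```rust
use std::fmt::Write;

/// One finding from an advisory service. `link` is optional because not every
/// backend guarantees one; OSV always does, since its ID maps to a URL.
pub struct Vulnerability {
    pub id: String,
    pub summary: String,
    pub fixed_in: Vec<String>,
    pub link: Option<String>,
}

impl Vulnerability {
    /// Build a finding from an OSV result. The URL scheme is an assumption of this example.
    pub fn from_osv(id: &str, summary: &str, fixed_in: &[&str]) -> Self {
        let fixed_in = fixed_in.iter().map(|s| s.to_string()).collect();
        let link = Some(format!("https://osv.dev/vulnerability/{id}"));
        Self { id: id.into(), summary: summary.into(), fixed_in, link }
    }
}

/// A locked package with its findings (hypothetical type, not uv's).
pub struct AuditedPackage { pub name: String, pub version: String, pub vulns: Vec<Vulnerability> }

/// The irregular plural handled once, so "1 known vulnerability" stays correct.
fn noun(n: usize) -> &'static str {
    if n == 1 { "vulnerability" } else { "vulnerabilities" }
}

/// Render the summary line and per-package sections in the layout of the example output.
pub fn render_report(packages: &[AuditedPackage]) -> String {
    let total: usize = packages.iter().map(|p| p.vulns.len()).sum();
    let mut out = String::new();
    let _ = writeln!(out, "Found {total} known {} in {} packages", noun(total), packages.len());
    let affected: Vec<_> = packages.iter().filter(|p| !p.vulns.is_empty()).collect();
    if affected.is_empty() {
        return out; // clean lockfile: only the summary line is printed
    }
    let _ = writeln!(out, "\nVulnerabilities:");
    for pkg in affected {
        let n = pkg.vulns.len();
        let _ = writeln!(out, "\n{} {} has {n} known {}:", pkg.name, pkg.version, noun(n));
        for v in &pkg.vulns {
            let _ = writeln!(out, "\n- {}: {}", v.id, v.summary);
            if let Some(link) = &v.link {
                let _ = writeln!(out, "  {link}"); // link line, printed only when the service supplied one
            }
            if !v.fixed_in.is_empty() {
                let _ = writeln!(out, "\n  Fixed in: {}", v.fixed_in.join(", "));
            }
        }
    }
    out
}
```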
@woodruffw woodruffw mentioned this pull request Mar 16, 2026