
Switch to batched OSV queries for uv audit#18394

Merged
woodruffw merged 4 commits into main from ww/uv-audit-osv-bulk
Mar 11, 2026
Conversation

@woodruffw
Member

@woodruffw woodruffw commented Mar 10, 2026

Summary

This switches us to OSV's batch query API for vulnerability ID lookups, which can then be used to concurrently fetch the actual full finding responses.

In my local testing, this yields significant speedups: from 23s on main (before this PR) with a small project (~70 deps) to 950ms with this PR.

WIP, I want to think through this approach a little more.

See #18119

Test Plan

Added new unit tests.

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw self-assigned this Mar 10, 2026
@woodruffw woodruffw added performance Potential performance improvement preview Experimental behavior labels Mar 10, 2026
@woodruffw woodruffw mentioned this pull request Mar 10, 2026
let vuln = self.fetch_vuln(&id).await?;
Ok::<(String, Vulnerability), Error>((id, vuln))
})
.buffer_unordered(usize::MAX);
Member Author


Flagging: I wasn't sure if it makes sense to plumb Concurrency::downloads as a limit here.

Member


Yes, that limit should apply in all locations where we do network requests.

Member Author


Done! I need to separately plumb the concurrency from the CLI, I'll do that in a follow-up.
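The two-phase design described in the PR summary (one batched OSV query for vulnerability IDs, then concurrent fetches of the full records) and the review point above (the fetch phase needs a real concurrency limit rather than `usize::MAX`) are shown together in the following added example. It is not uv's code: it is written in Python rather than the project's Rust, the `FakeOsvTransport`, `audit` and `run_audit` names are this example's own, and the package names, advisory IDs and responses are constructed stand-ins shaped like OSV's `/v1/querybatch` and `/v1/vulns/{id}` payloads so that it runs offline. The `concurrency` parameter plays the role uv's `Concurrency::downloads` plays in the discussion.

```python
"""Batched OSV lookup with a bounded fetch phase (added example, not uv's code).

Phase 1 sends every (package, version) in one POST to OSV's /v1/querybatch,
which returns only vulnerability IDs.  Phase 2 fetches the full records from
/v1/vulns/{id} concurrently, capped by a limit that stands in for uv's
Concurrency::downloads.  The transport below is a constructed stand-in so the
example runs offline; the package names and advisory IDs are made up.
"""
import asyncio

# Constructed data shaped like OSV responses.  One advisory is shared by two
# packages, which is why IDs must be deduplicated before phase 2.
FAKE_QUERYBATCH_RESULTS = {
    ("PyPI", "examplepkg-a", "1.0.0"): [{"id": "EXAMPLE-0001", "modified": "2026-01-01T00:00:00Z"}],
    ("PyPI", "examplepkg-b", "2.3.1"): [
        {"id": "EXAMPLE-0001", "modified": "2026-01-01T00:00:00Z"},
        {"id": "EXAMPLE-0002", "modified": "2026-01-02T00:00:00Z"},
    ],
    ("PyPI", "examplepkg-c", "0.9.0"): [],
}
FAKE_VULNS = {
    "EXAMPLE-0001": {"id": "EXAMPLE-0001", "summary": "constructed advisory one"},
    "EXAMPLE-0002": {"id": "EXAMPLE-0002", "summary": "constructed advisory two"},
}
SAMPLE_PACKAGES = sorted(FAKE_QUERYBATCH_RESULTS)


class FakeOsvTransport:
    """Stands in for the HTTP client and records how many requests were in flight at once."""

    def __init__(self):
        self.requests = 0
        self.in_flight = 0
        self.max_in_flight = 0

    async def post_querybatch(self, queries):
        # Real endpoint: POST https://api.osv.dev/v1/querybatch {"queries": [...]}
        self.requests += 1
        results = []
        for q in queries:
            key = (q["package"]["ecosystem"], q["package"]["name"], q["version"])
            results.append({"vulns": FAKE_QUERYBATCH_RESULTS.get(key, [])})
        return {"results": results}

    async def get_vuln(self, vuln_id):
        # Real endpoint: GET https://api.osv.dev/v1/vulns/{id}
        self.requests += 1
        self.in_flight += 1
        self.max_in_flight = max(self.max_in_flight, self.in_flight)
        await asyncio.sleep(0.01)  # simulated latency so request overlap is observable
        self.in_flight -= 1
        return FAKE_VULNS[vuln_id]


async def audit(transport, packages, concurrency):
    """Return {package: [full vuln record, ...]} using one batch query plus bounded fetches."""
    queries = [
        {"package": {"name": name, "ecosystem": eco}, "version": version}
        for (eco, name, version) in packages
    ]
    batch = await transport.post_querybatch(queries)

    ids_by_pkg = {}
    unique_ids = set()
    for pkg, result in zip(packages, batch["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]
        ids_by_pkg[pkg] = ids
        unique_ids.update(ids)

    # The semaphore is the equivalent of buffer_unordered(limit) rather than
    # usize::MAX: at most `concurrency` detail requests are outstanding at once.
    sem = asyncio.Semaphore(concurrency)

    async def fetch(vuln_id):
        async with sem:
            return vuln_id, await transport.get_vuln(vuln_id)

    records = dict(await asyncio.gather(*(fetch(i) for i in sorted(unique_ids))))
    return {pkg: [records[i] for i in ids] for pkg, ids in ids_by_pkg.items()}


def run_audit(packages=SAMPLE_PACKAGES, concurrency=2):
    """Synchronous entry point; returns the findings and the transport for inspection."""
    transport = FakeOsvTransport()
    findings = asyncio.run(audit(transport, packages, concurrency))
    return findings, transport


if __name__ == "__main__":
    findings, transport = run_audit()
    for pkg, vulns in findings.items():
        print(pkg, [v["id"] for v in vulns])
    print(f"{transport.requests} requests, peak concurrency {transport.max_in_flight}")
```

Running `run_audit(concurrency=1)` issues three requests in total (one batch query plus one fetch per unique advisory, not per package) and never has more than one detail fetch outstanding; raising the limit lets the fetches overlap up to that bound. The real `/v1/querybatch` endpoint can page large result sets via a `next_page_token` field, which this example does not handle.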

@woodruffw woodruffw requested a review from konstin March 10, 2026 16:23
@woodruffw woodruffw marked this pull request as ready for review March 10, 2026 16:23
Member

@konstin konstin left a comment


We need the concurrency limit, otherwise it's good to go!

//!
//! [OSV]: https://osv.dev/

use std::collections::{HashMap, HashSet};
Contributor


I think we generally prefer using rustc_hash::{FxHashMap, FxHashSet} in uv.

Member Author


Yep, I'll replace. It probably makes sense to slowly replace any pre-existing callsites for these and eventually ban their use via clippy?

Signed-off-by: William Woodruff <william@astral.sh>
Signed-off-by: William Woodruff <william@astral.sh>
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw merged commit 761c746 into main Mar 11, 2026
110 checks passed
@woodruffw woodruffw deleted the ww/uv-audit-osv-bulk branch March 11, 2026 11:25
woodruffw added a commit that referenced this pull request Mar 11, 2026
## Summary

Follows #18394. This plumbs the actual concurrency settings (rather than
their default) and removes the default impl for `Osv`.

## Test Plan

NFC.

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw mentioned this pull request Mar 16, 2026