REQUEST: Support `uv.lock` lockfile used by uv

[Fra9ment]

The uv( https://docs.astral.sh/uv/ ) is a single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine, virtualenv, and more.

And packages are hosted by PyPI.

This scanner may be able to support uv.lock files with minor modifications.

Note

The uv doesn't have a v1 release yet.

So, the lockfile format may change...

For other uv users

You can indirectly scan uv.lock files by exporting requirements.txt

uv export --frozen --output-file requirements.txt --quiet
# and exec osv-scanner

[lengau]

This would be useful for me, as it would scan the entire lockfile rather than just what gets exported. For example, the lockfiles can contain mutually exclusive dependencies that cannot be exported to requirements files.

[NellyWhads]

Is there a rough timeline on the release of this feature? Do we need to await a new osv-scanner release to use it?

[cuixq]

@NellyWhads thank you for your interest in this feature! We just released OSV-Scanner v2.0.0-beta1 which supports extracting uv.lcok. Feel free to try it out and leave your feedback!

[NellyWhads]

Sweet @cuixq ! Once verified, what does the release schedule look like for this feature in the regular releases?

[cuixq]

This feature is already release in the recent v2.0.0-beta1 release.
If you mean the general OSV-Scanner release, we usually do this every three weeks. We are aiming for end of February for the official v2 release.

[NellyWhads]

Perfect, thanks! I can test it of course, but we have some limitations on beta and pre-releases for use in production, hence my asking. Awesome work guys, and thank you again!

…

On Mon, Feb 3, 2025, 9:24 PM Xueqin Cui ***@***.***> wrote: This feature is already release in the recent v2.0.0-beta1 <https://github.com/google/osv-scanner/releases/tag/v2.0.0-beta1> release. If you mean the general OSV-Scanner release, we usually do this every three weeks. We are aiming for end of February for the official v2 release. — Reply to this email directly, view it on GitHub <#1406 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB5IPZI6PRVZ4J3QO5SFYJL2OAQGLAVCNFSM6AAAAABSAAEUKOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMZSGYYTCMJTGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>