I wrote a new post for the Astral blog about how we’re building more vulnerability and malware defenses directly into uv:

https://astral.sh/blog/uv-audit

Vulnerability and malware checks in uv

Find vulnerabilities in your Python dependencies with uv audit and prevent installation of known malware with uv's experimental malware detection.

@yossarian do you have a plan to integrate dependency vulnerability auditing in commands that construct/update or even consume a lockfile?
@djc yes! We’re thinking about doing this with `uv add` and similar, the idea being that it’ll hopefully be less disruptive than what npm and other tools do on every install
@yossarian @djc integration with uvx would be great too
@andrewnez @djc I’ll need to confirm but the malware check should work on uvx, at least! If not, that’s probably a bug

@yossarian Looks great! If you ever want to collab on embedding malware detection, let me know; I've been hard at work with https://codeberg.org/atomdrift/litmus (also written in Rust!). We similarly train on data labeled by OSV.

We've only started tuning the Python models, but it's already pretty decent: https://lab.atomdrift.org/python/

@yossarian From the only new bad Python sample I saw today: