astral-sh/uv
uv-audit
crates/uv-audit/ implements the uv audit command — checking installed (or locked)
packages against a vulnerability database.
Purpose
Surface known vulnerabilities (CVEs) in a project's dependency tree. The command can audit
either an installed environment (uv audit) or a lockfile (uv audit --locked). It is a
relatively recent addition; in the spirit of cargo audit and pip-audit.
Key abstractions
Vulnerability— a single known issue: identifier, affected versions, severity, fix versions, link.Database— the vulnerability database loader (PyPA Advisory Database is the default source).- Audit drivers that walk the resolved environment / lockfile and produce a report.
See also
uv-installerfor the source of "what's installed."uv-resolverfor the lockfile parser used in--lockedmode.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.