
REQUEST: Support uv.lock lockfile used by uv #1406

Open
Fra9ment opened this issue Nov 18, 2024 · 1 comment · May be fixed by google/osv-scalibr#314
Labels
enhancement New feature or request

Comments

@Fra9ment

Fra9ment commented Nov 18, 2024

uv (https://docs.astral.sh/uv/) is a single tool to replace pip, pip-tools, pipx, poetry, pyenv, twine, virtualenv, and more.

And packages are hosted by PyPI.

This scanner may be able to support uv.lock files with minor modifications.

Note

uv doesn't have a v1 release yet.

So, the lockfile format may change...

For other uv users

You can indirectly scan uv.lock files by exporting a requirements.txt:

```shell
uv export --frozen --output-file requirements.txt --quiet
# and exec osv-scanner
```
@cuixq cuixq added the enhancement New feature or request label Nov 18, 2024
@G-Rath G-Rath linked a pull request Dec 1, 2024 that will close this issue
@lengau

lengau commented Dec 9, 2024

This would be useful for me, as it would scan the entire lockfile rather than just what gets exported. For example, the lockfiles can contain mutually exclusive dependencies that cannot be exported to requirements files.
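As an added illustration of what direct uv.lock support involves, here is a minimal Go extractor that reads name/version pairs straight from the lockfile, including the case raised above where one package is locked at two versions under mutually exclusive markers. This is example code written for this discussion, not osv-scanner's or osv-scalibr's implementation, and the uv.lock layout it assumes ([[package]] tables with unindented name, version and resolution-markers keys) is taken from files uv generates, not from a published spec.

```go
package main

import (
	"bufio"
	"strings"
)

// LockedPackage is one [[package]] entry of a uv.lock file.
type LockedPackage struct{ Name, Version string }

// unquote strips the double quotes of a TOML basic string (uv writes names and versions without escapes).
func unquote(v string) string { return strings.Trim(v, `"`) }

// ParseUvLock reads the TOML subset uv writes line by line: a [[package]] header
// starts an entry, any other header ends it, and only unindented name/version keys
// directly under [[package]] count, so `name` inside dependency arrays or
// [package.metadata] is ignored. Layout assumed from generated uv.lock files.
func ParseUvLock(lock string) []LockedPackage {
	var pkgs []LockedPackage
	inPackage := false
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), " \t")
		switch {
		case line == "[[package]]":
			pkgs = append(pkgs, LockedPackage{})
			inPackage = true
		case strings.HasPrefix(line, "["):
			inPackage = false // [package.metadata], [manifest], ...
		case inPackage && strings.HasPrefix(line, "name = "):
			pkgs[len(pkgs)-1].Name = unquote(strings.TrimPrefix(line, "name = "))
		case inPackage && strings.HasPrefix(line, "version = "):
			pkgs[len(pkgs)-1].Version = unquote(strings.TrimPrefix(line, "version = "))
		}
	}
	return pkgs
}

// sampleLock is a constructed uv.lock excerpt, not a real project's lockfile: one
// package resolved twice under mutually exclusive markers, plus a sub-table.
const sampleLock = `[[package]]
name = "numpy"
version = "1.26.4"
resolution-markers = ["python_full_version < '3.10'"]
[[package]]
name = "numpy"
version = "2.1.3"
resolution-markers = ["python_full_version >= '3.10'"]
[package.metadata]
requires-dist = [{ name = "numpy", specifier = ">=1.26" }]
`
```

Both numpy entries come back as separate packages, each of which can then be queried against OSV on its own.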
