uv/crates
Zanie Blue f84faf726a Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805)
uv’s default index strategy was designed with dependency confusion
attacks in mind. [According to the
docs](https://docs.astral.sh/uv/configuration/indexes/#searching-across-multiple-indexes),
“if a package exists on an internal index, it should always be installed
from the internal index, and never from PyPI”. Unfortunately, this is
not true in the case where authentication fails on that internal index.
In that case, uv will simply try the next index (even on the
`first-index` strategy). This means that uv is not secure by default in
this common scenario.

This PR causes uv to stop searching for a package if it encounters an
authentication failure at an index. It is possible to opt out of this
behavior for an index with a new `pyproject.toml` option
`ignore-error-codes`. For example:

```
[[tool.uv.index]]
name = "my-index"
url = "<index-url>"
ignore-error-codes = [401, 403]
```

This will also enable users to handle idiosyncratic registries in a more
fine-grained way. For example, PyTorch registries return a 403 when a
package is not found. In this PR, we special-case PyTorch registries to
ignore 403s, but users can use `ignore-error-codes` to handle similar
behaviors if they encounter them on internal registries.

Depends on #12651

Closes #9429
Closes #12362
2025-04-29 16:37:00 -05:00
uv Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805) 2025-04-29 16:37:00 -05:00
uv-auth Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805) 2025-04-29 16:37:00 -05:00
uv-bench Remove flyte-short-incompatible benchmark for too many false positives (#13181) 2025-04-28 18:01:34 +02:00
uv-build Bump version to v0.6.17 (#13110) 2025-04-25 12:57:07 -05:00
uv-build-backend Build backend: Add reference docs and schema (#12803) 2025-04-21 12:27:49 +02:00
uv-build-frontend Bump MSRV to 1.84 (#12670) 2025-04-04 11:49:26 -04:00
uv-cache Optional managed Python archive download cache (#12175) 2025-04-28 12:09:09 +02:00
uv-cache-info Avoid allocations for default cache keys (#12063) 2025-03-17 19:59:32 -04:00
uv-cache-key Use hash instead of full wheel name in wheels bucket (#11738) 2025-02-26 22:41:57 +00:00
uv-cli Fix display name for uvx --version (#13109) 2025-04-29 16:37:00 -05:00
uv-client Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805) 2025-04-29 16:37:00 -05:00
uv-configuration Add poetry-core as a build backend option (#12781) 2025-04-28 19:11:52 +00:00
uv-console Bump MSRV to 1.84 (#12670) 2025-04-04 11:49:26 -04:00
uv-dev display aliases for long and short args in the cli reference (#12824) 2025-04-10 16:36:22 -05:00
uv-dirs Add support for global uv python pin (#12115) 2025-03-13 13:48:37 +01:00
uv-dispatch Move lowered requirement source type out of uv-pypi-types (#12356) 2025-03-20 21:16:12 -04:00
uv-distribution Implement RFC 7231 compliant relative URI and fragment handling in redirects (#13050) 2025-04-28 09:07:06 +02:00
uv-distribution-filename Bump MSRV to 1.84 (#12670) 2025-04-04 11:49:26 -04:00
uv-distribution-types Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805) 2025-04-29 16:37:00 -05:00
uv-extract only warn if CRC appears to be missing (#12722) 2025-04-07 12:49:05 -05:00
uv-fs Bump MSRV to 1.84 (#12670) 2025-04-04 11:49:26 -04:00
uv-git Implement RFC 7231 compliant relative URI and fragment handling in redirects (#13050) 2025-04-28 09:07:06 +02:00
uv-git-types Avoid querying GitHub on repeated install invocations (#12767) 2025-04-08 22:00:40 -04:00
uv-globfilter Build backend: Add reference docs and schema (#12803) 2025-04-21 12:27:49 +02:00
uv-install-wheel Block scripts from overwriting python (#13051) 2025-04-25 07:10:10 +00:00
uv-installer Add subdirectory to Direct URL for local directories (#12971) 2025-04-18 11:57:58 -04:00
uv-macros Build backend: Add reference docs and schema (#12803) 2025-04-21 12:27:49 +02:00
uv-metadata only warn if CRC appears to be missing (#12722) 2025-04-07 12:49:05 -05:00
uv-normalize Refactor ExtraSpecification to support default-extras (#12964) 2025-04-28 13:30:14 -04:00
uv-once-map Bump MSRV to 1.84 (#12670) 2025-04-04 11:49:26 -04:00
uv-options-metadata Upgrade minimum Rust version to 1.83 (#9815) 2024-12-11 10:06:19 -06:00
uv-pep440 Address #12836 review comment (#12873) 2025-04-14 08:10:34 +00:00
uv-pep508 Fix panic with invalid last char in PEP 508 name (#13105) 2025-04-25 14:56:46 +02:00
uv-performance-memory-allocator Update Rust crate mimalloc to v0.1.46 (#12863) 2025-04-14 10:10:12 +02:00
uv-platform-tags Fix GraalPy abi tag parsing and discovery (#12154) 2025-03-13 23:55:07 +00:00
uv-publish Implement RFC 7231 compliant relative URI and fragment handling in redirects (#13050) 2025-04-28 09:07:06 +02:00
uv-pypi-types Add uv export support for PEP 751 (#12955) 2025-04-21 21:21:17 +00:00
uv-python Omit Python 3.7 downloads from managed versions (#13022) 2025-04-29 16:37:00 -05:00
uv-requirements Reject non-PEP 751 TOML files in install commands (#13120) 2025-04-29 16:37:00 -05:00
uv-requirements-txt Move lowered requirement source type out of uv-pypi-types (#12356) 2025-03-20 21:16:12 -04:00
uv-resolver Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805) 2025-04-29 16:37:00 -05:00
uv-scripts Avoid writing empty requires-python to script blocks (#12517) 2025-03-28 10:26:51 -04:00
uv-settings Add PEP 751 support to uv pip compile (#13019) 2025-04-21 22:48:54 +00:00
uv-shell Add support for Windows legacy scripts via uv tool run (#12079) 2025-03-11 09:02:17 -05:00
uv-small-str Edition 2024 prep: Escape r#gen and remove redundant ref (#11922) 2025-03-03 11:13:56 +00:00
uv-state Add uv-dirs to consolidate directory lookup methods (#8453) 2024-10-22 11:33:25 -05:00
uv-static Optional managed Python archive download cache (#12175) 2025-04-28 12:09:09 +02:00
uv-tool Treat empty UV_TOOL_DIR as unset (#12905) 2025-04-29 16:37:00 -05:00
uv-torch Disallow mixing requirements across PyTorch indexes (#13179) 2025-04-28 20:06:18 +00:00
uv-trampoline Update Rust crate windows to 0.61.0 (#13159) 2025-04-28 13:36:29 +02:00
uv-trampoline-builder Upgrade zip crate to v2 (#12196) 2025-03-16 23:58:11 +00:00
uv-types Use a boxed slice for extras and groups (#12391) 2025-03-22 11:53:36 -04:00
uv-version Bump version to v0.6.17 (#13110) 2025-04-25 12:57:07 -05:00
uv-virtualenv Unset SCRIPT_PATH in relocatable activation script (#12672) 2025-04-07 13:11:47 -05:00
uv-warnings chore: Move all integration tests to a single binary (#8093) 2024-10-11 16:41:35 +02:00
uv-workspace change uv version to be an interface for project version reads and edits (#12349) 2025-04-29 16:37:00 -05:00
README.md Link to Dependency specifiers instead of PEP 508 (#8411) 2024-10-21 14:43:38 -04:00

Crates

uv-bench

Functionality for benchmarking uv.

uv-cache-key

Generic functionality for caching paths, URLs, and other resources across platforms.

uv-distribution-filename

Parse built distribution (wheel) and source distribution (sdist) filenames to extract structured metadata.

uv-distribution-types

Abstractions for representing built distributions (wheels) and source distributions (sdists), and the sources from which they can be downloaded.

uv-install-wheel-rs

Install built distributions (wheels) into a virtual environment.

uv-once-map

A waitmap-like concurrent hash map for executing tasks exactly once.

uv-pep440-rs

Utilities for interacting with Python version numbers and specifiers.

uv-pep508-rs

Utilities for parsing and evaluating dependency specifiers, previously known as PEP 508.

uv-platform-tags

Functionality for parsing and inferring Python platform tags as per PEP 425.

uv-cli

Command-line interface for the uv package manager.

uv-build-frontend

A PEP 517-compatible build frontend for uv.

uv-cache

Functionality for caching Python packages and associated metadata.

uv-client

Client for interacting with PyPI-compatible HTTP APIs.

uv-dev

Development utilities for uv.

uv-dispatch

A centralized struct for resolving and building source distributions in isolated environments. Implements the traits defined in uv-types.

uv-distribution

Client for interacting with built distributions (wheels) and source distributions (sdists). Capable of fetching metadata, distribution contents, etc.

uv-extract

Utilities for extracting files from archives.

uv-fs

Utilities for interacting with the filesystem.

uv-git

Functionality for interacting with Git repositories.

uv-installer

Functionality for installing Python packages into a virtual environment.

uv-python

Functionality for detecting and leveraging the current Python interpreter.

uv-normalize

Normalize package and extra names as per Python specifications.

uv-requirements

Utilities for reading package requirements from pyproject.toml and requirements.txt files.

uv-resolver

Functionality for resolving Python packages and their dependencies.

uv-shell

Utilities for detecting and manipulating shell environments.

uv-types

Shared traits for uv, to avoid circular dependencies.

uv-pypi-types

General-purpose type definitions for types used in PyPI-compatible APIs.

uv-virtualenv

A venv replacement to create virtual environments in Rust.

uv-warnings

User-facing warnings for uv.

uv-workspace

Workspace abstractions for uv.

uv-requirements-txt

Functionality for parsing requirements.txt files.