- uv audit is a new command that scans your dependencies for known vulnerabilities and "adverse" project statuses (such as being deprecated)
- uv add, uv sync, etc. can now perform a lightweight OSV-based lookup that checks the resolved packages against known malware entries on every sync operation; try it by setting UV_MALWARE_CHECK=1
Both are in preview, considered unstable, and there may be breaking changes…
Meanwhile, don't forget uv's exclude-newer cooldown: https://docs.astral.sh/uv/reference/settings/#exclude-newer
# pyproject.toml
[tool.uv]
exclude-newer = "P3D" # "3 days" as an ISO 8601 duration; an RFC 3339 timestamp such as "2025-01-01T00:00:00Z" also works
Or use it with uv pip compile to generate pinned requirements with a cooldown:
$ uv pip compile --exclude-newer "3 days" requirements.in -o requirements.txt