
Scan timing: clone 4.63s · analysis 10.16s · 27.9 MB · GitHub API rate-limit (preflight)

astral-sh/uv

https://github.com/astral-sh/uv · scanned 2026-05-31 01:25 UTC (5 days, 7 hours ago) · 10 languages

493 findings (142 legacy + 351 scanner) · 11/13 scanners ran · 60th percentile · Rust · huge (>500K LoC) · Scanner says 73 (higher by 11)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 320 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score           100.0    0.25         25.00
testing_score             84.0    0.20         16.80
documentation_score      100.0    0.15         15.00
practices_score          100.0    0.15         15.00
code_quality              35.0    0.10          3.50
Overall                            1.00          84.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary Repository scanned at 73.4/100 with 100.0% coverage. It contains 1976 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 178 findings — concentrated in quality (121), security (26), software (18). Risk profile is high: 26 critical, 0 high, 24 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 272 of 320 findings.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
crates/uv-configuration/src/proxy_url.rs:169 · quality · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.GITLAB_TEST_PUBLISH_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GITLAB_TEST_PUBLISH_ACCESS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:353 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.GITLAB_TEST_PUBLISH_TRIGGER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GITLAB_TEST_PUBLISH_TRIGGER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:352 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_CLOUDSMITH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_CLOUDSMITH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:407 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_CODEBERG_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_CODEBERG_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:406 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_GITLAB_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_GITLAB_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:405 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_KEYRING` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_KEYRING }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:390 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:404 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PYX_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_PYX_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:408 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_TEXT_STORE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_TEXT_STORE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:396 · dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:403 · dependency · legacy
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1048 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1094 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1208 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1249 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1297 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1337 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1380 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1445 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1510 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:1541 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:2231 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:2326 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:2422 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:2536 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:2568 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/middleware.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/middleware.rs:2591 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-auth/src/store.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-auth/src/store.rs:493 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-client/src/registry_client.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-client/src/registry_client.rs:1739 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-client/src/registry_client.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-client/src/registry_client.rs:1795 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-client/src/registry_client.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-client/src/registry_client.rs:1845 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-keyring/src/mock.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-keyring/src/mock.rs:286 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-keyring/src/secret_service.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-keyring/src/secret_service.rs:64 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-keyring/src/secret_service.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-keyring/src/secret_service.rs:801 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv-keyring/src/windows.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv-keyring/src/windows.rs:759 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv/src/commands/auth/login.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv/src/commands/auth/login.rs:142 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/uv/src/commands/publish.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/uv/src/commands/publish.rs:598 secrets
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
crates/uv-virtualenv/src/_virtualenv.py:80 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
.claude/hooks/post-edit-format.py:22 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
crates/uv-platform/src/cpuinfo.rs:71 · quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
crates/uv-extract/src/hash.rs:11 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
python/uv/__main__.py:43 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
Review and fix per the pattern semantics. See CWE-1188 for context.
crates/uv/src/commands/build_backend.rs:56 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
Review and fix per the pattern semantics. See CWE-1188 for context.
crates/uv-resolver/src/dependency_provider.rs:30 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
Review and fix per the pattern semantics. See CWE-1188 for context.
crates/uv-macros/src/lib.rs:32 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_file: Test function `test_file` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
scripts/scenarios/generate.py:84 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.install_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_cold`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.install_cold = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:102 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.install_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_cold`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.install_cold = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/tools.py:36 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.install_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_warm`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.install_warm = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:104 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.install_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_warm`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.install_warm = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/tools.py:38 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.name` used but never assigned in __init__: Method `template_file` of class `TemplateKind` reads `self.name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.name = <default>` in __init__, or add a class-level default.
scripts/scenarios/generate.py:82 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_cold`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_cold = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:94 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_incremental` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_incremental`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_incremental = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:98 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_noop` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_noop`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_noop = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:100 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_warm`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_warm = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:96 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.run` used but never assigned in __init__: Method `command` of class `Suite` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.run = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/tools.py:40 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `install_cold` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:775 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `install_cold` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:536 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `install_warm` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:810 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `install_warm` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:581 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:661 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:389 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:1058 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_incremental` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:700 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_incremental` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:443 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_noop` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:745 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_noop` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:499 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:678 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:416 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.setup = <default>` in __init__, or add a class-level default.
scripts/benchmark/src/benchmark/resolver.py:1079 · quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.value` used but never assigned in __init__: Method `test_file` of class `TemplateKind` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.value = <default>` in __init__, or add a class-level default.
scripts/scenarios/generate.py:85 · quality · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
crates/uv-dev/builder.dockerfile:3 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `quay.io/pypa/manylinux2014` unpinned: `container/services image: quay.io/pypa/manylinux2014` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `quay.io/pypa/manylinux2014@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/build-release-binaries.yml:361 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/abravalheri/validate-pyproject` pinned to mutable rev `v0.24.1`: `.pre-commit-config.yaml` references `https://github.com/abravalheri/validate-pyproject` at `rev: v0.24.1`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:9 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.14`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.14.14`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:45 · dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/crate-ci/typos` pinned to mutable rev `v1.42.3`: `.pre-commit-config.yaml` references `https://github.com/crate-ci/typos` at `rev: v1.42.3`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:13 dependencylegacy
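The MINED126 and MINED131 findings above describe one rule: a reference that names a tag (`v0.24.1`, a bare image tag, `actions/foo@v4`) can be moved by someone else, while a sha256 digest or a 40-character commit SHA cannot. The checker below is an added example written for this page, not code from uv or from the scanner. The workflow and `.pre-commit-config.yaml` snippets it scans are constructed, the 40-character values in them are placeholders rather than real commits, and the line-based scan is a heuristic that assumes one reference per line and does not parse YAML.

```python
import re

# An immutable reference is a 40-hex commit SHA (git) or a sha256 digest (OCI).
SHA40 = re.compile(r"^[0-9a-f]{40}$")
IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?([^'"\s#]+)""")
REV_LINE = re.compile(r"""^\s*rev:\s*['"]?([^'"\s#]+)""")
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def find_mutable_refs(text: str) -> list:
    """Return (line_number, kind, reference) for every reference a third party
    could move: an image without @sha256:, a pre-commit rev that is not a
    commit SHA, or an action pinned to a tag or branch instead of a SHA.

    Heuristic line scan (assumption: one reference per line, as in the files
    this page reports on); it does not parse YAML and needs no PyYAML.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IMAGE_LINE.match(line)
        if m:
            if "@sha256:" not in m.group(1):
                findings.append((lineno, "image", m.group(1)))
            continue
        m = REV_LINE.match(line)
        if m:
            if not SHA40.match(m.group(1)):
                findings.append((lineno, "rev", m.group(1)))
            continue
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            # Local actions (./path) and docker:// images are separate cases.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, _, version = ref.partition("@")
            if not SHA40.match(version):
                findings.append((lineno, "uses", ref))
    return findings


# Constructed inputs modelled on the two findings; the 40-character values are
# placeholders, not real commits.
WORKFLOW = """\
jobs:
  build:
    container:
      image: quay.io/pypa/manylinux2014
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

PRECOMMIT = """\
repos:
  - repo: https://github.com/abravalheri/validate-pyproject
    rev: v0.24.1
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: 1111111111111111111111111111111111111111  # frozen: v0.14.14
"""

if __name__ == "__main__":
    for name, text in (("workflow", WORKFLOW), ("pre-commit", PRECOMMIT)):
        for lineno, kind, ref in find_mutable_refs(text):
            print(f"{name}:{lineno}: unpinned {kind} {ref}")
```

The `uses:` check goes beyond the two findings on the page: `actions/checkout@v4` is the same mutable-tag pattern applied to a GitHub Action, and the same digest-or-SHA discipline applies. Run it as a pre-commit hook or CI step over `.github/workflows/*.yml` and `.pre-commit-config.yaml` and fail the build on any output.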
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe` is a .exe binary (45,568 bytes) committed to a repo that otherwise has 705 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it is vendored library code, document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source. Either way, the check reviewers need is a reproducible build: rebuild the trampoline from its sources in CI and compare the hash of the committed file with the fresh build, so that a changed .exe in a PR is caught mechanically rather than by eye.
crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe` is a .exe binary (46,592 bytes) committed to a repo that otherwise has 705 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it is vendored library code, document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe` is a .exe binary (37,888 bytes) committed to a repo that otherwise has 705 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it is vendored library code, document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` is a .exe binary (38,912 bytes) committed to a repo that otherwise has 705 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it is vendored library code, document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe` is a .exe binary (45,056 bytes) committed to a repo that otherwise has 705 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it is vendored library code, document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe` is a .exe binary (46,080 bytes) committed to a repo that otherwise has 705 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it is vendored library code, document it in a VENDORED.md. If it is a build artifact, add the extension to .gitignore and rebuild from source.
crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe:1 dependency · legacy
high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: a value is interpolated into a query string that is then handed to a SQL execute call, so attacker-controlled input can change the statement itself rather than only its operands. Confidence is 0.50: confirm that the sink really is a database cursor and that the interpolated value can come from outside the script before treating this as exploitable.
Use parameterized queries: `cursor.execute('SELECT * FROM t WHERE id = %s', [id])`. Table and column names cannot be passed as parameters; choose them from a hard-coded allowlist and keep every value in the parameter list.
scripts/update_schemastore.py:38 injection · legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: user-controlled input is used in a file path without sanitization, so `..` segments or an absolute path can point the open outside the intended directory and read (or overwrite) arbitrary files.
Resolve the path with `os.path.realpath()` and check it with `os.path.commonpath()` against the expected base directory; a plain `startswith()` check is wrong, because `/srv/base2` starts with `/srv/base`. Use `werkzeug.utils.secure_filename()` for uploaded file names.
scripts/publish-crates.py:80 path_traversal · legacy
high Legacy quality quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: `tarfile.extract*()` called without `filter='data'` writes members whose names contain `..` or an absolute path outside the target directory (CVE-2007-4559). PEP 706 added extraction filters in Python 3.12 and they were backported to the 3.8 to 3.11 maintenance branches, but on those versions a call without `filter=` keeps the old behaviour and only raises a DeprecationWarning; the default becomes `'data'` in 3.14. Ported from bandit B202 (Apache-2.0).
Pass `filter='data'` wherever `hasattr(tarfile, 'data_filter')` is true; on older interpreters validate each member name with `os.path.realpath()` plus `os.path.commonpath()` against the destination before extracting it, and reject symlink and hard-link members too, since their targets are the other escape route.
scripts/repair-sdist-cargo-lock.py:32 quality · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: a non-constant string is concatenated into an LDAP search filter. An attacker who controls it injects `*)(uid=*` style payloads that close the intended assertion and add their own, turning a one-user lookup into a match on every entry, which bypasses lookup-based auth checks or enumerates accounts. Before fixing, confirm that the flagged string actually reaches an LDAP search call rather than merely resembling filter syntax.
Escape the value per RFC 4515 before it enters the filter: `ldap.filter.escape_filter_chars` in python-ldap, `LdapEncoder.filterEncode` in Spring LDAP. (`javax.naming.ldap.Rdn.escapeValue` escapes distinguished-name components, not filter values, and is the wrong tool here.) Better: use APIs that assemble the filter from separately supplied values (Spring LdapTemplate's filter encoders).
scripts/sync-python-version-constants.py:81 injection · legacy
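An added example for the LDAP finding above; it is not code from uv or from python-ldap. It applies the RFC 4515 escaping rule itself (the same transformation `ldap.filter.escape_filter_chars` performs) so it runs without the `ldap` module, and contrasts a filter built by interpolation with one built from an escaped value, using the scanner's own `*)(uid=*` payload. The function names are the example's own.

```python
# RFC 4515 (LDAP search filters): these characters inside an assertion value
# must be written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    r"""Escape one assertion value for use inside an LDAP filter.

    Each character is mapped exactly once, so a literal backslash becomes \5c
    and is not re-escaped by a later pass (the classic double-escaping bug).
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(uid: str) -> str:
    """The pattern the finding flags: raw interpolation into the filter."""
    return f"(&(objectClass=person)(uid={uid}))"


def user_filter(uid: str) -> str:
    """Hardened form: the value is escaped before it enters the filter."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


# Payload quoted in the finding: it closes the uid assertion and appends a
# wildcard assertion, so the unsafe filter matches every person entry.
PAYLOAD = "*)(uid=*"

if __name__ == "__main__":
    print("unsafe:", unsafe_user_filter(PAYLOAD))
    print("escaped:", user_filter(PAYLOAD))
```

With the payload, the unsafe filter becomes `(&(objectClass=person)(uid=*)(uid=*))`, a syntactically valid filter that matches every person; the escaped form keeps the same characters as literal bytes of a single, non-matching uid value.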
high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell: the image build executes whatever the URL serves at build time, so a compromised or redirected host runs code inside the build with no record of what was fetched.
Download the artifact to a file, verify its checksum (`sha256sum --check` against a value recorded in the repo and obtained from the publisher out of band) or its signature, pin the version in the URL, and only then execute it.
crates/uv-trampoline/Dockerfile:38 docker · legacy
medium Legacy security path_traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: archive extraction without path validation lets a crafted member name (`../../.bashrc`, an absolute path, or a symlink member followed by a file written through it) land outside the target directory. Same call site as SEC080 above; one fix closes both.
Resolve each member path with `os.path.realpath()` and accept it only if `os.path.commonpath()` places it under the target directory; pass `filter='data'` where the interpreter supports it.
scripts/repair-sdist-cargo-lock.py:32 path_traversal · legacy
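The three path findings above (SEC013 on `publish-crates.py`, SEC080 and SEC012 on the same `repair-sdist-cargo-lock.py` call) share one containment check: resolve the candidate with `os.path.realpath()` and accept it only if `os.path.commonpath()` puts it under the intended base. The code below is an added example, not uv's code. It builds a constructed tar archive in memory with one benign member and one `../` member, extracts with `filter='data'` on interpreters that have it, and pre-screens members on all interpreters so the behaviour is the same either way. The helper names are the example's own.

```python
import io
import os
import tarfile
import tempfile


def is_within(base: str, candidate: str) -> bool:
    """True if `candidate` (relative to `base`, or absolute) resolves under `base`.

    realpath() collapses `..` and symlinks; commonpath() avoids the startswith
    trap where "/srv/base2" would be accepted as inside "/srv/base".
    """
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(os.path.join(base_real, candidate))
    try:
        return os.path.commonpath([base_real, target_real]) == base_real
    except ValueError:  # different drives on Windows: certainly not within
        return False


def resolve_under(base: str, user_path: str) -> str:
    """Return the resolved path for user-supplied input, or raise ValueError."""
    if not is_within(base, user_path):
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return os.path.realpath(os.path.join(os.path.realpath(base), user_path))


def safe_extract(tar: tarfile.TarFile, dest: str) -> list:
    """Extract the members that stay inside `dest`; return the rejected names."""
    accepted, rejected = [], []
    for member in tar.getmembers():
        if member.issym() or member.islnk() or member.isdev():
            rejected.append(member.name)  # link targets and device nodes escape too
        elif not is_within(dest, member.name):
            rejected.append(member.name)
        else:
            accepted.append(member)
    if hasattr(tarfile, "data_filter"):
        # PEP 706 filter: second layer of defence on interpreters that have it.
        tar.extractall(dest, members=accepted, filter="data")
    else:
        tar.extractall(dest, members=accepted)
    return rejected


def build_sample_tar() -> bytes:
    """Constructed archive (not a real sdist): one benign file, one traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("pkg/ok.txt", b"fine\n"), ("../escape.txt", b"owned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> tuple:
    """Extract the sample into a temp dir; return (extracted, rejected, escaped?)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)
        with tarfile.open(fileobj=io.BytesIO(build_sample_tar()), mode="r") as tar:
            rejected = safe_extract(tar, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _, files in os.walk(dest)
            for f in files
        )
        # The traversal member would have landed one level above dest.
        escaped = os.path.exists(os.path.join(tmp, "escape.txt"))
    return extracted, rejected, escaped


if __name__ == "__main__":
    print(demo())
```

`is_within` is the same check SEC013 needs for a user-supplied file path; `resolve_under` wraps it for that use. Rejecting link members outright is stricter than the `data` filter, which allows links whose targets stay inside the destination, but for build-script extraction of untrusted sdists the strict rule is the safer default.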
medium Legacy quality quality Average file size is 739 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle: each module should have one clear purpose.
quality · legacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Add a .dockerignore with at least `.git`, `.env`, private keys, dependency folders, build outputs, and local databases; anything in the build context can end up in an image layer, and `COPY .` copies all of it.
.dockerignore docker · legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root `USER` in the final runtime stage, after files and permissions are prepared.
crates/uv-trampoline/Dockerfile:63 docker · legacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow (download to a file, read it, verify it, then run it) and pin the downloaded artifact version.
docs/reference/installer.md:57 dependency · legacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/getting-started/installation.md:16 dependency · legacy
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: crates/uv-trampoline/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image. (Same Dockerfile as the legacy finding at line 63 above; one `USER` line in the final stage resolves both.)
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Set a read-only default at the top of the workflow (`permissions: contents: read`, or `permissions: {}`) and grant the single write scope a job needs (`id-token: write` for trusted publishing, `contents: write` for creating releases) on that job only.
.github/workflows/publish-crates.yml supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/publish-pypi.yml supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/sync-python-releases.yml supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/build-docker.yml supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/ci.yml supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-prepare.yml supply-chain · github-actions · least-privilege
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — crates/uv-build/python/uv_build/__init__.py:54
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — crates/uv-python/python/packaging/_musllinux.py:50
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/bump-workspace-crate-versions.py:54
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/check_cache_compat.py:35
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/check_embedded_python.py:27
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/check_registry.py:157
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/check_system_python.py:23
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/generate-crate-readmes.py:57
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/publish-crates.py:45
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/registries-test.py:80
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/repair-sdist-cargo-lock.py:57
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/setup-crates-io-publish.py:60
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/smoke-test/__main__.py:31
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/vendor-packaging.py:44
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
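An added example of the wrapper the fourteen integrity findings above recommend; it is not uv's code. It runs a command with a hard `timeout=`, retries on `TimeoutExpired` (and, only when asked, on a non-zero exit), and raises a single exception type the caller can handle, with the original `subprocess` error attached as the cause. The demo commands spawn the running interpreter itself so the block works offline; the class and function names are the example's own.

```python
import subprocess
import sys
import time


class CommandFailed(RuntimeError):
    """Raised after the last attempt; __cause__ is the underlying subprocess error."""


def run_checked(cmd, *, timeout, attempts=1, backoff=0.0, retry_on_failure=False):
    """Run `cmd`, bounded by `timeout` seconds per attempt, and return the CompletedProcess.

    A hung child (network stall, credential prompt waiting on a TTY) is killed
    by subprocess.run when the timeout expires and is retried up to `attempts`
    times with a linear backoff. A non-zero exit raises immediately unless
    retry_on_failure is set, because a deterministic failure is not fixed by
    running the same command again.
    """
    last_error = None
    attempt = 0
    for attempt in range(1, attempts + 1):
        try:
            return subprocess.run(
                cmd, check=True, capture_output=True, text=True, timeout=timeout
            )
        except subprocess.TimeoutExpired as exc:
            last_error = exc
        except subprocess.CalledProcessError as exc:
            last_error = exc
            if not retry_on_failure:
                break
        if attempt < attempts:
            time.sleep(backoff * attempt)
    raise CommandFailed(
        f"{cmd[0]} failed after {attempt} attempt(s): {last_error!r}"
    ) from last_error


def demo_success() -> str:
    """Well-behaved child: the wrapper returns its stdout."""
    result = run_checked([sys.executable, "-c", "print('ok')"], timeout=10)
    return result.stdout.strip()


def demo_timeout() -> str:
    """Child that never returns: two attempts, then the cause is TimeoutExpired."""
    cmd = [sys.executable, "-c", "import time; time.sleep(30)"]
    try:
        run_checked(cmd, timeout=0.5, attempts=2)
    except CommandFailed as exc:
        return type(exc.__cause__).__name__
    return "no-error"


def demo_exit_status() -> str:
    """Child exits non-zero: no retry by default, cause is CalledProcessError."""
    cmd = [sys.executable, "-c", "import sys; sys.exit(3)"]
    try:
        run_checked(cmd, timeout=10)
    except CommandFailed as exc:
        return type(exc.__cause__).__name__
    return "no-error"


if __name__ == "__main__":
    print(demo_success(), demo_timeout(), demo_exit_status())
```

`subprocess.run` already kills the child when `timeout` expires, so the wrapper does not leak the hung process; what it adds is the bounded retry and one exception type for the script's top level to catch and report, instead of a traceback from deep inside a build step.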
medium 9-layer network security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024): binding it requires root or the `CAP_NET_BIND_SERVICE` capability. Run the service with exactly that capability rather than as root, or listen on an unprivileged port and front it with a load balancer. Verify first that 256 really is an exposed or listened-on port in this Dockerfile and not an unrelated numeric constant matched by the rule.
crates/uv-trampoline/Dockerfile security · ports
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only the packages the image needs.
crates/uv-trampoline/Dockerfile:28 docker · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv/src/commands/pip/install.rs:226 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv/src/commands/pip/install.rs:158 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv/src/commands/cache_prune.rs:11 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv/src/commands/auth/token.rs:32 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-resolver/src/resolver/reporter.rs:15 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-resolver/src/resolver/environment.rs:412 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-resolver/src/lock/tree.rs:79 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-resolver/src/lock/installable.rs:104 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-requirements/src/unnamed.rs:28 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-requirements/src/source_tree.rs:71 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-requirements/src/lookahead.rs:33 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-pypi-types/src/metadata/requires_dist.rs:37 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-publish/src/trusted_publishing/pyx.rs:35 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-platform-tags/src/platform.rs:110 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-platform-tags/src/language_tag.rs:3 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-normalize/src/package_name.rs:7 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-normalize/src/lib.rs:128 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-keyring/src/windows.rs:498 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-installer/src/satisfies.rs:386 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-keyring/src/windows.rs:490 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-keyring/src/secret_service.rs:438 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-keyring/src/mock.rs:154 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-install-wheel/src/uninstall.rs:312 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-distribution/src/metadata/requires_dist.rs:190 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-distribution/src/metadata/requires_dist.rs:152 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-dev/src/generate_sysconfig_mappings.rs:50 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-dev/src/generate_sysconfig_mappings.rs:28 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-dev/src/generate_options_reference.rs:25 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-dev/src/generate_options_reference.rs:11 quality · legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module, or delete the inactive duplicate after proving which path is used.
crates/uv-configuration/src/sources.rs:30 quality · legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change. At confidence 0.62, read the file first: if a `commands/self_update.rs` implements the command its name describes, the name already is the domain concept and the finding can be voted FP.
crates/uv/src/commands/self_update.rs:1 quality · legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change. Apply the same check as above before renaming.
crates/uv/src/commands/cache_clean.rs:1 quality · legacy
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage · deployment
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: crates/uv-installer/src/pip_compileall.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: crates/uv-virtualenv/src/activator/activate_this.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/check_embedded_python.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/uv-run-remote-script-test.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/packages/built-by-uv/data-dir/build-script.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/packages/deptry_reproducer/python/deptry_reproducer/foo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/packages/setup_cfg_editable/setup.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/packages/setup_py_editable/setup.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-dependency-rainbow/check_installed_albatross.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-in-example/check_installed_albatross.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-in-example/examples/bird-feeder/check_installed_bird_feeder.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-just-project/check_installed_albatross.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-project-in-excluded/excluded/bird-feeder/check_installed_bird_feeder.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-root-workspace/check_installed_albatross.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-root-workspace/packages/bird-feeder/check_installed_bird_feeder.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-virtual-workspace/packages/albatross/check_installed_albatross.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/workspaces/albatross-virtual-workspace/packages/bird-feeder/check_installed_bird_feeder.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `x86_64_v2` in crates/uv-python/fetch-download-metadata.py:83
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. Check the meaning before acting: `x86_64_v2` is also the spelling of the x86-64-v2 microarchitecture level defined in the x86-64 psABI, where `_v2` is part of the name rather than a version suffix.
integrity · legacy-marker · dead-code
low 9-layer quality tests conf 1.00 Low test-to-source ratio
129 tests / 545 src (ratio 0.24).
tests
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 10 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/tools.py:install_cold, scripts/benchmark/src/benchmark/tools.py:install_cold, scripts/benchmark/src/benchmark/tools.py:install_cold, scripts/benchmark/src/benchmark/resolver.py:resolve_cold This is *the* AI-coder failu…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 10 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/tools.py:install_warm, scripts/benchmark/src/benchmark/tools.py:install_warm, scripts/benchmark/src/benchmark/tools.py:install_warm, scripts/benchmark/src/benchmark/resolver.py:resolve_warm This is *the* AI-coder failu…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 14 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/resolver.py:install_cold, scripts/benchmark/src/benchmark/resolver.py:install_warm, scripts/benchmark/src/benchmark/resolver.py:install_cold, scripts/benchmark/src/benchmark/resolver.py:install_warm This is *the* AI-co…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: test/packages/flit_editable/flit_editable/__init__.py:main, test/packages/black_editable/black/__init__.py:main This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/tools.py:main, scripts/benchmark/src/benchmark/resolver.py:main This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're sep…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: test/workspaces/albatross-in-example/src/albatross/__init__.py:fly, test/workspaces/albatross-virtual-workspace/packages/albatross/src/albatross/__init__.py:fly, test/workspaces/albatross-root-workspace/src/albatross/__init__.py:fly This is *the* AI-…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: test/workspaces/albatross-virtual-workspace/packages/seeds/src/seeds/__init__.py:seeds, test/workspaces/albatross-root-workspace/packages/seeds/src/seeds/__init__.py:seeds, test/workspaces/albatross-project-in-excluded/packages/seeds/src/seeds/__init_…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/tools.py:run, scripts/benchmark/src/benchmark/tools.py:run, scripts/benchmark/src/benchmark/tools.py:run This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene)…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/resolver.py:setup, scripts/benchmark/src/benchmark/resolver.py:setup, scripts/benchmark/src/benchmark/resolver.py:setup This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/a…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: crates/uv-python/fetch-download-metadata.py:key, crates/uv-python/fetch-download-metadata.py:key, crates/uv-python/fetch-download-metadata.py:key This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: test/workspaces/albatross-in-example/examples/bird-feeder/src/bird_feeder/__init__.py:use, test/workspaces/albatross-virtual-workspace/packages/bird-feeder/src/bird_feeder/__init__.py:use, test/workspaces/albatross-root-workspace/packages/bird-feeder/…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: test/workspaces/albatross-just-project/src/albatross/__init__.py:fly, test/workspaces/albatross-dependency-rainbow/src/albatross/__init__.py:fly, test/packages/setuptools_editable/setuptools_editable/__init__.py:a, test/packages/root_editable/root_edi…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: crates/uv-python/fetch-download-metadata.py:find, crates/uv-python/fetch-download-metadata.py:find, crates/uv-python/fetch-download-metadata.py:find, crates/uv-python/fetch-download-metadata.py:find This is *the* AI-coder failure mode (4× more duplic…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/resolver.py:resolve_incremental, scripts/benchmark/src/benchmark/resolver.py:resolve_incremental, scripts/benchmark/src/benchmark/resolver.py:resolve_incremental, scripts/benchmark/src/benchmark/resolver.py:resolve_incr…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: scripts/benchmark/src/benchmark/resolver.py:resolve_noop, scripts/benchmark/src/benchmark/resolver.py:resolve_noop, scripts/benchmark/src/benchmark/resolver.py:resolve_noop, scripts/benchmark/src/benchmark/resolver.py:resolve_noop This is *the* AI-co…
integrity · duplicate · dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: sort_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
crates/uv-python/fetch-download-metadata.py:722 dead-code
low 9-layer quality integrity conf 1.00 Stub function `a` (body is just `pass`/`return`) — test/packages/setuptools_editable/setuptools_editable/__init__.py:1
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `fly` (body is just `pass`/`return`) — test/workspaces/albatross-dependency-rainbow/src/albatross/__init__.py:1
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `fly` (body is just `pass`/`return`) — test/workspaces/albatross-in-example/src/albatross/__init__.py:4
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `fly` (body is just `pass`/`return`) — test/workspaces/albatross-just-project/src/albatross/__init__.py:1
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `fly` (body is just `pass`/`return`) — test/workspaces/albatross-root-workspace/src/albatross/__init__.py:5
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `fly` (body is just `pass`/`return`) — test/workspaces/albatross-virtual-workspace/packages/albatross/src/albatross/__init__.py:5
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `func` (body is just `pass`/`return`) — test/packages/hatchling_editable/hatchling_editable/__init__.py:1
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality integrity conf 1.00 Stub function `func` (body is just `pass`/`return`) — test/packages/root_editable/root_editable/__init__.py:1
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-auth/src/middleware.rs (2719 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-build-backend/src/lib.rs (2147 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-build-backend/src/metadata.rs (2186 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-cache/src/lib.rs (1466 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-cli/src/lib.rs (8337 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-client/src/html.rs (2062 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-client/src/httpcache/mod.rs (1400 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-client/src/registry_client.rs (2193 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-distribution-types/src/lib.rs (1803 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-distribution/src/distribution_database.rs (1535 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-distribution/src/source/mod.rs (3656 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-fs/src/link.rs (1996 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-install-wheel/src/wheel.rs (1424 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-pep440/src/version.rs (4725 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-pep440/src/version_specifier.rs (2176 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-pep508/src/lib.rs (1884 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-pep508/src/marker/algebra.rs (1857 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-pep508/src/marker/tree.rs (3552 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-platform-tags/src/tags.rs (2917 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-publish/src/lib.rs (2365 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-python/src/discovery.rs (4617 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-python/src/downloads.rs (2439 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-python/src/interpreter.rs (1451 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-python/src/lib.rs (3109 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-python/src/managed.rs (1394 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-requirements-txt/src/lib.rs (3002 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-resolver/src/error.rs (1523 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-resolver/src/lock/export/pylock_toml.rs (1797 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-resolver/src/lock/mod.rs (7333 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-resolver/src/pubgrub/report.rs (2439 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-resolver/src/resolver/mod.rs (4268 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-settings/src/settings.rs (2767 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-static/src/env_vars.rs (1463 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-test/src/lib.rs (2471 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-torch/src/backend.rs (1471 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-workspace/src/pyproject.rs (2042 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-workspace/src/pyproject_mut.rs (2219 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv-workspace/src/workspace.rs (2967 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/project/add.rs (1506 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/project/init.rs (1456 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/project/lock.rs (1619 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/project/mod.rs (3054 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/project/run.rs (2176 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/project/sync.rs (1550 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/commands/python/install.rs (1354 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/lib.rs (2905 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/src/settings.rs (4875 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/audit.rs (2348 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/auth.rs (2318 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/build.rs (2985 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/edit.rs (15607 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/export.rs (9750 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/help.rs (1257 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/init.rs (4226 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/lock_exclude_newer_relative.rs (1595 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/lock_scenarios.rs (5588 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/pip_compile.rs (18643 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/pip_install.rs (16157 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/pip_install_scenarios.rs (4482 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/pip_sync.rs (6543 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/python_install.rs (4702 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/run.rs (7090 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/show_settings.rs (12246 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/sync.rs (17353 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/tool_install.rs (6013 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/tool_run.rs (3975 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/tool_upgrade.rs (1683 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/tree.rs (2358 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/venv.rs (2081 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/version.rs (3320 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/workspace.rs (2401 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/uv/tests/it/workspace_metadata.rs (1558 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: scripts/benchmark/src/benchmark/resolver.py (1478 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/uv-configuration/src/trusted_host.rs:97 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/uv-configuration/src/proxy_url.rs:66 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/uv-auth/src/realm.rs:279 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/uv-requirements/src/lookahead.rs:155 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/uv-keyring/src/error.rs:88 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/uv-extract/src/lib.rs:142 quality · legacy
This page is publicly accessible at: https://repobility.com/scan/bee51646-a8dc-410c-9ffa-753bd32e1390/