uv now embeds native vulnerability scanning and optional malware detection at sync time, replacing separate audit tooling with lockfile-aware context.
July 1, 2026
Summary
Vulnerability scanning shifts from a discrete CI step to inline workflow integration, catching malware before installation and reducing alert fatigue by binding checks to dependency resolution. Lockfile-aware audits leverage uv's already-resolved dependency graph for speed.
Implementation verdict
uv audit replaces pip-audit for most projects; malware checking is opt-in via the UV_MALWARE_CHECK=1 environment variable. Both features are in preview, so the design is unstable and breaking changes are possible. Worth testing now if you already use uv, but wait for the stable release before relying on them in CI-critical workflows. The malware check requires no code changes, but detection is best-effort: it covers only packages indexed in OSV.
Sources
Dev Signal