mirror of
https://github.com/astral-sh/setup-uv.git
synced 2026-06-28 17:00:43 +00:00
c86fe4ef1f
This adds a threat model for `setup-uv` so security scanners can use it as a baseline in terms of what's in-, and out of scope. The TM covers credential recipients, executable and cache boundaries, and release authority. It treats checkout-selected interpreters, paths, virtual environments, symlinks, and helpers as delegated project authority unless they override an explicit workflow choice or cross an independent cache, runner, remote, or publication boundary.
275 B
275 B
Security policy
Report suspected vulnerabilities according to Astral's security policy.
For this repository's security boundaries and reporting criteria, see the setup-uv threat model.