uv audit: add context/warnings for ignored vulnerabilities by woodruffw · Pull Request #18905 · astral-sh/uv

woodruffw · 2026-04-07T16:05:19Z

Summary

This makes two small QoL changes to uv audit:

We now warn the user if they ignore (via CLI or config) a vulnerability ID, but that ID doesn't actually match any known vulnerabilities discovered during the audit. This can happen due to drift (e.g. the user upgrades but forgets to removed a stale ID) or user error (the user typos a vulnerability ID).
We now ignore the number of ignored vulnerabilities as a statistic in the output. In practice, this means users will see something like "5 vulnerabilities (2 ignored)" in the header of uv audit's output if they ignore vulnerabilities.

Added integration tests for the new behavior.

Signed-off-by: William Woodruff <william@astral.sh>

uv audit: add context/warnings for ignored vulnerabilities

f2194e6

Signed-off-by: William Woodruff <william@astral.sh>

woodruffw self-assigned this Apr 7, 2026

woodruffw added enhancement New feature or improvement to existing functionality preview Experimental behavior labels Apr 7, 2026

woodruffw requested a review from konstin April 7, 2026 16:05

woodruffw mentioned this pull request Apr 7, 2026

Roadmap: uv audit #18506

Open

23 tasks