The one thing I'm a bit nervous about: security. Thoughts of supply-chain "what-ifs" give me a bit of pause here. Would like to hear security-minded folks give their thoughts on this.
Hey, we do a couple of things specifically to prevent supply-chain attacks. We use trusted publishing on PyPI, and `--exclude-newer` for uv's package resolution. We also try to use as few dependencies as possible. A transitive dependency could in theory still be problematic though, e.g. if there's a supply-chain attack on numpy.
The tool itself is fully local though, so there's no real security risks there, there are no outbound network calls or anything like that.
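To make concrete what `--exclude-newer` buys you, here is an added example (my own code, not uv's and not the commenter's) that applies the same rule to constructed PyPI-style release metadata: every distribution file uploaded after the cutoff is dropped before the newest version is chosen, so a release pushed after the pinned date cannot be selected no matter how high its version number. The sample data, cutoff and function names are assumptions made up for the illustration.

```python
"""Model of uv's --exclude-newer filtering on PyPI-style release metadata.

The data below is constructed in the shape of PyPI's JSON API
(releases -> version -> list of files, each with upload_time_iso_8601).
"""
from datetime import datetime

# Assumed cutoff: the date the project pinned in its resolver settings.
CUTOFF = "2024-06-01T00:00:00Z"

# Constructed sample: 1.26.x are legitimate releases; 1.27.0 stands in for
# a release that appeared after the cutoff (e.g. via a hijacked account).
SAMPLE_RELEASES = {
    "1.26.3": [{"upload_time_iso_8601": "2024-02-05T10:00:00.000000Z"}],
    "1.26.4": [{"upload_time_iso_8601": "2024-02-06T09:30:00.000000Z"}],
    "1.27.0": [{"upload_time_iso_8601": "2024-06-15T12:00:00.000000Z"}],
}


def parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    """Order simple dotted versions numerically (enough for the sample data)."""
    return tuple(int(part) for part in version.split("."))


def allowed_versions(releases: dict, cutoff: str) -> dict:
    """Keep only files uploaded at or before the cutoff, per version.

    A version whose every file is newer than the cutoff ends up with no
    installable files and is therefore dropped from resolution entirely.
    """
    cut = parse_ts(cutoff)
    kept = {}
    for version, files in releases.items():
        old_enough = [f for f in files if parse_ts(f["upload_time_iso_8601"]) <= cut]
        if old_enough:
            kept[version] = old_enough
    return kept


def resolve(releases: dict, cutoff: str):
    """Pick the newest version that still has a file after filtering, else None."""
    candidates = allowed_versions(releases, cutoff)
    return max(candidates, key=version_key) if candidates else None


def excluded_versions(releases: dict, cutoff: str) -> list:
    """Versions the cutoff removed, useful for auditing what a bump would admit."""
    return sorted(set(releases) - set(allowed_versions(releases, cutoff)), key=version_key)
```

Moving the cutoff forward is the moment to review what it newly admits, which `excluded_versions` lists for you.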