by Bibabomas
27 days ago
Hey, we do a couple of things specifically to prevent supply-chain attacks. We use trusted publishing on PyPI, and `--exclude-newer` for uv's package resolution. We also try to use the least amount of dependencies possible. A transitive dependency could in theory still be problematic though, e.g. if there's a supply-chain attack on numpy. The tool itself is fully local though, so there are no real security risks there; there are no outbound network calls or anything like that.
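The cutoff that `--exclude-newer` imposes on resolution, as an added example that is not part of the comment above and not uv's own code: a small Python model of a resolver that ignores every release uploaded after a chosen timestamp, which is what keeps a freshly pushed malicious release out of a lockfile until it has been visible for a while. The release data is constructed in the shape of PyPI's JSON API, and the rule "a version is eligible only if its newest file was uploaded at or before the cutoff" is an assumption about how uv applies the flag, not a description of its implementation.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the shape of https://pypi.org/pypi/<name>/json
# ("releases" -> version -> list of files). Not real PyPI data.
SAMPLE_RELEASES: Dict[str, List[dict]] = {
    "1.26.4": [{"upload_time_iso_8601": "2024-02-05T10:00:00.000000Z", "yanked": False}],
    "2.0.0":  [{"upload_time_iso_8601": "2024-06-16T12:00:00.000000Z", "yanked": False}],
    "2.0.1":  [{"upload_time_iso_8601": "2024-08-21T12:00:00.000000Z", "yanked": True}],
    # Hypothetical release pushed very recently, e.g. from a compromised
    # maintainer account; a cutoff in the past keeps it out of resolution.
    "2.0.2":  [{"upload_time_iso_8601": "2025-03-01T09:00:00.000000Z", "yanked": False}],
}


def _parse_time(stamp: str) -> datetime:
    # PyPI emits a trailing "Z"; normalise it so older interpreters'
    # fromisoformat() accept the string as an aware datetime.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _version_key(version: str) -> tuple:
    # Good enough for the purely numeric versions in the sample above.
    return tuple(int(part) for part in version.split("."))


def pick_version(releases: Dict[str, List[dict]], exclude_newer: Optional[str]) -> Optional[str]:
    """Return the highest non-yanked version whose files were all uploaded
    at or before `exclude_newer` (ISO-8601), or None if nothing qualifies.
    With exclude_newer=None the newest release wins, as in a plain resolve."""
    cutoff = _parse_time(exclude_newer) if exclude_newer else None
    candidates = []
    for version, files in releases.items():
        # Skip versions with no artifacts or with any yanked file.
        if not files or any(f.get("yanked") for f in files):
            continue
        newest_upload = max(_parse_time(f["upload_time_iso_8601"]) for f in files)
        if cutoff is not None and newest_upload > cutoff:
            continue  # released after the cutoff: invisible to this resolve
        candidates.append(version)
    return max(candidates, key=_version_key) if candidates else None


if __name__ == "__main__":
    print("no cutoff:      ", pick_version(SAMPLE_RELEASES, None))
    print("cutoff 2025-01-01:", pick_version(SAMPLE_RELEASES, "2025-01-01T00:00:00Z"))
```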