Repository Analysis

astral-sh/uv

An extremely fast Python package and project manager, written in Rust.

2.5 Likely human-written
Adjusted Score: 2.5
Raw Score: 2.5
Time Factor: 100%
Last Push: 2026-05-30
Stars: 85,726
Language: Rust
Lines of Code: 497,667
Files: 1089
Pattern Hits: 1288
Scan Date: 2026-05-31


Severity Breakdown

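CRITICAL 6 · HIGH 2 · MEDIUM 37 · LOW 1243 (severity is the scanner's weighting of a pattern hit; this page does not present these as vulnerability ratings)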

Pattern Findings

1288 matches across 14 categories.

Over-Commented Block — 1138 hits · 914 pts
Severity | File | Line | Snippet
LOWCargo.toml401# But compile times with `lto = true` are completely untenable:
LOWcrates/uv-auth/src/index.rs21#[serde(rename_all = "kebab-case")]
LOWcrates/uv-auth/src/store.rs61 /// HTTP Basic Authentication
LOWcrates/uv-auth/src/middleware.rs321#[async_trait::async_trait]
LOWcrates/uv-auth/src/middleware.rs341 /// - Perform the request
LOWcrates/uv-auth/src/realm.rs1use std::hash::{Hash, Hasher};
LOWcrates/uv-keyring/tests/common/mod.rs1#![allow(dead_code)] // not all of these utilities are used by all tests
LOWcrates/uv-keyring/src/secret_service.rs101 target: Option<String>,
LOWcrates/uv-keyring/src/secret_service.rs161
LOWcrates/uv-keyring/src/secret_service.rs321 pub async fn get_all_passwords(&self) -> Result<Vec<String>> {
LOWcrates/uv-keyring/src/secret_service.rs381 }
LOWcrates/uv-keyring/src/error.rs21/// without a `SemVer` break. Clients should always have default handling
LOWcrates/uv-keyring/src/error.rs41 NoEntry,
LOWcrates/uv-keyring/src/lib.rs261 ///
LOWcrates/uv-keyring/src/lib.rs301 /// Set the secret for this entry.
LOWcrates/uv-keyring/src/lib.rs321 pub async fn get_password(&self) -> Result<String> {
LOWcrates/uv-keyring/src/lib.rs341 /// that can be set to string values. See the documentation for each credential store
LOWcrates/uv-keyring/src/lib.rs361 /// that aren't supported by that store.
LOWcrates/uv-keyring/src/lib.rs381 /// on some platforms, and then only if a third-party
LOWcrates/uv-keyring/src/credential.rs41 ///
LOWcrates/uv-keyring/src/credential.rs61 }
LOWcrates/uv-keyring/src/credential.rs81 /// Delete the underlying credential, if there is one.
LOWcrates/uv-keyring/src/windows.rs61/// See the module header for the meanings of these fields.
LOWcrates/uv-keyring/src/windows.rs101 /// The new credential replaces any existing one in the store.
LOWcrates/uv-requirements/src/lookahead.rs21/// The lookahead resolver resolves requirements recursively for direct URLs, so that the resolver
LOWcrates/uv-requirements/src/specification.rs1//! Collecting the requirements to compile, sync or install.
LOWcrates/uv-platform/src/libc.rs241 .ok_or_else(|| LibcDetectionError::GlibcExtractionMismatch(ld_path.clone()))?;
LOWcrates/uv-platform/src/arch.rs21 pub(crate) variant: Option<ArchVariant>,
LOWcrates/uv-platform/src/lib.rs221 // Then architecture
LOWcrates/uv-platform/src/cpuinfo.rs21 }
LOWcrates/uv-scripts/src/lib.rs461
LOWcrates/uv-scripts/src/lib.rs481 /// print("Hello, World!")
LOWcrates/uv-scripts/src/lib.rs541 }
LOWcrates/uv-scripts/src/lib.rs561 // Discard any lines after the closing `# ///`.
LOWcrates/uv-scripts/src/lib.rs741 # requires-python = '>=3.11'
LOWcrates/uv-scripts/src/lib.rs841 let contents = indoc::indoc! {r"
LOWcrates/uv-distribution/src/distribution_database.rs41use crate::{Error, LocalWheel, Reporter, RequiresDist};
LOWcrates/uv-distribution/src/distribution_database.rs561 /// instead be enforced by the caller.
LOWcrates/uv-distribution/src/index/built_wheel_index.rs281 /// ```text
LOWcrates/uv-distribution/src/metadata/lowering.rs281 })?
LOW…ates/uv-distribution/src/metadata/dependency_groups.rs21///
LOWcrates/uv-distribution/src/metadata/requires_dist.rs321/// ```toml
LOWcrates/uv-distribution/src/metadata/requires_dist.rs341/// Version: 0.1.0
LOWcrates/uv-pep508/src/verbatim_url.rs21/// A wrapper around [`Url`] that preserves the original string.
LOWcrates/uv-pep508/src/verbatim_url.rs481 #[error("path could not be normalized: {0}")]
LOWcrates/uv-pep508/src/lib.rs1//! A library for [dependency specifiers](https://packaging.python.org/en/latest/specifications/dependency-specifiers/)
LOWcrates/uv-pep508/src/lib.rs121
LOWcrates/uv-pep508/src/lib.rs701///
LOWcrates/uv-pep508/src/lib.rs901 // name_req = name wsp* extras? wsp* versionspec? wsp* quoted_marker?
LOWcrates/uv-pep508/src/unnamed.rs61 }
LOWcrates/uv-pep508/src/unnamed.rs201}
LOWcrates/uv-pep508/src/unnamed.rs341/// Like [`crate::parse_url`], but allows for extras to be present at the end of the URL, to comply
LOWcrates/uv-pep508/src/marker/lowering.rs41/// Critically, any variants that could be involved in a known-incompatible marker pair should
LOWcrates/uv-pep508/src/marker/algebra.rs1//! This module implements marker tree operations using Algebraic Decision Diagrams (ADD).
LOWcrates/uv-pep508/src/marker/algebra.rs21//! Specifically, a marker tree is represented as a Reduced Ordered ADD. An ADD is ordered if
LOWcrates/uv-pep508/src/marker/algebra.rs541 }
LOWcrates/uv-pep508/src/marker/algebra.rs761 // subtle, but since 1) edges is a disjoint covering of the
LOWcrates/uv-pep508/src/marker/algebra.rs821 /// This method thus encodes assumptions about the environment that are not guaranteed by the
LOWcrates/uv-pep508/src/marker/algebra.rs1041/// Variable ordering is an interesting property of ADDs. A bad ordering
LOWcrates/uv-pep508/src/marker/algebra.rs1061 value: ArcStr,
1078 more matches not shown…
Hallucination Indicators — 6 hits · 60 pts
Severity | File | Line | Snippet
CRITICALcrates/uv-client/src/httpcache/mod.rs685 if self.response.headers.cc.max_age_seconds.is_some() {
CRITICALcrates/uv-client/src/httpcache/mod.rs694 if self.config.shared && self.response.headers.cc.s_maxage_seconds.is_some() {
CRITICALcrates/uv-client/src/httpcache/mod.rs731 || self.response.headers.cc.s_maxage_seconds.is_some()
CRITICALcrates/uv-client/src/httpcache/mod.rs856 if let Some(&max_stale) = self.request.headers.cc.max_stale_seconds.as_ref() {
CRITICALcrates/uv-client/src/httpcache/mod.rs926 if let Some(&s_maxage) = self.response.headers.cc.s_maxage_seconds.as_ref() {
CRITICALcrates/uv-client/src/httpcache/mod.rs935 if let Some(&max_age) = self.response.headers.cc.max_age_seconds.as_ref() {
Self-Referential Comments — 16 hits · 48 pts
Severity | File | Line | Snippet
MEDIUMcrates/uv-python/python/packaging/__init__.py1# This file is dual licensed under the terms of the Apache License, Version
MEDIUMtest/requirements/transformers/pyproject.toml1# This file is a translation of
MEDIUMscripts/uv-run-remote-script-test.py1# This file is used to test `uv run <url>` in ../crates/uv/tests/run.rs
MEDIUMscripts/update_schemastore.py34 # Create a new branch tagged with the current uv commit up to date with the latest
MEDIUMscripts/check_embedded_python.py23 # Create a temporary directory.
MEDIUMscripts/check_embedded_python.py25 # Create a virtual environment with `uv`.
MEDIUMscripts/check_cache_compat.py122 # Create a temporary directory.
MEDIUMscripts/check_system_python.py134 # Create a temporary directory.
MEDIUMscripts/check_system_python.py189 # Create a virtual environment with `uv`.
MEDIUMscripts/benchmark/src/benchmark/resolver.py356 # Create a Poetry project.
MEDIUMscripts/benchmark/src/benchmark/resolver.py640 # Create a PDM project.
MEDIUMscripts/benchmark/src/benchmark/resolver.py1037 # Create a Poetry project.
MEDIUMscripts/smoke-test/commands.sh10# Create a virtual environment and install a package with `uv pip`
MEDIUM.github/workflows/release.yml303 # Create a GitHub Release while uploading all files to it
MEDIUM.github/workflows/release.yml329 # Create a GitHub Release while uploading all files to it
MEDIUM.github/workflows/build-docker.yml283 # Initialize a variable to store all tag docker metadata patterns
Unused Imports — 42 hits · 42 pts
Severity | File | Line | Snippet
LOWcrates/uv-build/python/uv_build/__init__.py21
LOWcrates/uv-build/python/uv_build/__init__.py21
LOWcrates/uv-build/python/uv_build/__init__.py22
LOWcrates/uv-virtualenv/src/activator/activate_this.py31
LOWcrates/uv-python/python/get_interpreter_info.py654
LOWcrates/uv-python/python/packaging/_manylinux.py8
LOW…ed/excluded/bird-feeder/check_installed_bird_feeder.py1
LOW…ed/excluded/bird-feeder/check_installed_bird_feeder.py4
LOW…luded/excluded/bird-feeder/src/bird_feeder/__init__.py1
LOW…oject-in-excluded/packages/seeds/src/seeds/__init__.py1
LOW…lbatross-project-in-excluded/src/albatross/__init__.py1
LOW…ce/packages/bird-feeder/check_installed_bird_feeder.py1
LOW…ce/packages/bird-feeder/check_installed_bird_feeder.py4
LOW…space/packages/bird-feeder/src/bird_feeder/__init__.py1
LOW…ss-root-workspace/packages/seeds/src/seeds/__init__.py1
LOW…ces/albatross-root-workspace/src/albatross/__init__.py1
LOW…ce/packages/bird-feeder/check_installed_bird_feeder.py1
LOW…ce/packages/bird-feeder/check_installed_bird_feeder.py4
LOW…space/packages/bird-feeder/src/bird_feeder/__init__.py1
LOW…virtual-workspace/packages/seeds/src/seeds/__init__.py1
LOW…workspace/packages/albatross/src/albatross/__init__.py1
LOW…aces/albatross-in-example/check_installed_albatross.py4
LOW…le/examples/bird-feeder/check_installed_bird_feeder.py1
LOW…le/examples/bird-feeder/check_installed_bird_feeder.py4
LOW…ample/examples/bird-feeder/src/bird_feeder/__init__.py1
LOW…kspaces/albatross-in-example/src/albatross/__init__.py1
LOW…deptry_reproducer/python/deptry_reproducer/__init__.py1
LOW…ges/built-by-uv/src/built_by_uv/arithmetic/__init__.py1
LOWpython/uv/_find_uv.py1
LOWpython/uv/__init__.py1
LOWpython/uv/__init__.py3
LOWscripts/publish-crates.py12
LOWscripts/update_schemastore.py8
LOWscripts/sync-python-version-constants.py19
LOWscripts/check_cache_compat.py7
LOWscripts/vendor-packaging.py16
LOWscripts/check_system_python.py126
LOWscripts/generate-known-stdlib.py8
LOWscripts/transform_readme.py8
LOWscripts/patch-dist-manifest-checksums.py10
LOWscripts/check-trampoline-version-consistency.py12
LOWscripts/setup-crates-io-publish.py25
Decorative Section Separators — 9 hits · 40 pts
Severity | File | Line | Snippet
MEDIUMcrates/uv-types/src/traits.rs68/// ┌────────────────┐
MEDIUMcrates/uv-types/src/traits.rs70/// └───────▲────────┘
MEDIUMcrates/uv-types/src/traits.rs73/// ┌───────┴────────┐
MEDIUMcrates/uv-types/src/traits.rs74/// ┌─────────►│ uv-dispatch │◄─────────┐
MEDIUMcrates/uv-types/src/traits.rs75/// │ └───────▲────────┘ │
MEDIUMcrates/uv-types/src/traits.rs78/// ┌───────┴────────┐ ┌───────┴────────┐ ┌────────┴────────────────┐
MEDIUMcrates/uv-types/src/traits.rs80/// └───────▲────────┘ └───────▲────────┘ └────────▲────────────────┘
MEDIUMcrates/uv-types/src/traits.rs82/// └─────────────┐ │ ┌──────────────┘
MEDIUMcrates/uv-types/src/traits.rs85/// └────────────────┘
AI Slop Vocabulary — 11 hits · 32 pts
Severity | File | Line | Snippet
MEDIUMcrates/uv-distribution-types/src/any.rs75/// Like [`InstalledVersion`], but with [`CanonicalUrl`] to ensure robust URL comparisons.
MEDIUMcrates/uv-client/src/httpcache/mod.rs254 /// whether a new request can utilize a cached response or not. This is
MEDIUMcrates/uv-extract/src/stream.rs520 // that leverage this feature anyway.
MEDIUMcrates/uv-windows/src/exception.rs37/// halfway through a Rust operation. It needs to be robust to operating with unknown program
MEDIUMcrates/uv/tests/it/init.rs1937 // robust to errors in discovery.
MEDIUMcrates/uv-trampoline/src/bounce.rs198/// PEP 405 specifies a more robust procedure (checking both the parent and grandparent
MEDIUMcrates/uv-trampoline/src/bounce.rs434 // See also <https://github.com/astral-sh/uv/pull/18170> which explores a more robust solution
MEDIUMcrates/uv-build-frontend/src/lib.rs741 // allow us to leverage the hook in _most_ cases while still avoiding incorrect metadata for
MEDIUMcrates/uv-python/src/environment.rs329 // should be generally robust.
MEDIUMcrates/uv-python/src/interpreter.rs156 /// This routine mimics the CPython `getpath.py` logic in order to make a more robust assessment
LOWpython/uv/__main__.py12 # If it's already set, then just use it
Hyper-Verbose Identifiers — 20 hits · 22 pts
Severity | File | Line | Snippet
LOWcrates/uv-build/python/uv_build/__init__.py92def get_requires_for_build_sdist(
LOWcrates/uv-build/python/uv_build/__init__.py100def get_requires_for_build_wheel(
LOWcrates/uv-build/python/uv_build/__init__.py108def prepare_metadata_for_build_wheel(
LOWcrates/uv-build/python/uv_build/__init__.py128def get_requires_for_build_editable(
LOWcrates/uv-build/python/uv_build/__init__.py136def prepare_metadata_for_build_editable(
LOWcrates/uv/tests/it/sync.rs6153 def prepare_metadata_for_build_editable(metadata_directory, config_settings=None):
LOWcrates/uv-python/python/get_interpreter_info.py110def _running_under_legacy_virtualenv() -> bool:
LOWcrates/uv-python/python/get_interpreter_info.py283 def _should_use_osx_framework_prefix() -> bool:
LOWcrates/uv-python/python/get_interpreter_info.py420def get_operating_system_and_architecture():
LOWcrates/uv-python/python/packaging/_manylinux.py83def _glibc_version_string_confstr() -> "str | None":
LOWcrates/uv-python/python/packaging/_manylinux.py102def _glibc_version_string_ctypes() -> "str | None":
LOWscripts/publish-crates.py110def build_cargo_publish_command(
LOWscripts/create-python-mirror.py65def collect_metadata_from_git_history() -> List[Dict]:
LOWscripts/check-trampoline-version-consistency.py21def get_locked_windows_version(lockfile_path: Path) -> str | None:
LOWscripts/setup-crates-io-publish.py114def load_workspace_package_metadata() -> dict[str, object]:
LOWscripts/setup-crates-io-publish.py123def publish_placeholder_crate(
LOWscripts/setup-crates-io-publish.py248def handle_trusted_publisher_error(exc: httpx.HTTPStatusError) -> None:
LOWscripts/publish/test_publish.py287def check_index_for_provenance(
LOWscripts/publish/test_publish.py562def test_reupload_with_check_url(
LOWscripts/publish/test_publish.py630def test_reupload_modified_files(
Verbosity Indicators — 12 hits · 18 pts
Severity | File | Line | Snippet
LOWcrates/uv-publish/src/lib.rs750 // Step 1: Reserve an upload slot.
LOWcrates/uv-publish/src/lib.rs805 // Step 2: Upload the file directly to S3 (if needed).
LOWcrates/uv-publish/src/lib.rs909 // Step 3: Finalize the upload.
LOWcrates/uv/tests/it/pip_install.rs15104 // Step 1: Install as editable first.
LOWcrates/uv/tests/it/pip_install.rs15120 // Step 2: Use `--no-sources`; we should retain the package.
LOWcrates/uv/tests/it/sync.rs16664 // Step 1: `uv sync --no-sources` should install `anyio` from PyPI.
LOWcrates/uv/tests/it/sync.rs16680 // Step 2: `uv sync` should switch to an editable installation.
LOWcrates/uv/tests/it/sync.rs16697 // Step 3: `uv sync --no-sources` again should switch back to PyPI package.
LOWcrates/uv/src/commands/pip/tree.rs239 // Step 1: Add each installed package.
LOWcrates/uv/src/commands/pip/tree.rs253 // Step 2: Add all dependencies.
LOWcrates/uv/src/commands/pip/tree.rs287 // Step 2: Reverse the graph.
LOWcrates/uv/src/commands/pip/tree.rs292 // Step 3: Filter the graph to those nodes reachable from the target packages.
Synthetic Comment Markers — 2 hits · 15 pts
Severity | File | Line | Snippet
HIGHdist-workspace.toml57# Whether CI should include auto-generated code to build local artifacts
HIGHcrates/uv-types/src/requirements.rs32/// A set of requirements as requested by a parent requirement.
Example Usage Blocks — 9 hits · 14 pts
Severity | File | Line | Snippet
LOWscripts/publish-crates.py8# Usage:
LOWscripts/install-cargo-extensions.sh8## Usage:
LOWscripts/check-release-artifact-sboms.sh7## Usage:
LOWscripts/codesign-macos.sh5# Usage:
LOWscripts/nextest-setup-hook-unix.sh7# Usage:
LOWscripts/apply-ci-snapshots.sh4# Usage:
LOWscripts/cargo.sh6## Usage:
LOWscripts/sync_scenarios.sh5# Usage:
LOWscripts/setup-crates-io-publish.py16# Usage:
Deep Nesting — 10 hits · 10 pts
Severity | File | Line | Snippet
LOWcrates/uv-virtualenv/src/_virtualenv.py50
LOWcrates/uv-python/fetch-download-metadata.py218
LOWcrates/uv-python/fetch-download-metadata.py572
LOWcrates/uv-python/fetch-download-metadata.py678
LOWcrates/uv-python/python/get_interpreter_info.py420
LOWcrates/uv-python/python/packaging/_manylinux.py214
LOWscripts/registries-test.py69
LOWscripts/registries-test.py170
LOWscripts/setup-crates-io-publish.py276
LOWscripts/publish/test_publish.py717
Excessive Try-Catch Wrapping — 7 hits · 9 pts
Severity | File | Line | Snippet
MEDIUMcrates/uv/tests/it/run.rs4494 print(f"Error: Expected pythonw.exe but got: {executable}", file=sys.stderr)
LOWscripts/registries-test.py257 except Exception as e:
LOWscripts/registries-test.py339 except Exception as e:
MEDIUMscripts/repair-sdist-cargo-lock.py26 print(f"Error: {sdist_path} is not a valid tar file", file=sys.stderr)
LOWscripts/create-python-mirror.py87 except Exception as e:
LOWscripts/create-python-mirror.py183 except Exception as e:
LOWscripts/create-python-mirror.py287 except Exception as e:
Redundant / Tautological Comments — 4 hits · 5 pts
Severity | File | Line | Snippet
LOWscripts/update_schemastore.py70 # Check if the schema has changed
LOWscripts/nextest-setup-hook-unix.sh18# Set UV_TEST_CODESIGN_IDENTITY to enable signing. See `scripts/codesign-macos.sh`.
LOWscripts/apply-ci-snapshots.sh83# Check if any artifacts were downloaded
LOWscripts/generate-crate-readmes.py123 # Check if README already exists
Fake / Example Data — 2 hits · 2 pts
Severity | File | Line | Snippet
LOWcrates/uv/tests/it/build_backend.rs1258 {name = "Jane Doe", email = "jane@example.com"},
LOWcrates/uv/tests/it/build_backend.rs1259 {name = "John Doe"},