Research whether uv.lock support belongs in CVE Lite CLI or warrants a separate product.
Background
uv is rapidly becoming the default Python package manager for modern Python projects. uv.lock is its lockfile format. A DINUM (French government) user running CVE Lite CLI across government digital service repositories requested Python lockfile scanning.
Questions to answer
- Does adding Python/uv.lock support fit the CVE Lite CLI product identity (currently JS/TS focused) or does it dilute it?
- Would a separate cve-lite-cli-python (or similar) be a better home?
- What would the OSV query surface look like for Python packages vs npm packages?
- Are there existing tools in the Python ecosystem this would compete with or complement (pip-audit, Safety)?
- What is the effort to parse uv.lock vs the JS/TS lockfile formats already supported?
Motivation
Requested by a DINUM (French government) user. No implementation commitment yet - this issue is to scope the decision first.
If you would like to see Python/uv.lock support, please give this issue a 👍 - it helps us prioritize.