uv (python ecosystem)

Bomly uses this chain when it finds uv evidence.

| Property | Value |
|---|---|
| Package manager | uv |
| Ecosystem | python |
| Detector chain | uv-detector, syft-detector |
| Evidence patterns | uv.lock, pyproject.toml |
| Install-first support | Yes |
| Native command hints | uv, syft for bomly-lite |

How uv resolves

uv-detector is hybrid (lockfile-first): it parses uv.lock directly and only falls back to uv run --no-sync python -m pip inspect if the lockfile is missing or cannot be read.

| Path | Strategy | Command |
|---|---|---|
| uv.lock present | Lockfile parser | None |
| Lockfile missing or unreadable | Build tool | uv run --no-sync python -m pip inspect |

The --no-sync flag is critical — it stops uv from fetching missing packages, keeping the inspection offline-safe.

Network behavior

✅ Both paths are offline-safe. The lockfile parser reads a committed file; uv run --no-sync reads from the local environment without syncing.

Prerequisites

  • One of:
    • A committed uv.lock (strongly recommended), or
    • A uv-managed virtualenv (uv sync has been run).
  • pyproject.toml for evidence pattern matching.
  • For --install-first: uv on PATH.

--install-first

uv supports --install-first. When passed, Bomly runs uv sync before resolving the graph.

⚠️ --install-first downloads packages from PyPI and writes to the uv-managed virtualenv. Use it on a clean checkout.

bomly scan --install-first

Customizing the install command

Append flags to uv sync with repeatable --install-arg. Requires --detectors uv-detector.

# Refuse to update the lockfile; sync exactly what's locked
bomly scan --install-first --detectors uv-detector \
  --install-arg --frozen

Examples

Fix a direct vulnerability

[project]
dependencies = [
  "requests>=2.32.0",
]

Raise the floor in pyproject.toml as above, then run uv lock --upgrade-package requests and re-scan.

Pin a transitive vulnerability

uv lock --upgrade-package urllib3

Or add a constraint in pyproject.toml:

[tool.uv]
constraint-dependencies = ["urllib3>=2.2.2"]

Re-lock and re-scan.

Reachability (experimental)

Experimental. Reachability is opt-in via --analyze. The feature is stable in shape but may evolve; ecosystem coverage is expanding.

For uv-managed packages, the analyzer is pyreach at Tier-3 (package). See REACHABILITY.md.

Limitations

  • uv lockfile format is stable but still evolves; track upstream changes if you pin Bomly versions in CI.
  • uv workspaces are scanned per workspace member; each is its own subproject.