We mitigate this attack with the very uninspiring "wait 24h before dep upgrades" solution which is luckily already supported in uv.
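The uv setting that implements the 24h wait mentioned above, as an added example that is not part of the original comment; the file path and the cutoff timestamp are assumptions, and the timestamp is meant to be rolled forward (for example by CI) to "now minus 24 hours":

```toml
# pyproject.toml (path assumed); added illustration, not code from the thread.
[tool.uv]
# uv's resolver ignores any distribution uploaded after this point in time,
# so a release published in the last day is not a candidate for resolution
# or upgrade until it has been public for at least 24h. The value below is
# a placeholder; regenerate it as "now - 24h" before each lock/upgrade.
exclude-newer = "2024-01-01T00:00:00Z"
```

The same cutoff can be passed on the command line as `--exclude-newer` or via the `UV_EXCLUDE_NEWER` environment variable, which is convenient when the date is computed at run time.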
Yeah, but uvx has this thing where it can automatically build the latest environment, and pull the latest (unpinned) version, right?