mirror of
https://github.com/astral-sh/setup-uv.git
synced 2026-06-29 06:29:39 +02:00
Zsolt Dollenstein
c86fe4ef1f
This adds a threat model for `setup-uv` so security scanners can use it as a baseline in terms of what's in-, and out of scope. The TM covers credential recipients, executable and cache boundaries, and release authority. It treats checkout-selected interpreters, paths, virtual environments, symlinks, and helpers as delegated project authority unless they override an explicit workflow choice or cross an independent cache, runner, remote, or publication boundary.