
QuantumScan

astral-sh/uv
Risk score: 42
5 findings · 200 files scanned

The repository uses MD5 in its extraction module (crates/uv-extract/src/hash.rs). MD5's collision resistance is broken: an attacker who controls the input can cheaply produce two different files with the same digest. Producing a file that matches the MD5 of an existing package the attacker did not author (a second preimage) is still impractical, so the realistic abuse case is an attacker who supplies the artifact whose MD5 is recorded and later swaps in a colliding malicious version. Because the code path is package integrity verification rather than authentication or encryption, the impact is contained to that workflow. Note that the occurrences below are each rated critical while the overall exposure is better described as moderate; the practical risk depends on whether an MD5 match is ever accepted as a sufficient integrity check on its own rather than alongside a collision-resistant digest.
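As an added example (not code from this scan page or from uv itself), the Python below shows the distinction the summary turns on: a lenient verifier that lets any matching pin satisfy the check, so an MD5 pin alone passes, beside a hardened verifier that still parses MD5 and SHA-1 pins (so malformed ones fail loudly) but never lets them count, requiring a sha256/sha384/sha512 match. The `<algorithm>:<hex>` pin format follows pip's `--hash` convention, whose hash-checking mode likewise accepts only those three algorithms; the sample archive bytes are constructed and the function names are this example's own. Python is used instead of the project's Rust so the example runs with the standard library alone.

```python
"""Added example: a digest-pin policy that refuses to treat MD5 as an integrity proof."""
import hashlib
import hmac

# Constructed sample bytes standing in for a downloaded archive (not a real wheel).
SAMPLE_PACKAGE = b"PK\x03\x04constructed-sample-archive-bytes\n"

# Collision-resistant algorithms a pin may satisfy (the same set pip's --hash accepts).
STRONG_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})
# Still emitted by some indexes, but practical collision attacks exist for both.
WEAK_ALGORITHMS = frozenset({"md5", "sha1"})
HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}


class HashPolicyError(ValueError):
    """Raised when a pin is malformed or no acceptable pin is available."""


def parse_pin(pin: str) -> tuple[str, str]:
    """Parse an '<algorithm>:<hex digest>' pin into (algorithm, lower-case hex).

    Length and character checks run before any hashing, so a malformed pin
    fails with an error instead of silently never matching.
    """
    algorithm, sep, digest = pin.partition(":")
    if not sep:
        raise HashPolicyError(f"pin is not in <algorithm>:<hex> form: {pin!r}")
    algorithm = algorithm.strip().lower().replace("-", "")
    digest = digest.strip().lower()
    if algorithm not in HEX_LENGTH:
        raise HashPolicyError(f"unknown hash algorithm {algorithm!r}")
    # strip() removes hex characters from both ends; anything left is a non-hex character.
    if len(digest) != HEX_LENGTH[algorithm] or digest.strip("0123456789abcdef"):
        raise HashPolicyError(f"malformed {algorithm} digest {digest!r}")
    return algorithm, digest


def compute_digest(data: bytes, algorithm: str) -> str:
    """Hex digest of data under the named algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_lenient(data: bytes, pins: list[str]) -> bool:
    """The weak pattern: any pin in any algorithm satisfies the check.

    An attacker who controlled the artifact when its MD5 was recorded can
    later substitute a colliding file and still pass here.
    """
    for pin in pins:
        algorithm, expected = parse_pin(pin)
        if hmac.compare_digest(compute_digest(data, algorithm), expected):
            return True
    return False


def verify_strict(data: bytes, pins: list[str]) -> bool:
    """Hardened form: weak-algorithm pins are parsed but can never satisfy the
    check; at least one strong pin must be supplied and the data must match one.
    """
    strong = []
    for pin in pins:
        algorithm, expected = parse_pin(pin)
        if algorithm in STRONG_ALGORITHMS:
            strong.append((algorithm, expected))
    if not strong:
        # Refuse rather than fall back to MD5/SHA-1: a silent pass is the failure mode.
        raise HashPolicyError("no collision-resistant pin (sha256/sha384/sha512) supplied")
    return any(
        hmac.compare_digest(compute_digest(data, algorithm), expected)
        for algorithm, expected in strong
    )


if __name__ == "__main__":
    md5_pin = "md5:" + compute_digest(SAMPLE_PACKAGE, "md5")
    sha_pin = "sha256:" + compute_digest(SAMPLE_PACKAGE, "sha256")
    print("lenient, md5 only:", verify_lenient(SAMPLE_PACKAGE, [md5_pin]))
    print("strict, md5 + sha256:", verify_strict(SAMPLE_PACKAGE, [md5_pin, sha_pin]))
    try:
        verify_strict(SAMPLE_PACKAGE, [md5_pin])
    except HashPolicyError as exc:
        print("strict, md5 only:", exc)
```

The strict verifier raises rather than returning False when only weak pins exist, so a lockfile that carries nothing but MD5 surfaces as a policy error in logs instead of looking like a corrupted download; `hmac.compare_digest` keeps the digest comparison constant-time, which matters little for integrity pins but costs nothing.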

Recent findings

File                                Algorithm  Severity  Business impact
crates/uv-extract/src/hash.rs:21    MD5        critical  55
crates/uv-extract/src/hash.rs:33    MD5        critical  55
crates/uv-extract/src/hash.rs:45    MD5        critical  55
crates/uv-extract/src/hash.rs:46    MD5        critical  55
crates/uv-extract/src/hash.rs:11    MD5        critical  55
Exposure by language: Rust, 5 findings (100%)
Compliance mapping
DORA: Partial
NIS2: OK
NIST PQC: OK
Read-only share link (shows the risk score and top findings without sign-in; source code stays private):
https://quantumscan.io/en/share/468ffad8-dfb9-4623-aa49-c4a9f3149c0e
Add a badge to your README

Show your project's post-quantum readiness in the README. The badge updates automatically after every new scan.

Markdown (badge links to the repository):
[![Post-Quantum Readiness](https://quantumscan.io/api/badge/astral-sh/uv.svg)](https://github.com/astral-sh/uv)

HTML:
<a href="https://github.com/astral-sh/uv"><img src="https://quantumscan.io/api/badge/astral-sh/uv.svg" alt="Post-Quantum Readiness" /></a>

Markdown (badge links to the scan page):
[![QuantumScan](https://quantumscan.io/api/badge/astral-sh/uv.svg)](https://quantumscan.io/en/scan/468ffad8-dfb9-4623-aa49-c4a9f3149c0e)

Save your results & track future changes

Create a free account to get drift alerts, compliance PDF exports, and scan history.

  • Weekly drift alerts when new vulnerabilities appear
  • Track risk score over time across all your repos
  • Export DORA / NIS2 compliance PDF for auditors

Free forever for design partners · No credit card