Jupyter Notebook code review fix: uv install version pinning  #3

@tiffehr

Description

Piping a remote install script directly into sh is a supply-chain risk for dev environments. Consider pinning uv to a specific released version and verifying its checksum/signature (or using an OS package / GitHub release artifact) before executing, to make builds more deterministic and reduce the risk of executing unexpected code.

# Install uv (pinned version with checksum verification)
set -eu
UV_VERSION="0.5.10"
# uv release archives are named by target only; the version appears in the URL path.
UV_ARCHIVE="uv-x86_64-unknown-linux-gnu.tar.gz"
UV_URL="https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/${UV_ARCHIVE}"
# SHA256 checksum for ${UV_ARCHIVE} at ${UV_VERSION}; update if UV_VERSION is changed.
UV_SHA256="PUT_EXPECTED_SHA256_HERE"

TMP_UV_ARCHIVE="$(mktemp)"
curl -LsSf -o "${TMP_UV_ARCHIVE}" "${UV_URL}"
# Abort and discard the download unless the digest matches the pinned value.
# Without an explicit failure branch (or set -e) a failed sha256sum -c would be ignored.
echo "${UV_SHA256}  ${TMP_UV_ARCHIVE}" | sha256sum -c - || { rm -f "${TMP_UV_ARCHIVE}"; exit 1; }
mkdir -p "$HOME/.local/bin"
# The archive contains a top-level uv-x86_64-unknown-linux-gnu/ directory; extract only the uv binary.
tar -xzf "${TMP_UV_ARCHIVE}" -C "$HOME/.local/bin" --strip-components=1 "uv-x86_64-unknown-linux-gnu/uv"
chmod +x "$HOME/.local/bin/uv"
rm -f "${TMP_UV_ARCHIVE}"

Originally posted by @Copilot in #2 (comment)
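The verification step from the suggestion above, factored into a reusable gate so the install can never proceed on a mismatch. This is an added example, not code from the issue or from the uv project; `sha256_of`, `verify_sha256` and `install_verified` are names chosen here, and the install action (a `cp` into a destination directory) stands in for the `tar` extraction of the real flow. The demonstration uses a constructed file instead of a network download so it runs offline.

```shell
#!/bin/sh
# Added example: pin-and-verify gate for a downloaded release artifact.
# Refuses to install unless the file's SHA-256 equals the pinned digest, and
# removes the download on mismatch so a tampered artifact never lingers on disk.
set -eu

# Hex SHA-256 of a file; works with GNU coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: exit status 0 if the digest matches, 1 otherwise.
# The pinned digest is lower-cased so an uppercase copy-paste still compares equal.
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# install_verified ARCHIVE EXPECTED DEST: the gate around the install action.
# On success the artifact is placed in DEST (here: copied; in the real flow this
# is where tar extraction happens). On mismatch the archive is deleted and the
# function returns 1, so a caller running under set -e stops immediately.
install_verified() {
  archive="$1"; expected="$2"; dest="$3"
  if verify_sha256 "$archive" "$expected"; then
    mkdir -p "$dest"
    cp "$archive" "$dest/"
    return 0
  fi
  echo "checksum mismatch for $archive; refusing to install" >&2
  rm -f "$archive"
  return 1
}

# Offline demonstration with a constructed file (contents "hello\n"), not a real download.
demo() {
  good_digest="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"  # sha256 of "hello\n"
  bad_digest="0000000000000000000000000000000000000000000000000000000000000000"   # constructed, wrong on purpose
  dest="$(mktemp -d)"

  genuine="$(mktemp)"
  printf 'hello\n' > "$genuine"
  if install_verified "$genuine" "$good_digest" "$dest"; then
    echo "installed: $dest/$(basename "$genuine")"
  fi

  # Same content, but the pinned digest does not match: the gate rejects it and
  # the downloaded file is gone afterwards.
  suspect="$(mktemp)"
  printf 'hello\n' > "$suspect"
  if install_verified "$suspect" "$bad_digest" "$dest"; then
    echo "unexpected: install went through"
  else
    echo "rejected; artifact removed: $([ -e "$suspect" ] && echo no || echo yes)"
  fi
}

demo
```

The digest you compare against must be the one recorded in your own repository at pin time; a `.sha256` sidecar fetched from the same release URL only detects transfer corruption, because whoever can replace the archive can replace the sidecar too. Note also that `sha256sum -c` on its own just reports the mismatch; the explicit non-zero return from `install_verified` is what turns that report into a stopped build.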

Metadata

Labels: enhancement (New feature or request)

Development: No branches or pull requests