<p>Wherever practical, I also recommend using devcontainers, so that in addition to breaking supply chain security, large-scale damage would require an unpatched sandbox exploit too.

<p>We recently switched to pnpm, in part to guard against supply chain attacks (<a href="https:&#x2F;&#x2F;pnpm.io&#x2F;supply-chain-security" rel="nofollow">https:&#x2F;&#x2F;pnpm.io&#x2F;supply-chain-security</a>).<p>Reading this got me wondering whether uv has something similar, and indeed it does appear to (<a href="https:&#x2F;&#x2F;docs.astral.sh&#x2F;uv&#x2F;reference&#x2F;settings&#x2F;#exclude-newer" rel="nofollow">https:&#x2F;&#x2F;docs.astral.sh&#x2F;uv&#x2F;reference&#x2F;settings&#x2F;#exclude-newer</a>)

<p>It&#x27;s also been reported to their GitHub: <a href="https:&#x2F;&#x2F;github.com&#x2F;BerriAI&#x2F;litellm&#x2F;issues&#x2F;24512" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;BerriAI&#x2F;litellm&#x2F;issues&#x2F;24512</a>

LiteLLM PyPI has been compromised an hour ago, do not update

Comments

darkteflon

nateb2022

rgambee

Bullhorn9268

parad0x0n

Mooshux