
Security News
minimatch Patches 3 High-Severity ReDoS Vulnerabilities
minimatch patched three high-severity ReDoS vulnerabilities that can stall the Node.js event loop, and Socket has released free certified patches.
pre-commit-uv
Advanced tools
Use uv to create virtual environments and install packages for pre-commit.
With pipx:
pipx install pre-commit
pipx inject pre-commit pre-commit-uv
With uv:
uv tool install pre-commit --with pre-commit-uv --force-reinstall
Compared to upstream pre-commit, this speeds up the initial seed operation (creating the hook environments). In general, upstream recommends caching the pre-commit cache directory; however, that is not always possible, and a faster initial cache creation is still helpful. Here's an example of what you could expect, demonstrated on this project's own pre-commit setup (with a hot uv cache):
❯ hyperfine 'pre-commit install-hooks' 'pre-commit-uv install-hooks'
Benchmark 1: pre-commit install-hooks
Time (mean ± σ): 54.132 s ± 8.827 s [User: 15.424 s, System: 9.359 s]
Range (min … max): 45.972 s … 66.506 s 10 runs
Benchmark 2: pre-commit-uv install-hooks
Time (mean ± σ): 41.695 s ± 7.395 s [User: 7.614 s, System: 6.133 s]
Range (min … max): 32.198 s … 58.467 s 10 runs
Summary
pre-commit-uv install-hooks ran 1.30 ± 0.31 times faster than pre-commit install-hooks
Once installed, pre-commit will use uv out of the box; however, if the DISABLE_PRE_COMMIT_UV_PATCH environment variable is set, it acts as an escape hatch that disables the new behavior.
To avoid the interpreter startup overhead of the patching, we only perform it when we detect that pre-commit is being invoked. Should this detection fail, you can force the patching by setting the FORCE_PRE_COMMIT_UV_PATCH variable. Should you experience this, please raise an issue with the content of sys.argv. Note that DISABLE_PRE_COMMIT_UV_PATCH overrides FORCE_PRE_COMMIT_UV_PATCH should both be set.
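As an added illustration of the activation rules above (this is example code written for this page, not pre-commit-uv's own implementation), the function below models the decision: DISABLE_PRE_COMMIT_UV_PATCH always wins, FORCE_PRE_COMMIT_UV_PATCH bypasses detection, and otherwise the patch only applies when the process looks like pre-commit. The variable names come from the README; the argv heuristic (`pre-commit` console script or `python -m pre_commit`) and the convention that "set" means present in the environment are assumptions made here.

```python
# Added example, not part of pre-commit-uv: a stand-alone model of the
# patch-activation precedence described in the README. The environment
# variable names are from the README; the argv heuristic is assumed.
import os
import sys
from typing import Mapping, Sequence


def looks_like_pre_commit(argv: Sequence[str]) -> bool:
    """Assumed heuristic (not the project's real check): is this process pre-commit?

    Matches the `pre-commit` console script (basename of argv[0]) or
    `python -m pre_commit ...`, where argv[0] is the module's __main__.py path.
    """
    if not argv:
        return False
    prog = os.path.basename(argv[0])
    if prog in ("pre-commit", "pre-commit.exe"):
        return True
    return argv[0].endswith(os.path.join("pre_commit", "__main__.py"))


def should_patch(argv: Sequence[str], env: Mapping[str, str]) -> bool:
    """Decide whether to activate the uv patch for this process.

    Precedence per the README: DISABLE_PRE_COMMIT_UV_PATCH overrides
    FORCE_PRE_COMMIT_UV_PATCH, which in turn bypasses argv detection.
    "Set" is modelled as "present in the environment" (assumption).
    """
    if "DISABLE_PRE_COMMIT_UV_PATCH" in env:
        return False
    if "FORCE_PRE_COMMIT_UV_PATCH" in env:
        return True
    return looks_like_pre_commit(argv)


def decision_table() -> list:
    """Constructed scenarios showing each rule, including both flags set at once."""
    cases = [
        (["/usr/bin/pre-commit", "run", "--all-files"], {}),
        (["/usr/bin/git", "commit"], {}),
        (["/usr/bin/git", "commit"], {"FORCE_PRE_COMMIT_UV_PATCH": "1"}),
        (["/usr/bin/pre-commit", "run"], {"DISABLE_PRE_COMMIT_UV_PATCH": "1"}),
        (["/usr/bin/pre-commit", "run"],
         {"DISABLE_PRE_COMMIT_UV_PATCH": "1", "FORCE_PRE_COMMIT_UV_PATCH": "1"}),
        (["/venv/lib/python3.12/site-packages/pre_commit/__main__.py", "run"], {}),
    ]
    return [(argv[0], sorted(env), should_patch(argv, env)) for argv, env in cases]


if __name__ == "__main__":
    # Show the constructed scenarios, then the verdict for the current process.
    for prog, flags, verdict in decision_table():
        print(f"{prog:60s} {','.join(flags) or '-':55s} patch={verdict}")
    print("current process:", should_patch(sys.argv, os.environ))
```

Running the module prints one line per scenario; the fifth line shows the documented rule that DISABLE wins when both variables are present, and the last scenario shows that `python -m pre_commit` is still recognised under the assumed heuristic.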
We found that pre-commit-uv demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.