Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private Security Advisories feature to report vulnerabilities confidentially. We will investigate and respond as soon as we can.

managed-python downloads a pinned release of uv from GitHub. The SHA256 checksum for each platform binary is pinned in distro.toml under [uv_checksums] and verified before the binary is extracted. The checksums are updated automatically by release.py whenever uv_version is bumped.

No other external resources are downloaded at install time.

Only the latest release is actively maintained.