We implement multiple layers of defense to prevent dependency-related attacks:
- All direct dependencies are pinned to exact versions in `pyproject.toml`
- Python 3.12+ is required (see `requires-python` in `pyproject.toml`)
- `uv.lock` serves as the source of truth for all dependencies and their transitive versions
Check for known vulnerabilities before installation:

```bash
# Using pip-audit (requires: pip install pip-audit)
pip-audit --desc
# Using safety (requires: pip install safety)
safety check
```

Both tools audit the Python environment they run in, so run them inside the environment created from `uv.lock` to cover transitive dependencies as well as direct ones.

To prevent malicious scripts from running during installation:
```bash
# --no-deps installs only this project: pip fetches and builds no
# third-party package, so no dependency's build backend runs
pip install --no-deps -e .
# Or use uv, which installs exactly the set recorded in uv.lock and
# checks each distribution against the hash stored there
uv sync
```

Python has no npm-style lifecycle scripts, but building a source distribution runs its build backend (for example a `setup.py`) at install time, which is the step a malicious package abuses. `--no-deps` avoids that for dependencies only because it installs none of them; the locked dependency set then has to be installed separately, which is what `uv sync` does.

The `uv.lock` file should never change without explicit review:
- Pre-commit hooks (when enabled) block commits that modify the lockfile
- Dependency updates require explicit review and testing
- Use `uv add` or `uv lock --upgrade` and review the resulting `uv.lock` diff (new packages, changed versions, changed sources) before committing it
Before publishing releases:

```bash
# Test installation in isolated environment
python -m venv /tmp/test-env
source /tmp/test-env/bin/activate
pip install --no-deps .
tau --help
```

Because `--no-deps` installs nothing but the project itself, the locked dependencies must already be present in the test environment (for example from a requirements file produced by `uv export`); otherwise `tau --help` fails on a missing import rather than on a real packaging problem.

If you discover a security vulnerability, please email jeogeoalukka@gmail.com instead of using the issue tracker.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Current direct dependencies are explicitly pinned. See pyproject.toml for the full list.
Run pip-audit or safety check against uv.lock before release to catch known vulnerabilities in the dependency tree (see Dependency Auditing above).
Key provider libraries:

- `anthropic` — Anthropic Claude API client
- `openai` — OpenAI GPT API client
- `google-genai` — Google Gemini API client
- `mistralai` — Mistral AI API client
- `ollama` — Ollama local models