Switching Pip to Uv in a Dockerized Flask / Django App

I'd like to see a security breakdown of uv versus pip versus conda versus whatever fashionable package manager I've not heard of yet.

Speed is okay, but security of a package manager is far more important.

uv is generally more secure than pip. It resolves dependencies without executing arbitrary code, verifies package hashes by default, and avoids common risks like typosquatting and code execution during install. It's also faster and more reproducible.

https://chaitalks.tech/uv-a-modern-python-package-manager-in...

https://docs.astral.sh/uv/pip/compatibility/

I'd be interested to know under what circumstances pip executes arbitrary code while resolving dependencies ... how does that work ?

And while I'm here ... how does uv go about mitigating typosquatting risks ? I could imagine how it might issue warnings if you perhaps it notices you requesting "dlango", which would work OK for the top 10% but are you suggesting there's some more general solution built into uv ?

I did a quick search but 'typosquatting' is not an easy string to cut through.

To install a package and its dependencies, you need the list of dependencies. This metadata is not always statically available!

Python packages are often just a zip file full of py files, with one of them called 'setup.py'. Running this file installs the package (originally using [distutils](https://docs.python.org/3.9/install/index.html#install-index)). This installation may fail if dependencies are not present, but there’s no method provided for installing those dependencies. You’re supposed to read the error message, go download the source for the missing dependencies, then run their setup.py scripts to install them.

How does uv get around this?