Summary
parse_version_from_uv_dir_name in crates/pet-uv/src/lib.rs validates that a directory name has the right structure (impl-version-platform with a dotted version) but doesn't validate that version components are actually numeric. A directory like cpython-3.abc.def-linux would pass the check.
Details
At lines 365-376, the parser:
- Splits on `-` to get [impl, version, platform]
- Checks the first char of `version` is a digit
- Checks there are ≥2 dot-separated components
But it never validates that subsequent components (abc, def) are numeric.
Impact
Low — uv only produces numeric version directories in practice. However, if a user has non-Python directories in the uv install path, they could be misidentified as Python installations.
Proposed Fix
Add a numeric check: parts.iter().all(|p| p.chars().all(|c| c.is_ascii_digit())) for the dot-separated components.
Introduced By
PR #380 (dd11802 — feat: discover uv-managed global Python installations)
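A side-by-side sketch of the check described above and the proposed fix, added here as an illustration; it is not the code in crates/pet-uv/src/lib.rs. The function names `parse_version_lax` and `parse_version_strict`, the `splitn(3, '-')` split, and the sample directory names are assumptions.

```rust
// Added illustration; not the project's code. Function names are hypothetical.
// Assumes the name is split into at most three parts on '-': impl, version, platform.

/// Mirrors the checks the issue describes: the first char of the version is a
/// digit and there are at least two dot-separated components.
fn parse_version_lax(dir_name: &str) -> Option<String> {
    let mut parts = dir_name.splitn(3, '-');
    let (_impl, version, _platform) = (parts.next()?, parts.next()?, parts.next()?);
    if !version.chars().next()?.is_ascii_digit() {
        return None;
    }
    if version.split('.').count() < 2 {
        return None;
    }
    Some(version.to_string())
}

/// Same structure check plus the proposed numeric check on every component.
/// `!p.is_empty()` is needed because `all` on an empty iterator returns true,
/// so "3..12" would otherwise still be accepted.
fn parse_version_strict(dir_name: &str) -> Option<String> {
    let mut parts = dir_name.splitn(3, '-');
    let (_impl, version, _platform) = (parts.next()?, parts.next()?, parts.next()?);
    let components: Vec<&str> = version.split('.').collect();
    let numeric = components
        .iter()
        .all(|p| !p.is_empty() && p.chars().all(|c| c.is_ascii_digit()));
    if components.len() >= 2 && numeric {
        Some(version.to_string())
    } else {
        None
    }
}

fn main() {
    // Constructed directory names, not taken from a real uv install path.
    let samples = ["cpython-3.12.3-linux-x86_64-gnu", "cpython-3.abc.def-linux",
                   "cpython-3..12-linux", "backup-3-old"];
    for name in samples {
        println!("{name:34} lax={:?} strict={:?}",
                 parse_version_lax(name), parse_version_strict(name));
    }
}
```

A digits-only check also rejects a component such as `0rc1`; whether names like that must be accepted is not covered by the issue.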