Please report security vulnerabilities privately via GitHub's private vulnerability reporting (the repository's Security tab → Report a vulnerability). We'll acknowledge the report and work with you on a fix and coordinated disclosure. Please don't open public issues for security problems.
The security-relevant defaults uv-forge ships — SHA-pinned actions, least-privilege workflows, zizmor/actionlint, trusted publishing, Sigstore signing, and SLSA build provenance — are described in the Security guide.
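Two of those defaults, SHA-pinning and least-privilege permissions, are easy to check mechanically. The script below is an added illustration for this page, not uv-forge's own code or a substitute for zizmor/actionlint (which check far more). It runs a minimal audit over two constructed workflow files: one that references actions by mutable tag and declares no `permissions:`, and one that pins every action to a full commit SHA and grants the default token `contents: read`, with `id-token: write` only on the job that needs an OIDC token for trusted publishing and Sigstore signing. The 40-hex SHAs in the hardened sample are placeholders, not real commits; in a real workflow each one is resolved from the upstream repository, and the trailing `# v4` comment is the convention that lets tooling such as Dependabot keep the pinned SHA current.

```python
import re

# Constructed sample workflows for this example; neither is a uv-forge workflow.
# Weak: actions referenced by mutable tag/branch, and no permissions block, so the
# GITHUB_TOKEN gets the repository's default (often write) scopes.
WEAK_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

# Hardened: every third-party action pinned to a full commit SHA (placeholders here),
# read-only token by default, and id-token: write only where OIDC is actually needed.
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # OIDC token for trusted publishing / Sigstore
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
      - uses: pypa/gh-action-pypi-publish@1111111111111111111111111111111111111111  # release/v1 (placeholder SHA)
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return the `uses:` references that are not pinned to a full 40-hex commit SHA.

    A tag or branch (v4, release/v1, main) can be moved by whoever controls the
    upstream repository, so it is not a stable identity for the code that runs.
    Local (./path) and docker:// references have no git ref to pin and are skipped.
    """
    findings = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow_text):
    """True if the workflow declares a top-level `permissions:` block (column 0)."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


def audit(workflow_text):
    """Collect the findings a reviewer would raise for this workflow text."""
    problems = [f"unpinned action: {ref}" for ref in unpinned_actions(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        problems.append("no top-level permissions block: GITHUB_TOKEN keeps the repository default scopes")
    return problems


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

The check is deliberately line-based so it needs no YAML parser, which also means it will not follow anchors, reusable-workflow `uses:` at the job level, or composite actions; treat it as a demonstration of the rule, and rely on zizmor and actionlint in CI.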