Description
Summary
Hope this is not a duplicate, sorry if that is the case.
Description
When running uv sync in GitLab CI, we hit a case where a source build of a dependency printed the entire os.environ, and that output was passed through by uv into the CI logs. This resulted in multiple sensitive environment variables (DB passwords, test user credentials, CI/infra/repository tokens, etc.) being exposed in the GitLab job log.
In our case the dependency was pymupdf==1.26.6 on CPython 3.13.9 / Alpine (no wheel available), whose setup.py prints detailed environment information including os.environ. Because uv streams the build output directly, all secrets in the environment were logged.
Environment
uv image: astral/uv:0.9-python3.13-alpine
Python: CPython 3.13.9
OS: Alpine Linux
CI: GitLab CI
Dependency: pymupdf==1.26.6 (no prebuilt wheel for this platform/runtime)
Steps to Reproduce
1. Run a GitLab CI job using astral/uv:0.9-python3.13-alpine.
2. Configure the environment with sensitive variables (DB password, tokens, etc.).
3. Add pymupdf==1.26.6 (or any package whose setup.py prints os.environ) to pyproject.toml.
4. Run uv sync.
5. Inspect the CI job log.
Actual Behavior
During the source build of pymupdf, its setup.py prints the full os.environ.
uv forwards this output to stdout.
CI logs now contain all environment variables, including secrets.
The build then fails with Failed to build pymupdf==1.26.6, but the secrets are already exposed.
Expected Behavior
Can uv prevent this somehow? Or can we prevent this ourselves?
The --quiet / -q flag does not hide this.
Screenshot from log:
Platform
astral/uv:0.9-python3.13-alpine
Version
0.9
Python version
3.13
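The report above asks whether the leak can be prevented on the user's side. The following is an added example written for this page; it is not code from the issue, from uv, or from pymupdf. It shows two CI-side mitigations a practitioner can apply around any build step (the wrapped command could be `uv sync` itself, subject to whatever variables uv needs, which this example does not enumerate): running the build with an allowlisted environment so a setup.py that dumps os.environ has no secrets to print, and redacting secret-looking variable values from forwarded output as defence in depth for variables the build genuinely needs. The allowlist, the secret-name pattern, and every variable name and value below are constructed assumptions for illustration.

```python
"""Added example (not part of the uv issue or of uv itself).

Mitigations for a build backend that prints os.environ into CI logs:
  build_env()  - allowlisted environment for the build subprocess
  redact()     - masks values of secret-looking variables in captured output
  run_build()  - runs a command with both applied

All variable names and values here are constructed for illustration.
"""
import os
import re
import subprocess
import sys

# Variables a typical source build needs. This list is an assumption;
# extend it for your CI, but keep credential-bearing variables out of it.
BUILD_ALLOWLIST = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR",
                   "CC", "CXX", "CFLAGS", "LDFLAGS")

# Heuristic for variable names that usually carry secrets (assumption).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|CREDENTIAL)", re.I)

# Ignore very short values so redaction does not mangle unrelated text.
MIN_SECRET_LEN = 8

# Constructed stand-in for a CI environment (not real credentials).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "HOME": "/root",
    "DB_PASSWORD": "hunter2-but-longer",
    "CI_JOB_TOKEN": "glcbt-constructed-token",
    "RELEASE": "1",
}

# Constructed stand-in for a setup.py that dumps its whole environment.
LEAKY_BUILD = [sys.executable, "-c", "import os; print(sorted(os.environ.items()))"]


def build_env(source=None, extra=()):
    """Return only allowlisted variables (plus `extra`, passed through deliberately)."""
    source = os.environ if source is None else source
    wanted = tuple(BUILD_ALLOWLIST) + tuple(extra)
    return {name: source[name] for name in wanted if name in source}


def secret_values(source=None):
    """Map of variable name -> value for variables whose names look secret-bearing."""
    source = os.environ if source is None else source
    return {name: value for name, value in source.items()
            if SECRET_NAME.search(name) and len(value) >= MIN_SECRET_LEN}


def redact(text, source=None):
    """Replace every occurrence of a secret value in `text` with a labelled marker.

    Longer values are replaced first so a secret that is a substring of
    another secret cannot leave a fragment behind.
    """
    for name, value in sorted(secret_values(source).items(),
                              key=lambda item: len(item[1]), reverse=True):
        text = text.replace(value, f"[REDACTED:{name}]")
    return text


def run_build(cmd, source=None, extra=()):
    """Run `cmd` with an allowlisted environment; return (returncode, redacted output).

    stdout and stderr are merged, as a CI log would see them, and redacted
    before being handed back for forwarding.
    """
    source = os.environ if source is None else source
    proc = subprocess.run(cmd, env=build_env(source, extra),
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return proc.returncode, redact(proc.stdout, source)


if __name__ == "__main__":
    # Allowlist alone: the leaky build never sees DB_PASSWORD or CI_JOB_TOKEN.
    rc, out = run_build(LEAKY_BUILD, SAMPLE_ENV)
    print("allowlist only:", rc, out.strip())
    # A build that genuinely needs the token still cannot leak its value.
    rc, out = run_build(LEAKY_BUILD, SAMPLE_ENV, extra=("CI_JOB_TOKEN",))
    print("token passed through, redacted:", rc, out.strip())
```

In a pipeline the wrapper sits between the job's environment and the build command, so the allowlist is the primary control and redaction only catches what had to be passed through. Redaction by value is a heuristic: it cannot catch a secret stored under a name the pattern does not match, which is another reason to keep the allowlist narrow.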