
Use uv audit for local deps-audit#34

Merged: tsvikas merged 2 commits into main from feat/uv-audit on May 15, 2026

Conversation

@tsvikas (Owner) commented May 15, 2026

Summary

  • Replace the pip-audit-via-uv run invocation in the deps-audit justfile recipe with uv audit --locked (faster, no extra install step).
  • Bump the minimum uv version to 0.10.12 — first release where uv audit exits non-zero on findings (PR Exit with nonzero on audit findings astral-sh/uv#18512) and appears in CLI help (PR Unhide uv audit astral-sh/uv#18540). Earlier versions can't reliably fail the recipe on vulnerabilities.
  • Updates pyproject.toml, the template's pyproject.toml.jinja, the CI matrix in uv-tests.yml, and the README.

Note: uv audit is still a preview feature and emits an experimental warning. Pass --preview-features audit to silence it if desired.

Test plan

  • uv-tests CI matrix passes on both 0.10.12 and latest.
  • Generated project runs just deps-audit cleanly.

🤖 Generated with Claude Code

tsvikas and others added 2 commits May 15, 2026 15:16
`uv audit` first ships usefully in 0.10.12: PR #18512 made it exit
non-zero on findings, and PR #18540 unhid it from CLI help. Earlier
versions can't fail the `deps-audit` recipe on vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've found 1 issue, and left some high level feedback:

  • The new deps-audit recipe drops the --all-extras/--all-groups behavior that pip-audit had; if you want to keep parity with the previous audit scope, consider adding equivalent uv audit options once they are available or documenting the narrower coverage explicitly in the recipe comment.
  • Because uv audit is still a preview feature and will emit warnings by default, consider adding --preview-features audit directly in the deps-audit recipe so users get a clean output without having to discover and pass this flag themselves.
## Individual Comments

### Comment 1
<location path="project_name/justfile.jinja" line_range="49" />
<code_context>
-    pip-audit \
-    --skip-editable
-  uv run --exact true
+  uv audit --locked


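Review bot: the replacement line `+  uv audit --locked` changes what is audited, from the synced environment that `pip-audit --skip-editable` inspected (with editable installs excluded) to the lockfile, and the PR description itself notes the command still emits an experimental warning; suggest `uv audit --locked --preview-features audit` so `just deps-audit` output is clean, plus a one-line recipe comment stating that the audit now covers `uv.lock` and requires it to exist, which also answers the no-lockfile concern raised in the issue below.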
</code_context>
<issue_to_address>
**issue:** Consider behavior when no lockfile is present for `uv audit --locked`.

`uv audit --locked` will fail if no lockfile exists, whereas `pip-audit` worked directly against the environment. If this is meant to run before a lock is created (or in repos that deliberately avoid locks), consider either (a) guarding and skipping/falling back when no lockfile is present, or (b) explicitly requiring `uv lock` to be run before `deps-audit`.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
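
A defensive form of the recipe body that combines the version floor from the PR description (uv older than 0.10.12 exits 0 even when findings exist, so the audit would pass silently) with the lockfile guard Sourcery suggests. This is an added POSIX shell illustration, not the template's own justfile; the `uv --version` banner is passed in as a constructed argument so the guards can be exercised without uv installed.

```shell
#!/bin/sh
# Added illustration, not the template's justfile: guard `uv audit --locked`
# so the recipe fails only for findings, never passes silently on old uv,
# and never trips on a missing lockfile for a reason unrelated to findings.

MIN_UV="0.10.12"   # first release where `uv audit` exits non-zero on findings

# version_ge A B: exit 0 when dotted version A >= B, compared per component.
# Pre-release suffixes (0.10.12a1) are truncated to their leading digits.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# uv_version_from_banner "uv 0.10.12 (hash date)" -> "0.10.12"
uv_version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# deps_audit DIR UV_BANNER: check uv version and lockfile for the project in
# DIR, then run the audit. Returns 2 on too-old uv, 3 on missing uv.lock,
# otherwise the exit status of `uv audit` (non-zero on findings).
deps_audit() {
    dir="$1"; banner="$2"
    ver=$(uv_version_from_banner "$banner")
    if ! version_ge "$ver" "$MIN_UV"; then
        echo "deps-audit: uv $ver found, need >= $MIN_UV (older uv does not fail on findings)" >&2
        return 2
    fi
    if [ ! -f "$dir/uv.lock" ]; then
        echo "deps-audit: no uv.lock in $dir; run 'uv lock' first" >&2
        return 3
    fi
    # --locked audits the lockfile as-is; --preview-features audit silences
    # the experimental warning mentioned in the PR description.
    (cd "$dir" && uv audit --locked --preview-features audit)
}
```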


@tsvikas tsvikas merged commit b98621b into main May 15, 2026
5 checks passed
@tsvikas tsvikas deleted the feat/uv-audit branch May 15, 2026 14:12