uv Script Execution is Failing even without Sandbox

[anantshri]

Another thing to consider with uv we can run scripts via uv
https://docs.astral.sh/uv/guides/scripts/

currently with pmg sandbox disabled also i am getting errors

for example a script of mine fetches youtube videos

Video: https://www.youtube.com/watch?v=XXXXXX
  Error fetching transcript: HTTPSConnectionPool(host='www.youtube.com', port=443): Max retries exceeded with url: /watch?v=Gs685rQ3zNE (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1081)')))

removed id for privacy.

Unaliased uv and script works just fine.

current config in use below

transitive: true
transitive_depth: 5
include_dev_dependencies: false
paranoid: false
skip_event_logging: false
event_log_retention_days: 7
proxy_mode: true
trusted_packages:
  - purl: pkg:npm/@safedep/pmg
    reason: "PMG is a trusted package for PMG"
sandbox:
  enabled: false
  enforce_always: false
  policy_templates:
    npm-restrictive-override:
      path: ./profiles/npm-restrictive.yml
  policies:
    npm:
      enabled: true
      profile: npm-restrictive # Built-in profile, template name, or path to custom YAML
    pnpm:
      enabled: true
      profile: pnpm-restrictive
    npx:
      enabled: true
      profile: npx
    pnpx:
      enabled: true
      profile: npx
    yarn:
      enabled: true
      profile: npm-restrictive
    bun:
      enabled: true
      profile: npm-restrictive
    pip:
      enabled: true
      profile: pypi-restrictive
    pip3:
      enabled: true
      profile: pypi-restrictive
    poetry:
      enabled: true
      profile: pypi-restrictive
    uv:
      enabled: true
      profile: pypi-restrictive

[abhisek]

@Sahilb315 Looks like a bug in proxy handling.

We need to handle uv run the same way we handle pnpx, npx, npm exec etc. The sandbox should not be enforced (unless explicitly configured). Also since uv run .. is running arbitrary scripts, it can perform arbitrary network oeprations so PMG proxy should log them and pass through as unknown hosts.

@anantshri Are you using the latest version? In #110 we shipped the ability to proxy any host while logging unknown hosts.

[anantshri]

using

█▀█ █▀▄▀█ █▀▀   From SafeDep (github.com/safedep/pmg)
█▀▀ █░▀░█ █▄█   version: v0.4.1 commit: 607408

even in this version using uv run gives me same error.

  Error fetching transcript: HTTPSConnectionPool(host='www.youtube.com', port=443): Max retries exceeded with url: /watch?v=O6_pV8skhFQ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1081)')))

[abhisek]

Thanks.

Looks like uv need a separate env var or config so that it can use the PMG certificate for secure connection without compromising.

cc: @Sahilb315 Test this out please. Lets huddle if required.

[Sahilb315]

Testing

[abhisek]

@anantshri The issue fixed using #169

I have made a new release. Can you please test and confirm if the issue is resolved?

[abhisek]

@anantshri The issue fixed using #169

I have made a new release. Can you please test and confirm if the issue is resolved?