Dependency management¶
cuere's dependency policy — how dependencies are selected, obtained, pinned, and tracked. This is the policy backing OSPS-DO-06.01.
Philosophy: stdlib-first, minimal¶
cuere is standard-library-first. The renderers, terminal handling, and
wallet-URI helpers are pure stdlib. Third-party code is added only when it earns
its place, and anything that isn't needed for the core path is an optional
extra so a plain import cuere stays lightweight.
What cuere depends on¶
| Dependency | Why | How it ships |
|---|---|---|
| segno | The QR/Micro-QR encoder — the one piece cuere does not reimplement | Required runtime dependency |
| rich | The cuere.rich.QRCode renderable |
Optional; loaded on demand |
| typer | The cuere CLI |
Optional; loaded on demand |
| Pillow | PNG export (cuere[image]) |
Optional extra; imported lazily |
Development tooling (uv, meson-python, pytest, ruff, mypy/ty/basedpyright, zizmor, gitleaks, and the docs stack) is declared in the project's dev/extras groups, not in the runtime requirements.
Selecting a dependency¶
A new dependency must clear this bar before it is added:
- Necessity — it can't be reasonably covered by the standard library.
- License — compatible with cuere's CC0-1.0 dedication.
- Health — maintained, with a credible security-response track record.
- Footprint — a small, well-scoped transitive tree; prefer pure-Python.
- Placement — if it isn't needed on the core path, it goes in an extra.
Obtaining and pinning¶
- Dependencies are resolved and locked in
uv.lockfor reproducible installs (uv sync). Theuv-lockpre-commit hook keeps the lock in sync withpyproject.toml. - CI installs from the lockfile, so builds and audits run against the exact pinned set.
Tracking and auditing¶
| Tool | Role |
|---|---|
| OSV-Scanner | Scans the dependency set for known vulnerabilities in CI |
| pip-audit | Supply-chain audit (run by scripts/audit.py, locally and in CI) |
| dependency-review | Flags risky dependency changes on pull requests |
| dependabot | Opens automated update PRs, including security updates |
Updates flow in as dependabot PRs, which pass the full quality gate (tests, type checks, audits) before merge. Vulnerabilities found in a dependency are tracked to an upstream fix or a version pin; they are out of scope for cuere's own vulnerability reporting (report those upstream).