Accidentally Leaking Private Registries via UV

I was messing around with Cursor Background agents to see what the fuss was about and I managed to (nearly) leak some private registry credentials. In my work environment, we use a managed private Python package registry. This works similar to PyPI but we can also keep private packages. It allows use to have a read through cache to PyPI, while getting a degree of auditability and security in addition to having private packages.

As part of our dev setup, to ensure that we are always using this registry, we update our .pypirc or other equivalent configuration to make sure that any pip install or uv add will automatically fetch the appropriate endpoint. This also handles authentication, API keys etc. This is rather conventient and one of those things you setup once and forget even exists until there is a problem.

In my experiments with Cursor Background agents, I focused on a small open source project I was working on to keep a tight scope and minimize the security scope. One key thing for the agent setup is of course the environment. I leaned on uv to perform setup due to speed and consistency. This allowed me to have a pretty minimal installation by leveraging my UV lock file to repliace my local environment.

Sounds great. UV doing a good job as usual. That was until I tried to actually run the agent. I received an error that uv couldn't install my packages as it was getting an HTTP 404 from the endpoint. Pretty usual behavior for PyPI. Further digging revealed that the cause of the issue was my uv.lock file had been created using links to my private package registry, even though all packages being used were public. As the Background Agent container did not have any credentials to access this registry, it failed to install the packages.

The fix was rather simple, just update pyproject.toml to force UV to use PyPI by default for this project and regenerate the lock file:

[[tool.uv.index]]
name = "pyspark"
url = "https://pypi.org/simple"
default = true

Thankfully, no credentials were exposed, it would have just been paths to packages, though it seems like people ran into this issue with UV in the past. Thankfully Astral quickly fixed the issue to minimize the chance of leaking credentials.

A good reminder of how global dev environment setups can still be dangerous, though convenient.

Bonus: Cursor Backround agent docks are pretty lacking at the moment. Feel free to steal the linked env file above, or this Dockerfile to get started with installs for UV and system packages.

Published: