A CVSS 9.3 unauthenticated RCE in the Marimo Python notebook was exploited within hours of advisory disclosure. Meanwhile, Astral published its comprehensive supply chain security posture for uv and ruff, covering CI/CD pipeline hardening, Trusted Publishing, and Sigstore attestation.
