Uvicorn

registry: PyPI
package name: uvicorn
maintainer: Encode

Uvicorn is the de facto ASGI server for Python, used to run FastAPI and Starlette applications in production. It handles TLS termination, HTTP/2, and WebSocket connections. In most cloud deployments, Uvicorn is the process that directly receives incoming internet traffic.

api usage

Checking Uvicorn

uvicorn 0.30.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=uvicorn&version=0.30.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "uvicorn",
  "version": "0.30.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

ASGI servers receive raw HTTP connections before any framework middleware runs. A backdoored server can inspect request headers, hijack TLS sessions, or log request bodies from every connection before the FastAPI or Starlette application processes them.

Attestd monitors uvicorn using the following detection sources:

registry: Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv: OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank: Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
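
As an added example (not Attestd's or Uvicorn's own code), the Python gate below wraps the documented check for use in a deployment pipeline: it builds the request shown under "Checking Uvicorn" and turns the response, together with the detection-source confidences listed above, into a block/warn/ok/unknown decision. It assumes that the entries of `supply_chain.sources` are the source names from that list (registry, osv, pypi_yank) and that the only `risk_state` value to rely on is "none"; the `ATTESTD_API_KEY` environment variable and the `min_confidence` threshold are the example's own conventions, not part of the Attestd API.

```python
"""CI gate around the Attestd /v1/check response (added example; not Attestd's client).

Assumptions beyond the page: entries of `supply_chain.sources` are the source
names listed on the page ("registry", "osv", "pypi_yank"), and the only
`risk_state` value relied on is "none". Field names are taken from the
documented response. The HTTP call lives in `fetch_check` so the verdict logic
can be exercised offline on the documented payload.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

ATTESTD_CHECK_URL = "https://api.attestd.io/v1/check"

# Confidence per detection source, as stated on the page.
SOURCE_CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}

# The documented clean response for uvicorn 0.30.0, embedded so the gate runs offline.
CLEAN_RESPONSE = {
    "product": "uvicorn", "version": "0.30.0", "supported": True, "risk_state": "none",
    "supply_chain": {"compromised": False, "sources": [], "malware_type": None,
                     "description": None, "advisory_url": None,
                     "compromised_at": None, "removed_at": None},
    "last_updated": "2026-05-01T00:00:00Z",
}


def build_request(product, version, api_key):
    """GET /v1/check?product=..&version=.. with the Bearer token, as in the curl call."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    return urllib.request.Request(f"{ATTESTD_CHECK_URL}?{query}",
                                  headers={"Authorization": f"Bearer {api_key}"})


def fetch_check(product, version, api_key, timeout=10.0):
    """Live lookup (network); the verdict logic below never depends on it."""
    with urllib.request.urlopen(build_request(product, version, api_key), timeout=timeout) as resp:
        return json.load(resp)


def max_source_confidence(sources):
    """Highest confidence among the reporting sources; None if any source name is
    unknown, so a schema change upstream cannot quietly lower the score."""
    scores = []
    for name in sources:
        if name not in SOURCE_CONFIDENCE:
            return None
        scores.append(SOURCE_CONFIDENCE[name])
    return max(scores, default=0.0)


def verdict(response, product, version, min_confidence=0.80):
    """Return (decision, reason); decision is "ok", "warn", "block" or "unknown".

    - echo mismatch or supported=false -> "unknown": no coverage is not evidence of safety
    - compromised with a source at/above min_confidence (or an unknown source) -> "block"
    - compromised only by lower-confidence sources -> "warn" for human review
    - any risk_state other than "none" while not compromised -> "warn"
    """
    if response.get("product") != product or response.get("version") != version:
        return "unknown", "response does not echo the requested product/version"
    if not response.get("supported", False):
        return "unknown", f"{product} {version} is not covered by Attestd"
    sc = response.get("supply_chain") or {}
    if sc.get("compromised"):
        conf = max_source_confidence(sc.get("sources") or [])
        detail = f"malware_type={sc.get('malware_type')} advisory={sc.get('advisory_url')}"
        if conf is None or conf >= min_confidence:
            return "block", f"supply chain compromise reported ({detail})"
        return "warn", f"compromise reported below confidence {min_confidence} ({detail})"
    if response.get("risk_state", "none") != "none":
        return "warn", f"risk_state={response['risk_state']} needs review"
    return "ok", "no known supply chain compromise"


def main():
    key = os.environ.get("ATTESTD_API_KEY")  # hypothetical variable name for this example
    resp = fetch_check("uvicorn", "0.30.0", key) if key else CLEAN_RESPONSE
    decision, reason = verdict(resp, "uvicorn", "0.30.0")
    print(f"uvicorn 0.30.0: {decision} ({reason})")
    sys.exit(1 if decision == "block" else 0)


if __name__ == "__main__":
    main()
```

Two choices worth noting: `supported: false` is reported as absence of coverage rather than as a clean result, and an unrecognised source name fails closed, so a source added upstream that is not yet in the confidence table cannot weaken the gate.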