Quantinuum · qartik · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -23,6 +23,9 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           enable-cache: true
+      - name: Dependency vulnerability audit
+        run: |
+          make audit
       - name: Install dependencies
         run: |
           uv sync --all-extras --dev

diff --git a/AGENTS.md b/AGENTS.md
@@ -8,7 +8,7 @@ This repository is a modern Python template. When making changes, prefer the rep
 - Use `ruff` for linting and formatting.
 - Use `ty` for type checking.
 - Use `pytest` for testing.
-- Use `pip-audit` for dependency vulnerability checks.
+- Use `uv audit` for dependency vulnerability checks.
 - Use `prek` for repository hooks and pre-commit-style checks.
 
 ## Dependency Management Rules
@@ -32,7 +32,7 @@ This repository is a modern Python template. When making changes, prefer the rep
 - Lint code: `uv run ruff check .`
 - Type check: `uv run ty check src tests`
 - Test: `uv run pytest`
-- Audit dependencies: `uv run pip-audit`
+- Audit dependencies: `uv audit --locked`
 
 ## Editing Guidance
 

diff --git a/Makefile b/Makefile
@@ -16,7 +16,7 @@ test:
 	uv run pytest
 
 audit:
-	uv run pip-audit
+	uv audit --locked
 
 docs:
 	uv run sphinx-apidoc -f -o docs/source/ src/pytemplate

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # pytemplate
 
-This is a Python 3.14 package template called `pytemplate`. The project uses `uv` for dependency management, `ruff` for linting and formatting, `ty` for type checking, `pytest` with coverage for tests, `prek` for repository checks, and Sphinx for docs.
+This is a Python 3.14 package template called `pytemplate`. The project uses `uv` for dependency management, `ruff` for linting and formatting, `ty` for type checking, `pytest` with coverage for tests, `prek` for repository checks, `uv audit` for dependency vulnerability scanning, and Sphinx for docs.
 
 The extremely fast Python package and project manager, [uv](https://docs.astral.sh/uv/#getting-started), is required.
 
@@ -61,4 +61,4 @@ Use `make lint` to run `ruff`, `ty`, and `prek`.
 
 ## Dependency Audit
 
-Use `make audit` or `uv run pip-audit` to scan the environment for known vulnerable packages.
+Use `make audit` or `uv audit --locked` to scan locked dependencies for known vulnerabilities. The template also configures uv with a 7-day dependency cooldown so routine dependency resolution avoids newly uploaded packages while the package ecosystem has time to discover and report supply-chain compromises.
diff --git a/pyproject.toml b/pyproject.toml
@@ -15,11 +15,7 @@ authors = [{ name = "Author", email = "author@email.com" }]
 pytemplate = "pytemplate.main:main"
 
 [dependency-groups]
-audit = [
-    "pip-audit>=2.10.0",
-]
 dev = [
-  { include-group = "audit" },
   { include-group = "docs" },
   { include-group = "lint" },
   { include-group = "test" },
@@ -30,6 +26,7 @@ test = ["pytest~=9.0.3", "pytest-cov~=7.1.0"]
 
 [tool.uv]
 default-groups = ["dev"]
+exclude-newer = "7 days"
 
 [project.urls]
 Repository = "https://github.com/CQCL/pytemplate.git"