Configures Python projects with modern tooling (uv, ruff, ty). Use when creating projects, writing standalone scripts, or migrating from pip/Poetry/mypy/black.
Guide for modern Python tooling and best practices, based on trailofbits/cookiecutter-python.
pyproject.toml configuration| Avoid | Use Instead |
|---|---|
[tool.ty] python-version | [tool.ty.environment] python-version |
uv pip install | uv add and uv sync |
| Editing pyproject.toml manually to add deps | uv add <pkg> / uv remove <pkg> |
hatchling build backend | uv_build (simpler, sufficient for most cases) |
| Poetry | uv (faster, simpler, better ecosystem integration) |
| requirements.txt | PEP 723 for scripts, pyproject.toml for projects |
| mypy / pyright | ty (faster, from Astral team) |
[project.optional-dependencies] for dev tools | [dependency-groups] (PEP 735) |
Manual virtualenv activation (source .venv/bin/activate) | uv run <cmd> |
| pre-commit | prek (faster, no Python runtime needed) |
Key principles:
uv add and uv remove to manage dependenciesuv run for all commands[dependency-groups] for dev/test/docs dependencies, not [project.optional-dependencies]What are you doing?
│
├─ Single-file script with dependencies?
│ └─ Use PEP 723 inline metadata (./references/pep723-scripts.md)
│
├─ New multi-file project (not distributed)?
│ └─ Minimal uv setup (see Quick Start below)
│
├─ New reusable package/library?
│ └─ Full project setup (see Full Setup below)
│
└─ Migrating existing project?
└─ See Migration Guide below
| Tool | Purpose | Replaces |
|---|---|---|
| uv | Package/dependency management | pip, virtualenv, pip-tools, pipx, pyenv |
| ruff | Linting AND formatting | flake8, black, isort, pyupgrade, pydocstyle |
| ty | Type checking | mypy, pyright (faster alternative) |
| pytest | Testing | unittest |
| prek | Pre-commit hooks (setup) | pre-commit (faster, Rust-native) |
| Tool | Purpose | When It Runs |
|---|---|---|
| shellcheck | Shell script linting | pre-commit |
| detect-secrets | Secret detection | pre-commit |
| actionlint | Workflow syntax validation | pre-commit, CI |
| zizmor | Workflow security audit | pre-commit, CI |
| pip-audit | Dependency vulnerability scanning | CI, manual |
| Dependabot | Automated dependency updates | scheduled |
See security-setup.md for configuration and usage.
For simple multi-file projects not intended for distribution:
# Create project with uv
uv init myproject
cd myproject
# Add dependencies
uv add requests rich
# Add dev dependencies
uv add --group dev pytest ruff ty
# Run code
uv run python src/myproject/main.py
# Run tools
uv run pytest
uv run ruff check .
If starting from scratch, ask the user if they prefer to use the Trail of Bits cookiecutter template to bootstrap a complete project with already preconfigured tooling.
uvx cookiecutter gh:trailofbits/cookiecutter-python
uv init --package myproject
cd myproject
This creates:
myproject/
├── pyproject.toml
├── README.md
├── src/
│ └── myproject/
│ └── __init__.py
└── .python-version
See pyproject.md for complete configuration reference.
Key sections:
[project]
name = "myproject"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = []
[dependency-groups]
dev = ["ruff", "ty", "pytest"]
[tool.ruff]
line-length = 100
src = ["src", "tests"]
[tool.ruff.lint]
select = ["E", "F", "W", "I", "UP", "B", "SIM", "RUF", "C4", "PT"]
[tool.pytest.ini_options]
testpaths = ["tests"]
addopts = ["-q", "--strict-markers", "--strict-config"]
[tool.ty.terminal]
error-on-warning = true
[tool.ty.environment]
python-version = "3.11"
[tool.ty.rules]
# Strict from day 1 for new projects
possibly-unresolved-reference = "error"
unused-ignore-comment = "warn"
# Install all dependency groups
uv sync --all-groups
# Or install specific groups
uv sync --group dev
Use the canonical template in makefile.md. It includes shell safety defaults, a help target powered by ## docs, and standard Python project targets.
When a user requests migration from legacy tooling:
First, determine the nature of the code:
For standalone scripts: Convert to PEP 723 inline metadata (see pep723-scripts.md)
For projects:
# Initialize uv in existing project
uv init --bare
# Add dependencies using uv (not by editing pyproject.toml)
uv add requests rich # add each package
# Or import from requirements.txt (review each package before adding)
grep -v '^#' requirements.txt | grep -v '^-' | grep -v '^\s*$' | while read -r pkg; do
uv add "$pkg" || echo "Failed to add: $pkg"
done
uv sync
Then:
requirements.txt, requirements-dev.txtvenv/, .venv/)uv.lock to version controluv init --bare to create pyproject.tomluv add to add each dependency from install_requiresuv add --group dev for dev dependencies[project]setup.py, setup.cfg, MANIFEST.inuv remove.flake8, pyproject.toml [tool.black], [tool.isort] configsuv add --group dev ruffuv run ruff check --fix . to apply fixesuv run ruff format . to formatuv removemypy.ini, pyrightconfig.json, or [tool.mypy]/[tool.pyright] sectionsuv add --group dev tyuv run ty check src/| Command | Description |
|---|---|
uv init | Create new project |
uv init --package | Create distributable package |
uv add <pkg> | Add dependency |
uv add --group dev <pkg> | Add to dependency group |
uv remove <pkg> | Remove dependency |
uv sync | Install dependencies |
uv sync --all-groups | Install all dependency groups |
uv run <cmd> | Run command in venv |
uv run --with <pkg> <cmd> | Run with temporary dependency |
uv build | Build package |
uv publish | Publish to PyPI |
--withUse uv run --with for one-off commands that need packages not in your project:
# Run Python with a temporary package
uv run --with requests python -c "import requests; print(requests.get('https://httpbin.org/ip').json())"
# Multiple packages
uv run --with requests --with rich python script.py
# Combine with project deps (adds to existing venv)
uv run --with httpx pytest # project deps + httpx
When to use --with vs uv add:
uv add: Package is a project dependency (goes in pyproject.toml/uv.lock)--with: One-off usage, testing, or scripts outside a project contextSee uv-commands.md for complete reference.
src/ layout for packagesrequires-python = ">=3.11"["E", "F", "W", "I", "UP", "B", "SIM", "RUF", "C4", "PT"])uv.lock to version control