feat: add uv monitor support for workspace projects #6634

Merged
snyk-tim merged 1 commit into main from feat/uv-workspace-projects
Mar 17, 2026

@snyk-tim snyk-tim commented Mar 11, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Adds support for monitoring all projects in a uv workspace.

When a uv workspace is monitored with --all-packages, each project will be correctly named with the project name and the relative path of its corresponding pyproject.toml file.

For example, for the subproject foo, the name of the project in Registry would be foo:foo/pyproject.toml.

Where should the reviewer start?

The main change is when --all-projects is used, it will now pass the flag --internal-uv-workspace-packages to the depgraph command. The depgraph command will return a JSONL stream of JSON objects with the fields depGraph and targetFile allowing them to be populated for each project.

How should this be manually tested?

In a uv workspace project folder, which can be created with the following:

uv init uv-test-project-workspace
cd uv-test-project-workspace
uv init project-a
uv init project-b
uv init project-c
uv add --project project-a 'requests==2.28.0'
uv add --project project-b 'urllib3==1.26.15'
uv add --project project-c 'cryptography==40.0.0'
uv add project-a --editable
uv add project-b --editable
uv add project-c --editable
uv sync

Run snyk monitor --all-projects and it will create 4 projects, one for the main project uv-test-project-workspace, then one each for the subprojects project-a, project-b, project-c.

What's the product update that needs to be communicated to CLI users?
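Added example, not part of the PR and not Snyk's code: a consumer for the JSONL stream described under "Where should the reviewer start?", building names in the `foo:foo/pyproject.toml` form and rejecting a `targetFile` that points outside the workspace. Only the field names `depGraph` and `targetFile` come from the description; the function names, the sample records, reading the project name from `depGraph.pkgs[0].info.name`, and applying the same name format to the root project are assumptions.

```typescript
// Added example (not Snyk's code). One JSON object per line, carrying the
// `depGraph` and `targetFile` fields named in the PR description.
interface WorkspaceRecord {
  depGraph: { pkgs: { info: { name: string } }[] }; // assumed minimal shape
  targetFile: string;
}

// Reject absolute paths and any `..` segment so a record cannot name a
// manifest outside the workspace root.
function isSafeRelativePath(p: string): boolean {
  if (p === '' || p.startsWith('/') || p.startsWith('\\') || /^[A-Za-z]:/.test(p)) {
    return false;
  }
  return !p.split(/[\\/]/).some((segment) => segment === '..');
}

function parseWorkspaceStream(jsonl: string): { name: string; targetFile: string }[] {
  const projects: { name: string; targetFile: string }[] = [];
  const lines = jsonl.split('\n');
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].trim() === '') continue; // tolerate blank and trailing lines
    let parsed: unknown;
    try {
      parsed = JSON.parse(lines[i]);
    } catch {
      throw new Error(`line ${i + 1}: not valid JSON`);
    }
    const rec = parsed as Partial<WorkspaceRecord> | null;
    const targetFile = rec?.targetFile;
    const projectName = rec?.depGraph?.pkgs?.[0]?.info?.name;
    if (typeof targetFile !== 'string' || typeof projectName !== 'string') {
      throw new Error(`line ${i + 1}: missing depGraph or targetFile`);
    }
    if (!isSafeRelativePath(targetFile)) {
      throw new Error(`line ${i + 1}: targetFile escapes the workspace`);
    }
    projects.push({ name: `${projectName}:${targetFile}`, targetFile });
  }
  return projects;
}

// Constructed sample stream: the workspace root plus one member project.
const SAMPLE_STREAM =
  [
    { depGraph: { pkgs: [{ info: { name: 'uv-test-project-workspace' } }] }, targetFile: 'pyproject.toml' },
    { depGraph: { pkgs: [{ info: { name: 'project-a' } }] }, targetFile: 'project-a/pyproject.toml' },
  ].map((r) => JSON.stringify(r)).join('\n') + '\n';
```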

snyk-io bot commented Mar 11, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

github-actions bot commented Mar 11, 2026

Warnings
⚠️

You've modified files in src/ directory, but haven't updated anything in test folder. Is there something that could be tested?

Generated by 🚫 dangerJS against 32365ad

@snyk-tim snyk-tim force-pushed the feat/uv-workspace-projects branch 4 times, most recently from 85a7c83 to 5cf4566 Compare March 13, 2026 17:30
@snyk-tim snyk-tim marked this pull request as ready for review March 13, 2026 17:54
@snyk-tim snyk-tim requested review from a team as code owners March 13, 2026 17:54
@snyk-tim snyk-tim force-pushed the feat/uv-workspace-projects branch from 5cf4566 to 2458615 Compare March 16, 2026 09:26
@snyk-tim snyk-tim force-pushed the feat/uv-workspace-projects branch from 2458615 to 8ab4bf6 Compare March 16, 2026 12:19
@snyk-tim snyk-tim force-pushed the feat/uv-workspace-projects branch from 8ab4bf6 to 486f5b9 Compare March 16, 2026 12:48
@snyk-tim snyk-tim force-pushed the feat/uv-workspace-projects branch from 486f5b9 to 32365ad Compare March 16, 2026 19:30
@snyk-tim snyk-tim enabled auto-merge March 16, 2026 19:30
@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Missing property 🟠 [major]

The inspect function returns a MultiProjectResult object where the top-level plugin object (lines 109-112) is missing the packageManager property. While this property is correctly included in the plugin objects within each item of scannedProjects (lines 76 and 89), its absence at the top level causes a regression compared to previous behavior and will lead to test failures, specifically in src/lib/plugins/uv/uv.spec.ts at line 87 where it is explicitly expected.

return {
  plugin: {
    name: 'snyk-uv-plugin',
    targetFile: resolvedTargetFile,
    packageManager: 'uv',

📚 Repository Context Analyzed

This review considered 11 relevant code sections from 6 files (average relevance: 1.02)

@snyk-tim snyk-tim merged commit cc67fa0 into main Mar 17, 2026
9 checks passed
@snyk-tim snyk-tim deleted the feat/uv-workspace-projects branch March 17, 2026 10:17