uv, the Rust-based Python package and environment manager from Astral, launched in February 2024. Developers admire it—74.2% in Stack Overflow’s 2025 survey, the highest-rated tool. Yet actual use lags. In the top 100,000 GitHub repos by stars with Python tooling, only 10% (18,373 repos total) show uv.lock files, a clear adoption signal. requirements.txt, a proxy for pip, dominates the rest.
New repos tell a sharper story. Among Python projects created in 2025, uv appears in 32%, hitting 43% of requirements.txt’s penetration. Early 2026 data (245 repos) holds steady at 30% uv usage, 44% relative to pip’s staple. The year’s top Python repo so far, karpathy/autoresearch with over 10,000 stars, runs uv. Developer overlap likely boosts true install base beyond 30%—one uv user often seeds multiple repos.
Adoption Barriers
Legacy bias skews older repos toward pip. But even fresh ones show hesitation. Skeptics blame uv’s VC funding or OpenAI’s 2025 acquisition. Data disputes this: uv overtook Poetry in admiration and new-repo share despite backing from a16z and Sequoia. No post-acquisition dip appears in 2026 numbers.
Dig into 2026 holdouts using requirements.txt. Patterns emerge: zero deps (pointless), agent “skills” installs, test-only usage alongside uv elsewhere, benchmarks, AI-generated code, or plain deps. Most scream automation, not intent. Test it: prompt ChatGPT, Gemini, or Claude for package installs. All default to pip install -r requirements.txt or pip install package. A decade of training data cements this reflex.
AI coding agents amplify the issue. Tools like Cursor, GitHub Copilot, and Devin churn out boilerplate. They favor pip because it’s ubiquitous in corpora up to 2023-2024. uv’s youth means sparse examples. Result: new repos inherit pip habits, slowing ecosystem shift.
Why This Matters
uv isn’t hype—it’s 10-100x faster than pip for installs, per benchmarks. It unifies pip, pip-tools, venv, and Poetry workflows into one binary. Define Python versions in pyproject.toml; uv handles shims, locks, and syncs. No more README venv dances or version mismatches.
Security implications cut deeper. requirements.txt lists loose ranges (e.g., requests>=2.25), so each install resolves to whatever matching release PyPI serves at that moment, inviting supply-chain attacks via yanked PyPI versions. uv.lock pins exact versions and hashes, like Cargo or npm’s package-lock.json. Reproducible builds reduce “works on my machine” risks and shrink the audit surface. In a post-Log4j, SolarWinds world, this matters for production Python—data pipelines, ML models, automation scripts.
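An added example, not from the original article or the uv project: a small Python audit that flags requirements.txt entries that are not pinned to one exact version or that carry no sha256 hash, which is the gap a lockfile closes. The sample file, its placeholder digest, and the function names are constructed for illustration.

```python
import re

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
EXACT = re.compile(r"===?\s*[^\s,*]+")        # one == or === clause, no wildcard
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line

def audit(text):
    """Return (entry, finding) pairs for requirements that are not fully pinned."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):               # -r, -c, --index-url, ... are options
            if line.startswith(("-e ", "--editable")):
                findings.append((line, "editable install, not hash-checkable"))
            continue
        # Keep only the requirement: cut per-line options and environment markers.
        req = re.split(r"\s--", line, maxsplit=1)[0].split(";", 1)[0].strip()
        m = REQ.match(req)
        if "://" in req or m is None:
            findings.append((req, "direct URL or unparsed entry"))
            continue
        name, spec = m.group(1), m.group(2).strip()
        if not EXACT.fullmatch(spec):
            findings.append((name, "not pinned to one exact version"))
        elif not HASH.search(line):
            findings.append((name, "pinned version but no sha256 hash"))
    return findings

# Constructed sample; the digest is a placeholder, not a real package hash.
FAKE = "0" * 64
SAMPLE = f"""\
# constructed requirements.txt
requests>=2.25
urllib3==2.2.1          # pinned, no hash
idna==3.7 \\
    --hash=sha256:{FAKE}
certifi
numpy==1.* ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE):
        print(f"{entry}: {finding}")
```

pip applies the same rule at install time when run with --require-hashes.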
Economics too: pip’s slowness compounds in CI/CD. Teams waste hours on installs; uv slashes that. For finance/crypto quants, where Python rules backtests and trading bots, seconds per dependency scale to dollars. OpenAI ownership raises eyebrows—will telemetry creep in? So far, uv remains open-source (MIT license), signs its release binaries, and audits clean. Monitor it.
Poetry’s decline underscores momentum. Once the lockfile king, it peaked at 20-25% new-repo share pre-uv. uv’s speed and simplicity won. Pip endures as stdlib, but tools evolve—pipx, ruff, now uv signal Python maturing beyond 1990s scripting.
Action Steps
Switch now. For new projects: uv init, add deps with uv add package. It generates uv.lock and pyproject.toml. Existing? uv sync migrates.
Library authors: document uv add yourlib in READMEs. Override AI defaults—agents scan docs first. Teams: enforce uv in CI via .github/workflows: run uv sync --frozen for locked installs.
Push AI tools forward. Fine-tune agents with uv-heavy datasets, or use prefixes like “using uv:”. Early adopters like karpathy set examples; follow. At 30-40% and climbing, uv hits critical mass soon. Pip won’t die—it’s core—but uv handles 90% of daily work better.
Bottom line: uv adoption gaps stem from AI inertia, not tech flaws. It delivers the speed, security, and reproducibility Python needs. Ignore the lag; use it. Your pipelines, deploys, and audits improve immediately.