Update charmcraft.yaml build tools (16/edge)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Update
pip (changelog)	25.1.1 -> 25.2			minor
poetry (changelog)	2.1.3 -> 2.1.4			patch
rust-lang/rust	1.88.0 -> 1.89.0			minor
uv (source, changelog)	0.8.3 -> 0.8.8			patch

---

Release Notes

pypa/pip (pip)

v25.2

Compare Source

python-poetry/poetry (poetry)

v2.1.4

Compare Source

Changed

• Require virtualenv<20.33 to work around an issue where Poetry uses the wrong Python version (#​10491).
• Improve the error messages for the validation of the pyproject.toml file (#​10471).

Fixed

• Fix an issue where project plugins were installed even though poetry install was called with --no-plugins (#​10405).
• Fix an issue where dependency resolution failed for self-referential extras with duplicate dependencies (#​10488).

Docs

• Clarify how to include files that were automatically excluded via VCS ignore settings (#​10442).
• Clarify the behavior of poetry add if no version constraint is explicitly specified (#​10445).

rust-lang/rust (rust-lang/rust)

v1.89.0

Compare Source

==========================

Language

• Stabilize explicitly inferred const arguments (feature(generic_arg_infer))
• Add a warn-by-default mismatched_lifetime_syntaxes lint.
  This lint detects when the same lifetime is referred to by different syntax categories between function arguments and return values, which can be confusing to read, especially in unsafe code.
  This lint supersedes the warn-by-default elided_named_lifetimes lint.
• Expand unpredictable_function_pointer_comparisons to also lint on function pointer comparisons in external macros
• Make the dangerous_implicit_autorefs lint deny-by-default
• Stabilize the avx512 target features
• Stabilize kl and widekl target features for x86
• Stabilize sha512, sm3 and sm4 target features for x86
• Stabilize LoongArch target features f, d, frecipe, lasx, lbt, lsx, and lvz
• Remove i128 and u128 from improper_ctypes_definitions
• Stabilize repr128 (#[repr(u128)], #[repr(i128)])
• Allow #![doc(test(attr(..)))] everywhere
• Extend temporary lifetime extension to also go through tuple struct and tuple variant constructors
• extern "C" functions on the wasm32-unknown-unknown target now have a standards compliant ABI

Compiler

• Default to non-leaf frame pointers on aarch64-linux
• Enable non-leaf frame pointers for Arm64EC Windows
• Set Apple frame pointers by architecture

Platform Support

• Add new Tier-3 targets loongarch32-unknown-none and loongarch32-unknown-none-softfloat
• x86_64-apple-darwin is in the process of being demoted to Tier 2 with host tools

Refer to Rust's platform support page
for more information on Rust's tiered platform support.

Libraries

• Specify the base path for file!
• Allow storing format_args!() in a variable
• Add #[must_use] to [T; N]::map
• Implement DerefMut for Lazy{Cell,Lock}
• Implement Default for array::IntoIter
• Implement Clone for slice::ChunkBy
• Implement io::Seek for io::Take

Stabilized APIs

• NonZero<char>
• Many intrinsics for x86, not enumerated here
  • AVX512 intrinsics
  • SHA512, SM3 and SM4 intrinsics
• File::lock
• File::lock_shared
• File::try_lock
• File::try_lock_shared
• File::unlock
• NonNull::from_ref
• NonNull::from_mut
• NonNull::without_provenance
• NonNull::with_exposed_provenance
• NonNull::expose_provenance
• OsString::leak
• PathBuf::leak
• Result::flatten
• std::os::linux::net::TcpStreamExt::quickack
• std::os::linux::net::TcpStreamExt::set_quickack

These previously stable APIs are now stable in const contexts:

• <[T; N]>::as_mut_slice
• <[u8]>::eq_ignore_ascii_case
• str::eq_ignore_ascii_case

Cargo

• cargo fix and cargo clippy --fix now default to the same Cargo target selection as other build commands. Previously it would apply to all targets (like binaries, examples, tests, etc.). The --edition flag still applies to all targets.
• Stabilize doctest-xcompile. Doctests are now tested when cross-compiling. Just like other tests, it will use the runner setting to run the tests. If you need to disable tests for a target, you can use the ignore doctest attribute to specify the targets to ignore.

Rustdoc

• On mobile, make the sidebar full width and linewrap. This makes long section and item names much easier to deal with on mobile.

Compatibility Notes

• Make missing_fragment_specifier an unconditional error
• Enabling the neon target feature on aarch64-unknown-none-softfloat causes a warning because mixing code with and without that target feature is not properly supported by LLVM
• Sized Hierarchy: Part I
  • Introduces a small breaking change affecting ?Sized bounds on impls on recursive types which contain associated type projections. It is not expected to affect any existing published crates. Can be fixed by refactoring the involved types or opting into the sized_hierarchy unstable feature. See the FCP report for a code example.
• The warn-by-default elided_named_lifetimes lint is superseded by the warn-by-default mismatched_lifetime_syntaxes lint.
• Error on recursive opaque types earlier in the type checker
• Type inference side effects from requiring element types of array repeat expressions are Copy are now only available at the end of type checking
• The deprecated accidentally-stable std::intrinsics::{copy,copy_nonoverlapping,write_bytes} are now proper intrinsics. There are no debug assertions guarding against UB, and they cannot be coerced to function pointers.
• Remove long-deprecated std::intrinsics::drop_in_place
• Make well-formedness predicates no longer coinductive
• Remove hack when checking impl method compatibility
• Remove unnecessary type inference due to built-in trait object impls
• Lint against "stdcall", "fastcall", and "cdecl" on non-x86-32 targets
• Future incompatibility warnings relating to the never type (!) are now reported in dependencies
• Ensure std::ptr::copy_* intrinsics also perform the static self-init checks
• extern "C" functions on the wasm32-unknown-unknown target now have a standards compliant ABI

Internal Changes

These changes do not affect any public interfaces of Rust, but they represent
significant improvements to the performance or internals of rustc and related
tools.

• Correctly un-remap compiler sources paths with the rustc-dev component

astral-sh/uv (uv)

v0.8.8

Compare Source

Bug fixes

• Fix find_uv_bin compatibility with Python <3.10 (#​15177)

v0.8.7

Compare Source

Python

• On Mac/Linux, libtcl, libtk, and _tkinter are built as separate shared objects, which fixes matplotlib's tkagg backend (the default on Linux), Pillow's PIL.ImageTk library, and other extension modules that need to use libtcl/libtk directly.
• Tix is no longer provided on Linux. This is a deprecated Tk extension that appears to have been previously broken.

See the python-build-standalone release notes for details.

Enhancements

• Do not update uv.lock when using --isolated (#​15154)
• Add support for --prefix and --with installations in find_uv_bin (#​14184)
• Add support for discovering base prefix installations in find_uv_bin (#​14181)
• Improve error messages in find_uv_bin (#​14182)
• Warn when two packages write to the same module (#​13437)

Preview features

• Add support for package-level conflicts in workspaces (#​14906)

Configuration

• Add UV_DEV and UV_NO_DEV environment variables (for --dev and --no-dev) (#​15010)

Bug fixes

• Fix regression where --require-hashes applied to build dependencies in uv pip install (#​15153)
• Ignore GraalPy devtags (#​15013)
• Include all site packages directories in ephemeral environment overlays (#​15121)
• Search in the user scheme scripts directory last in find_uv_bin (#​14191)

Documentation

• Add missing periods (.) to list elements in Features docs page (#​15138)

v0.8.6

Compare Source

This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser (CVE-2025-54368).

Prior to this release, attackers could construct ZIP files that would be extracted differently by pip, uv, and other tools. As a result, ZIPs could be constructed that would be considered harmless by (e.g.) scanners, but contain a malicious payload when extracted by uv. As of v0.8.6, uv now applies additional checks to reject such ZIPs.

Thanks to a triage effort with the Python Security Response Team and PyPI maintainers, we were able to determine that these differentials were not exploited via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload.

Although the practical risk of exploitation is low, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion.

These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable UV_INSECURE_NO_ZIP_VALIDATION to restore the previous behavior. If you encounter such a rejection, please file an issue in uv and to the upstream package.

For additional information, please refer to the following blog posts:

• Astral: uv security advisory: ZIP payload obfuscation
• PyPI: Preventing ZIP parser confusion attacks on Python package installers

Security

• Harden ZIP streaming to reject repeated entries and other malformed ZIP files (#​15136)

Python

• Add CPython 3.13.6

Configuration

• Add support for per-project build-time environment variables (#​15095)

Bug fixes

• Avoid invalid simplification with conflict markers (#​15041)
• Respect UV_HTTP_RETRIES in uv publish (#​15106)
• Support UV_NO_EDITABLE where --no-editable is supported (#​15107)
• Upgrade cargo-dist to add UV_INSTALLER_URL to PowerShell installer (#​15114)
• Upgrade h2 again to avoid too_many_internal_resets errors (#​15111)
• Consider pythonw when copying entry points in uv run (#​15134)

Documentation

• Ensure symlink warning is shown (#​15126)

v0.8.5

Compare Source

Enhancements

• Enable uv run with a GitHub Gist (#​15058)
• Improve HTTP response caching log messages (#​15067)
• Show wheel tag hints in install plan (#​15066)
• Support installing additional executables in uv tool install (#​14014)

Preview features

• Enable extra build dependencies to 'match runtime' versions (#​15036)
• Remove duplicate extra-build-dependencies warnings for uv pip (#​15088)
• Use "option" instead of "setting" in pylock warning (#​15089)
• Respect extra build requires when reading from wheel cache (#​15030)
• Preserve lowered extra build dependencies (#​15038)

Bug fixes

• Add Python versions to markers implied from wheels (#​14913)
• Ensure consistent indentation when adding dependencies (#​14991)
• Fix handling of python-preference = system when managed interpreters are on the PATH (#​15059)
• Fix symlink preservation in virtual environment creation (#​14933)
• Gracefully handle entrypoint permission errors (#​15026)
• Include wheel hashes from local Simple indexes (#​14993)
• Prefer system Python installations over managed ones when --system is used (#​15061)
• Remove retry wrapper when matching on error kind (#​14996)
• Revert h2 upgrade (#​15079)

Documentation

• Improve visibility of copy and line separator in dark mode (#​14987)

v0.8.4

Compare Source

Enhancements

• Improve styling of warning cause chains (#​14934)
• Extend wheel filtering to Android tags (#​14977)
• Perform wheel lockfile filtering based on platform and OS intersection (#​14976)
• Clarify messaging when a new resolution needs to be performed (#​14938)

Preview features

• Add support for extending package's build dependencies with extra-build-dependencies (#​14735)
• Split preview mode into separate feature flags (#​14823)

Configuration

• Add support for package specific exclude-newer dates via exclude-newer-package (#​14489)

Bug fixes

• Avoid invalidating lockfile when path or workspace dependencies define explicit indexes (#​14876)
• Copy entrypoints that have a shebang that differs in python vs python3 (#​14970)
• Fix incorrect file permissions in wheel packages (#​14930)
• Update validation for environments and required-environments in uv.toml (#​14905)

Documentation

• Show uv_build in projects documentation (#​14968)
• Add UV_ prefix to installer environment variables (#​14964)
• Un-hide uv from --build-backend options (#​14939)
• Update documentation for preview flags (#​14902)

---

Configuration

📅 Schedule: Branch creation - Between 01:00 AM and 05:59 AM, only on Tuesday ( * 1-5 * * 2 ) in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.68%. Comparing base (7403d8e) to head (7e1ac1e).
⚠️ Report is 1 commits behind head on 16/edge.

❌ Your project check has failed because the head coverage (68.68%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff            @@
##           16/edge    #1047   +/-   ##
========================================
  Coverage    68.68%   68.68%           
========================================
  Files           15       15           
  Lines         4043     4043           
  Branches       582      582           
========================================
  Hits          2777     2777           
  Misses        1058     1058           
  Partials       208      208           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.