build(deps): update uv (patch) #598

Status: Open. Wants to merge 1 commit into main.

Conversation

renovate[bot] (Contributor) commented Jul 10, 2025

This PR contains the following updates:

Package                 | Type       | Update | Change
------------------------|------------|--------|-----------------
astral-sh/setup-uv      | action     | patch  | v6.4.1 -> v6.4.3
astral-sh/uv            | uses-with  | patch  | 0.8.0 -> 0.8.9
astral-sh/uv-pre-commit | repository | patch  | 0.8.0 -> 0.8.9
ghcr.io/astral-sh/uv    | stage      | patch  | 0.8.0 -> 0.8.9
uv (source, changelog)  |            | patch  | 0.8.0 -> 0.8.9

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.


Release Notes

astral-sh/setup-uv (astral-sh/setup-uv)

v6.4.3: 🌈 fix relative paths starting with dots

🐛 Bug fixes

v6.4.2: 🌈 Interpret relative inputs as under working-directory

Changes

This release will interpret relative paths in inputs as relative
to the value of working-directory (default is ${{ github.workspace }}).
This means the following configuration

- uses: astral-sh/setup-uv@v6
  with:
    working-directory: /my/path
    cache-dependency-glob: uv.lock

will look for the cache-dependency-glob under /my/path/uv.lock

🐛 Bug fixes
🧰 Maintenance
astral-sh/uv (astral-sh/uv)

v0.8.9

Enhancements
  • Add --reinstall flag to uv python upgrade (#​15194)
Bug fixes
  • Include build settings in cache key for registry source distribution lookups (#​15225)
  • Avoid creating bin links on uv python upgrade if they don't already exist (#​15192)
  • Respect system proxies on macOS and Windows (#​15221)
Documentation

v0.8.8

Bug fixes
  • Fix find_uv_bin compatibility with Python <3.10 (#​15177)

v0.8.7

Python
  • On Mac/Linux, libtcl, libtk, and _tkinter are built as separate shared objects, which fixes matplotlib's tkagg backend (the default on Linux), Pillow's PIL.ImageTk library, and other extension modules that need to use libtcl/libtk directly.
  • Tix is no longer provided on Linux. This is a deprecated Tk extension that appears to have been previously broken.

See the python-build-standalone release notes for details.

Enhancements
  • Do not update uv.lock when using --isolated (#​15154)
  • Add support for --prefix and --with installations in find_uv_bin (#​14184)
  • Add support for discovering base prefix installations in find_uv_bin (#​14181)
  • Improve error messages in find_uv_bin (#​14182)
  • Warn when two packages write to the same module (#​13437)
Preview features
  • Add support for package-level conflicts in workspaces (#​14906)
Configuration
  • Add UV_DEV and UV_NO_DEV environment variables (for --dev and --no-dev) (#​15010)
Bug fixes
  • Fix regression where --require-hashes applied to build dependencies in uv pip install (#​15153)
  • Ignore GraalPy devtags (#​15013)
  • Include all site packages directories in ephemeral environment overlays (#​15121)
  • Search in the user scheme scripts directory last in find_uv_bin (#​14191)
Documentation
  • Add missing periods (.) to list elements in Features docs page (#​15138)

v0.8.6

This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser (CVE-2025-54368).

Prior to this release, attackers could construct ZIP files that would be extracted differently by pip, uv, and other tools. As a result, ZIPs could be constructed that would be considered harmless by (e.g.) scanners, but contain a malicious payload when extracted by uv. As of v0.8.6, uv now applies additional checks to reject such ZIPs.

Thanks to a triage effort with the Python Security Response Team and PyPI maintainers, we were able to determine that these differentials were not exploited via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload.

Although the practical risk of exploitation is low, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion.

These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable UV_INSECURE_NO_ZIP_VALIDATION to restore the previous behavior. If you encounter such a rejection, please file an issue with uv and with the upstream package.

For additional information, please refer to the following blog posts:

Security
  • Harden ZIP streaming to reject repeated entries and other malformed ZIP files (#​15136)
Python
  • Add CPython 3.13.6
Configuration
  • Add support for per-project build-time environment variables (#​15095)
Bug fixes
  • Avoid invalid simplification with conflict markers (#​15041)
  • Respect UV_HTTP_RETRIES in uv publish (#​15106)
  • Support UV_NO_EDITABLE where --no-editable is supported (#​15107)
  • Upgrade cargo-dist to add UV_INSTALLER_URL to PowerShell installer (#​15114)
  • Upgrade h2 again to avoid too_many_internal_resets errors (#​15111)
  • Consider pythonw when copying entry points in uv run (#​15134)
Documentation
  • Ensure symlink warning is shown (#​15126)

v0.8.5

Enhancements
  • Enable uv run with a GitHub Gist (#​15058)
  • Improve HTTP response caching log messages (#​15067)
  • Show wheel tag hints in install plan (#​15066)
  • Support installing additional executables in uv tool install (#​14014)
Preview features
  • Enable extra build dependencies to 'match runtime' versions (#​15036)
  • Remove duplicate extra-build-dependencies warnings for uv pip (#​15088)
  • Use "option" instead of "setting" in pylock warning (#​15089)
  • Respect extra build requires when reading from wheel cache (#​15030)
  • Preserve lowered extra build dependencies (#​15038)
Bug fixes
  • Add Python versions to markers implied from wheels (#​14913)
  • Ensure consistent indentation when adding dependencies (#​14991)
  • Fix handling of python-preference = system when managed interpreters are on the PATH (#​15059)
  • Fix symlink preservation in virtual environment creation (#​14933)
  • Gracefully handle entrypoint permission errors (#​15026)
  • Include wheel hashes from local Simple indexes (#​14993)
  • Prefer system Python installations over managed ones when --system is used (#​15061)
  • Remove retry wrapper when matching on error kind (#​14996)
  • Revert h2 upgrade (#​15079)
Documentation
  • Improve visibility of copy and line separator in dark mode (#​14987)

v0.8.4

Enhancements
  • Improve styling of warning cause chains (#​14934)
  • Extend wheel filtering to Android tags (#​14977)
  • Perform wheel lockfile filtering based on platform and OS intersection (#​14976)
  • Clarify messaging when a new resolution needs to be performed (#​14938)
Preview features
  • Add support for extending package's build dependencies with extra-build-dependencies (#​14735)
  • Split preview mode into separate feature flags (#​14823)
Configuration
  • Add support for package specific exclude-newer dates via exclude-newer-package (#​14489)
Bug fixes
  • Avoid invalidating lockfile when path or workspace dependencies define explicit indexes (#​14876)
  • Copy entrypoints that have a shebang that differs in python vs python3 (#​14970)
  • Fix incorrect file permissions in wheel packages (#​14930)
  • Update validation for environments and required-environments in uv.toml (#​14905)
Documentation
  • Show uv_build in projects documentation (#​14968)
  • Add UV_ prefix to installer environment variables (#​14964)
  • Un-hide uv from --build-backend options (#​14939)
  • Update documentation for preview flags (#​14902)

v0.8.3

Python
  • Add CPython 3.14.0rc1

See the python-build-standalone release notes for more details.

Enhancements
  • Allow non-standard entrypoint names in uv_build (#​14867)
  • Publish riscv64 wheels to PyPI (#​14852)
Bug fixes
  • Avoid writing redacted credentials to tool receipt (#​14855)
  • Respect --with versions over base environment versions (#​14863)
  • Respect credentials from all defined indexes (#​14858)
  • Fix missed stabilization of removal of registry entry during Python uninstall (#​14859)
  • Improve concurrency safety of Python downloads into cache (#​14846)
Documentation
  • Fix typos in uv_build reference documentation (#​14853)
  • Move the "Cargo" install method further down in docs (#​14842)

v0.8.2

Enhancements
  • Add derivation chains for dependency errors (#​14824)
Configuration
Bug fixes
  • Avoid reading files in the environment bin that are not entrypoints (#​14830)
  • Avoid removing empty directories when constructing virtual environments (#​14822)
  • Preserve index URL priority order when writing to pyproject.toml (#​14831)
Rust API
  • Expose tls_built_in_root_certs for client (#​14816)
Documentation

v0.8.1

Enhancements
  • Add support for HF_TOKEN (#​14797)
  • Allow --config-settings-package to apply configuration settings at the package level (#​14573)
  • Create (e.g.) python3.13t executables in uv venv (#​14764)
  • Disallow writing symlinks outside the source distribution target directory (#​12259)
  • Elide traceback when python -m uv is interrupted with Ctrl-C on Windows (#​14715)
  • Match --bounds formatting for uv_build bounds in uv init (#​14731)
  • Support extras and dependency_groups markers in PEP 508 grammar (#​14753)
  • Support extras and dependency_groups markers on uv pip install and uv pip sync (#​14755)
  • Add hint to use uv self version when uv version cannot find a project (#​14738)
  • Improve error reporting when removing Python versions from the Windows registry (#​14722)
  • Make warnings about masked [tool.uv] fields more precise (#​14325)
Preview features
  • Emit JSON output in uv sync with --quiet (#​14810)
Bug fixes
  • Allow removal of virtual environments with missing interpreters (#​14812)
  • Apply Cache-Control overrides to response, not request headers (#​14736)
  • Copy entry points into ephemeral environments to ensure layers are respected (#​14790)
  • Workaround Jupyter Lab application directory discovery in ephemeral environments (#​14790)
  • Enforce requires-python in pylock.toml (#​14787)
  • Fix kebab casing of README variants in build backend (#​14762)
  • Improve concurrency resilience of removing Python versions from the Windows registry (#​14717)
  • Retry HTTP requests on invalid data errors (#​14703)
  • Update virtual environment removal to delete pyvenv.cfg last (#​14808)
  • Error on unknown fields in dependency-metadata (#​14801)
Documentation
  • Recommend installing setup-uv after setup-python in GitHub Actions integration guide (#​14741)
  • Clarify which portions of requires-python behavior are consistent with pip (#​14752)
astral-sh/uv-pre-commit (astral-sh/uv-pre-commit)

v0.8.9: See https://github.com/astral-sh/uv/releases/tag/0.8.9

v0.8.8: See https://github.com/astral-sh/uv/releases/tag/0.8.8

v0.8.7: See https://github.com/astral-sh/uv/releases/tag/0.8.7

v0.8.6: See https://github.com/astral-sh/uv/releases/tag/0.8.6

v0.8.5: See https://github.com/astral-sh/uv/releases/tag/0.8.5

v0.8.4: See https://github.com/astral-sh/uv/releases/tag/0.8.4

v0.8.3: See https://github.com/astral-sh/uv/releases/tag/0.8.3

v0.8.2: See https://github.com/astral-sh/uv/releases/tag/0.8.2

v0.8.1: See https://github.com/astral-sh/uv/releases/tag/0.8.1


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
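The v0.8.6 release note above describes a parser differential: a central-directory reader (for example a scanner built on Python's zipfile module) and a streaming local-header reader can disagree about what a given entry name contains. The Python below is an added example for this PR page, not uv's code and not the checks merged in astral-sh/uv#15136. It constructs a sample archive with two entries both named pkg/__init__.py, shows the two views disagreeing, and then applies a conservative validator (the names build_zip, stream_entries, central_entries, validate_zip and is_valid are this example's own) that rejects repeated names and central-directory records that do not line up with the local headers they point at.

```python
"""Parser-differential demo for ZIP archives (added example, not uv's code).

A central-directory reader and a streaming local-header reader can return
different bytes for the same entry name. The validator at the bottom refuses
archives where the two views could disagree; it illustrates the class of
check, not the exact rules uv applies.
"""
import io
import struct
import warnings
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
DATA_DESCRIPTOR_FLAG = 0x0008

# Constructed sample contents (not taken from any real package).
TARGET = "pkg/__init__.py"
BENIGN = b"print('benign')\n"
PAYLOAD = b"print('payload')\n"


def build_zip(entries):
    """Build a stored (uncompressed) archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes both records.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


def build_duplicate_entry_zip():
    """Two records with the same name: a scanner and an extractor may disagree."""
    return build_zip([(TARGET, BENIGN), (TARGET, PAYLOAD)])


def build_clean_zip():
    return build_zip([(TARGET, BENIGN), ("pkg/util.py", b"x = 1\n")])


def central_view(data, name):
    """What a central-directory reader (Python's zipfile) returns for name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def stream_entries(data):
    """Walk local file headers in order, as a streaming extractor would.
    Returns (name, header_offset, payload) triples."""
    out, off = [], 0
    while data[off:off + 4] == LOCAL_SIG:
        (_sig, _ver, flags, _method, _mt, _md, _crc, csize, _usize,
         nlen, xlen) = struct.unpack("<4sHHHHHIIIHH", data[off:off + 30])
        if flags & DATA_DESCRIPTOR_FLAG:
            raise ValueError("sizes deferred to a data descriptor; not handled here")
        name = data[off + 30:off + 30 + nlen].decode("utf-8")
        start = off + 30 + nlen + xlen
        out.append((name, off, data[start:start + csize]))
        off = start + csize
    return out


def central_entries(data):
    """Parse the central directory. Returns (name, local_header_offset) pairs."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_total, _cd_size,
     cd_off, _clen) = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    out, off = [], cd_off
    for _ in range(n_total):
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[off:off + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("central directory truncated or corrupt")
        nlen, xlen, clen, lho = f[10], f[11], f[12], f[16]
        name = data[off + 46:off + 46 + nlen].decode("utf-8")
        out.append((name, lho))
        off += 46 + nlen + xlen + clen
    return out


def validate_zip(data):
    """Reject archives whose two views could disagree. Returns None if clean."""
    central = central_entries(data)
    local = stream_entries(data)
    names = [n for n, _ in central]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise ValueError(f"repeated entries: {dupes}")
    if len(central) != len(local):
        raise ValueError("central directory and local headers disagree on entry count")
    local_name_at = {off: n for n, off, _ in local}
    for name, lho in central:
        if local_name_at.get(lho) != name:
            raise ValueError(f"central entry {name!r} does not point at a matching local header")


def is_valid(data):
    try:
        validate_zip(data)
        return True
    except ValueError:
        return False
```

Which record "wins" for a duplicate name is tool-specific: Python's zipfile keeps the last central-directory record, while a streaming extractor meets the first local header first, so a scanner and an installer can genuinely see different files for the same path. The validator errs on the side of refusal, which matches the release note's caveat that some benign archives may be rejected by this kind of hardening.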

@renovate renovate bot force-pushed the renovate/patch-uv branch from 9d46e35 to b14e274 July 14, 2025 20:49
@renovate renovate bot changed the title build(deps): update uv to v0.7.20 (patch) build(deps): update uv to v0.7.21 (patch) Jul 14, 2025
@renovate renovate bot force-pushed the renovate/patch-uv branch from b14e274 to ae086b5 July 17, 2025 16:50
@renovate renovate bot changed the title build(deps): update uv to v0.7.21 (patch) build(deps): update uv (patch) Jul 17, 2025
@renovate renovate bot force-pushed the renovate/patch-uv branch from ae086b5 to b06b966 July 17, 2025 22:25
@renovate renovate bot changed the title build(deps): update uv (patch) build(deps): update uv to v0.7.22 (patch) Jul 17, 2025
@renovate renovate bot changed the title build(deps): update uv to v0.7.22 (patch) build(deps): update uv to v0.7.22 (patch) - autoclosed Jul 21, 2025
@renovate renovate bot closed this Jul 21, 2025
@renovate renovate bot deleted the renovate/patch-uv branch July 21, 2025 14:18
@renovate renovate bot changed the title build(deps): update uv to v0.7.22 (patch) - autoclosed build(deps): update uv to v0.7.22 (patch) Jul 22, 2025
@renovate renovate bot reopened this Jul 22, 2025
@renovate renovate bot force-pushed the renovate/patch-uv branch from fae10e1 to b06b966 July 22, 2025 19:43
@renovate renovate bot changed the title build(deps): update uv to v0.7.22 (patch) build(deps): update uv to v0.8.1 (patch) Jul 22, 2025
@renovate renovate bot force-pushed the renovate/patch-uv branch from b06b966 to 480b47d July 22, 2025 23:39
@renovate renovate bot changed the title build(deps): update uv to v0.8.1 (patch) build(deps): update uv (patch) Jul 22, 2025
@renovate renovate bot changed the title build(deps): update uv (patch) build(deps): update uv to v0.8.2 (patch) Jul 23, 2025
@renovate renovate bot force-pushed the renovate/patch-uv branch 2 times, most recently from 5ab71e9 to a25bc12 July 23, 2025 17:01
@renovate renovate bot changed the title build(deps): update uv to v0.8.2 (patch) build(deps): update uv (patch) Jul 23, 2025
@renovate renovate bot force-pushed the renovate/patch-uv branch 5 times, most recently from 0f48bc8 to f115ee8 July 30, 2025 23:03
@renovate renovate bot force-pushed the renovate/patch-uv branch 4 times, most recently from 686da90 to 158d9f3 August 9, 2025 00:54
@renovate renovate bot force-pushed the renovate/patch-uv branch 2 times, most recently from 4e8d04c to c55e864 August 12, 2025 03:44
@renovate renovate bot force-pushed the renovate/patch-uv branch from c55e864 to 2dbdc6e August 12, 2025 09:47