chore(deps): bump uv-build from 0.9.5 to 0.9.6 in /.github/requirements

[dependabot]

Bumps uv-build from 0.9.5 to 0.9.6.

Release notes

Sourced from uv-build's releases.

0.9.6

Release Notes

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security

• Address ZIP parsing differentials (GHSA-pqhf-p39g-3x64)

Python

• Upgrade GraalPy to 25.0.1 (#16401)

Enhancements

• Add --clear to uv build to remove old build artifacts (#16371)
• Add --no-create-gitignore to uv build (#16369)
• Do not error when a virtual environment directory cannot be removed due to a busy error (#16394)
• Improve hint on pip install --system when externally managed (#16392)
• Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#16322)
• Update uv init template for Maturin (#16449)
• Improve ordering of Python sources in logs (#16463)
• Restore DockerHub release images and annotations (#16441)

Bug fixes

• Check for matching Python implementation during uv python upgrade (#16420)
• Deterministically order --find-links distributions (#16446)
• Don't panic in uv export --frozen when the lockfile is outdated (#16407)
• Fix root of uv tree when --package is used with circular dependencies (#15908)
• Show package list with pip freeze --quiet (#16491)
• Limit uv auth login pyx.dev retries to 60s (#16498)
• Add an empty group with uv add --group ... -r ... (#16490)

Documentation

• Update docs for maturin build backend init template (#16469)
• Update docs to reflect previous changes to signal forwarding semantics (#16430)
• Add instructions for installing via MacPorts (#16039)

Install uv 0.9.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.6/uv-installer.sh | sh

... (truncated)

Changelog

Sourced from uv-build's changelog.

0.9.6

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security

• Address ZIP parsing differentials (GHSA-pqhf-p39g-3x64)

Python

• Upgrade GraalPy to 25.0.1 (#16401)

Enhancements

• Add --clear to uv build to remove old build artifacts (#16371)
• Add --no-create-gitignore to uv build (#16369)
• Do not error when a virtual environment directory cannot be removed due to a busy error (#16394)
• Improve hint on pip install --system when externally managed (#16392)
• Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#16322)
• Update uv init template for Maturin (#16449)
• Improve ordering of Python sources in logs (#16463)
• Restore DockerHub release images and annotations (#16441)

Bug fixes

• Check for matching Python implementation during uv python upgrade (#16420)
• Deterministically order --find-links distributions (#16446)
• Don't panic in uv export --frozen when the lockfile is outdated (#16407)
• Fix root of uv tree when --package is used with circular dependencies (#15908)
• Show package list with pip freeze --quiet (#16491)
• Limit uv auth login pyx.dev retries to 60s (#16498)
• Add an empty group with uv add --group ... -r ... (#16490)

Documentation

• Update docs for maturin build backend init template (#16469)
• Update docs to reflect previous changes to signal forwarding semantics (#16430)
• Add instructions for installing via MacPorts (#16039)

Commits

• 2652244 Bump version to 0.9.6 (#16500)
• 19372ff Update Rust crate etcetera to 0.11.0 (#16501)
• de96aa1 Use std home_dir instead of home crate (#16483)
• db1d34e Support GitHub Gist URLs via HTTP redirects in uv run (#16451)
• c6d0b41 Limit uv auth login pyx.dev retries to 60s (#16498)
• 2d54f32 Fix a small clippy warning (#16499)
• c4f5741 Add an empty group with uv add -r (#16490)
• da659fe Merge commit from fork
• 41cd3d1 Sync latest Python releases (#16486)
• a759612 Show package list with pip freeze --quiet (#16491)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)