Skip to content

Update dependency uv to v0.11.15 [SECURITY]#8

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-uv-vulnerability
Open

Update dependency uv to v0.11.15 [SECURITY]#8
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-uv-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Aug 8, 2025
edited
Loading

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
uv (source, changelog) ==0.4.10==0.11.15 age confidence

uv allows ZIP payload obfuscation through parsing differentials

CVE-2025-54368 / GHSA-8qf3-x8v5-2pj8

More information

Details

Impact

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers:

  1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
  2. An attacker could contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

  • To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
  • When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
  • If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
  • The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI's backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.
Patches

Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.

Workarounds

Users are advised to upgrade to 0.8.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

uv has differential in tar extraction with PAX headers

GHSA-w476-p2h3-79g9

More information

Details

Impact

In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a result, an attacker could contrive a source distribution (as a tar archive) that would extract differently when installed via uv versus other Python package installers.

The underlying parsing differential here originates with astral-tokio-tar, which disclosed this vulnerability as CVE-2025-62518.

In practice, the impact of this vulnerability is low: only source distributions can be formatted as tar archives, and source distributions execute arbitrary code at build/installation time by definition. Consequently, a parser differential in tar extraction is strictly less powerful than the capabilities already exposed to an attacker who has the ability to control source distributions.

However, this particular source of malleability in source distributions is unintentional and not operating by design, and therefore we consider it a vulnerability despite its overlap in capabilities with intended behavior.

Patches

Versions 0.9.5 and newer of uv address the vulnerability above. Users should upgrade to 0.9.5 or newer.

Workarounds

Users are advised to upgrade to version 0.9.5 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

References
  • See CVE-2025-62518 for the corresponding advisory against astral-tokio-tar

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

uv allows ZIP payload obfuscation through parsing differentials

GHSA-pqhf-p39g-3x64

More information

Details

Impact

In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem:

  1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields were not present, since they aren't widely used. Consequently, a ZIP archive could be constructed where uv would interpret the contents of a central directory comment field as ZIP control structures (such as a new central directory entry), rather than skipping over them.
  2. Both local file entries and central directory entries contain filename fields, which are used to place archive members on disk. These fields are arbitrary sequences of bytes, and may therefore be invalid or ambiguous. For example, they may contain ASCII null bytes, in which case different ZIP extractors behave differently: Python's zipfile module truncates the filename at the first null, while uv would skip (not extract) any archive members whose filenames contained nulls. Because of this difference, a ZIP archive could be constructed that would extract differently across different Python package installers.

In both cases, the outcome is that an attacker may be able to produce a ZIP with a consistent digest that expands differently with different Python package installers.

Like with GHSA-8qf3-x8v5-2pj8, the impact of these differentials is limited by a number of factors:

  • To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv pip install $package or similar with an attacker-controlled $package.
    When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
  • If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
Patches

Versions 0.9.6 and newer of uv address both of the parser differentials above, by properly handling comments in central directory entries and by refusing to process ZIPs that contain filename fields that are unlikely to be interpreted consistently across other ZIP parser implementations.

Workarounds

Users are advised to upgrade to 0.9.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was disclosed by Caleb Brown (Google).

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

uv vulnerable to arbitrary file deletion through RECORD entries

GHSA-pjjw-68hj-v9mw

More information

Details

Impact

Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.

uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.

uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.

Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install and uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.

Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.

Only files can be deleted, attempts to delete a directory via an invalid RECORD entry will fail.

Patches

Versions 0.11.6 and newer of uv address the validation gap above, by removing invalid entries from RECORD files on wheel installation and ignoring RECORD paths that would escape the installation prefix on uninstall.

Workarounds

Users are advised to upgrade to 0.11.6 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

Severity

  • CVSS Score: 2.1 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

uv is vulnerable to arbitrary file write through entry point names

GHSA-4gg8-gxpx-9rph

More information

Details

Impact

In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification (under console_scripts or gui_scripts), uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts directory.

A malicious wheel could use this to place an executable outside of the intended environment, including in a directory already present on the user's PATH. This could shadow or overwrite an existing executable and potentially result in unexpected code execution under the wheel's control, even if the wheel's installation environment was not explicitly added to PATH by the user.

In order to exploit this vulnerability, the attacker must induce their target into installing a malicious wheel.

Patches

uv 0.11.15 and newer address this vulnerability. Users are encouraged to upgrade to 0.11.15.

Workarounds

There is no workaround other than upgrading to uv 0.11.15.

Severity

Medium

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

astral-sh/uv (uv)

v0.11.15

Compare Source

Released on 2026-05-18.

Security
Enhancements
  • Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#​18741)
  • Add support for Azure request signing (#​19421)
  • Apply stricter validation to all wheel filename segments (#​19364)
  • Reject empty strings as an invalid package name (#​19435)
  • Use structured errors for signing authentication failures (#​19422)
Preview
Configuration
  • Respect required-environments in uv pip compile (#​19378)
Performance
  • Avoid parsing JSON manifest when local Python is available (#​19398)
  • Avoid walking nested directories in linker conflict registration (#​19382)
  • Optimize async wheel ZIP writing (#​19383)
  • Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#​19425)
Bug fixes
  • Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#​19423)
  • Skip empty directories in uv build outputs (#​19437)
  • Fix Git submodule handling when using relative paths (#​12156)
  • Fix line number reporting in netrc parsing (#​19452)
Documentation
  • Move Bazel auth helper setup into integration guide (#​19392)

v0.11.14

Compare Source

Released on 2026-05-12.

Enhancements
  • Add Astral mirror URL override (#​19206)
  • Ignore top_level.txt entries in uninstall that are not valid Python identifiers (#​19340)
Bug fixes
  • Avoid applying .env files in parent process (#​19343)
  • Filter ANSI codes in logging output (#​19311)
  • Fix uv tree showing extra-conditional deps for packages required without extras (#​19332)
  • Respect build options (e.g., --no-build) during lock validation (#​19366)

v0.11.13

Compare Source

Released on 2026-05-10.

Bug fixes
  • Include data files in editable builds (#​19312)
  • Respect --require-hashes when installing from pylock.toml files (#​19334)
Python
  • Add CPython 3.14.5

v0.11.12

Compare Source

Released on 2026-05-08.

Python
  • Add CPython 3.15.0b1
Enhancements
  • Add --no-editable support to uv pip install (#​19306)
  • Require git refs in URLs to be percent-encoded (#​19320)
Bug fixes
Documentation
  • Fix bug from inconsistent workflow name in GHA-PyPI guide example (#​19309)

v0.11.11

Compare Source

Released on 2026-05-06.

Bug fixes
  • Accept legacy ID format from pre-0.11.9 cache entries (#​19301)

v0.11.10

Compare Source

Released on 2026-05-05.

Bug fixes
  • Allow pre-release Python requests with non-zero patch versions (#​19286)

v0.11.9

Compare Source

Released on 2026-05-04.

This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored.

We would greatly appreciate if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team.

For more context, see the announcement, issue, and pull request.

Issues with the new release can be reported in the uv or CPython issue trackers.

Python
  • Upgrade PyPy to v7.3.22
  • Add CPython 3.14.5rc1
  • On macOS, CPython statically links libpython to match Linux
Enhancements
  • Omit compatible release desugaring for pre-release hints (#​19267)
  • Fix file locks on Android (#​18323)
Preview
  • uv audit add reporting for adverse project statuses (#​19128)
Bug fixes
  • Discover versioned Python executables when requires-python pins a version (#​18700)
  • Fix URL prefix matching to require path boundaries (#​19154)
  • Fix transitive Git path dependencies in lockfiles (#​19269)
  • Handle incorrect unlock error in LockedFile::drop on Wine (#​19229)
  • Prevent uninstalling site-packages for empty top_level.txt in .egg-info (#​19114)
  • Use symlinks instead of junctions on Wine (#​19213)
  • Fix floating-point environment handling on ARMv7 (#​19157)
  • Redact credentials from remote requirements URL in offline errors (#​19216)
  • Windows tramplolines no longer set PYTHONHOME and only set __PYVENV_LAUNCHER__ for virtual environments (#​19199)
Documentation
  • Mark --native-tls and UV_NATIVE_TLS as deprecated (#​18705)
  • Re-add pytorch-triton-rocm to PyTorch ROCm docs (#​19241)
  • Tweak changelog entries for 0.11.8 (#​19188)
  • Add 'Exporting lockfiles' to the Concepts->Projects index (#​19209)
  • Clarify that uv init creates git files / folders in the projects guide (#​19183)

v0.11.8

Compare Source

Released on 2026-04-27.

Enhancements
  • Add --python-downloads-json-url to python pin (#​19092)
  • Fetch uv from Astral mirror during self-update (#​18682)
  • Support pip uninstall -y (#​19082)
  • Add UV_PYTHON_NO_REGISTRY (#​19035)
  • Allow exclude-newer to be missing from the lockfile when exclude-newer-span is present (#​19024)
  • Only show the version number in uv self version --short (#​19019)
  • Silence warnings on empty SSL_CERT_DIR directory (#​19018)
  • Use a sentinel timestamp for relative exclude-newer and exclude-newer-package values in lockfiles (#​19022, #​19101)
Configuration
  • Add an environment variable for UV_NO_PROJECT (#​19052)
  • Expose UV_PYTHON_SEARCH_PATH for Python discovery PATH overrides (#​19034)
Bug fixes
  • Add rust-toolchain.toml to uv-build sdist (#​19131)
  • Ensure uv invocations of git do not inherit repository location environment variables (#​19088)
  • Redact pre-signed upload URLs in verbose output (#​19146)
  • Handle transitive URL dependencies in PEP 517 build requirements (#​19076, #​19086)
  • Support uv lock on a pyproject.toml that only contains dependency-groups (#​19087)
  • Disable transparent Python upgrades in projects when a patch version is requested via .python-version (#​19102)
  • Fix Python variant tagging in the Windows registry (#​19012)
  • Use a single codepath for extracting a .tar.zst wheel, disallowing external symlinks (#​19144)
Documentation
  • Bump astral-sh/setup-uv version in docs (#​19030)
  • Update PyTorch documentation for PyTorch 2.11 (#​19095)
  • Remove deprecated license classifiers from uv-build and add Python 3.14 classifier (#​19130)

v0.11.7

Compare Source

Released on 2026-04-15.

Python
  • Upgrade CPython build to 2026041 including an OpenSSL security upgrade (#​19004)
Enhancements
  • Elevate configuration errors to required-version mismatches (#​18977)
  • Further improve TLS certificate validation messages (#​18933)
  • Improve --exclude-newer hints (#​18952)
Preview features
  • Fix --script handling in uv audit (#​18970)
  • Fix traversal of extras in uv audit (#​18970)
Bug fixes
  • De-quote workspace metadata in linehaul data (#​18966)
  • Avoid installing tool workspace member dependencies as editable (#​18891)
  • Emit JSON report for uv sync --check failures (#​18976)
  • Filter and warn on invalid TLS certificates (#​18951)
  • Fix equality comparisons for version specifiers with ~= operators (#​18960)
  • Fix stale Python upgrade preview feature check in project environment construction (#​18961)
  • Improve Windows path normalization (#​18945)

v0.11.6

Compare Source

Released on 2026-04-09.

Bug fixes
  • Do not remove files outside the venv on uninstall (#​18942)
  • Validate and heal wheel RECORD during installation (#​18943)
  • Avoid uv cache clean errors due to Win32 path normalization (#​18856)

v0.11.5

Compare Source

Released on 2026-04-08.

Python
  • Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#​18908)
Enhancements
  • Fix build_system.requires error message (#​18911)
  • Remove trailing path separators in path normalization (#​18915)
  • Improve error messages for unsupported or invalid TLS certificates (#​18924)
Preview features
  • Add exclude-newer to [[tool.uv.index]] (#​18839)
  • uv audit: add context/warnings for ignored vulnerabilities (#​18905)
Bug fixes
  • Normalize persisted fork markers before lock equality checks (#​18612)
  • Clear junction properly when uninstalling Python versions on Windows (#​18815)
  • Report error cleanly instead of panicking on TLS certificate error (#​18904)
Documentation

v0.11.4

Compare Source

Released on 2026-04-07.

Python
  • Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#​18908)
Enhancements
  • Add support for --upgrade-group (#​18266)
  • Merge repeated archive URL hashes by version ID (#​18841)
  • Require all direct URL hash algorithms to match (#​18842)
Bug fixes
  • Avoid panics in environment finding via cycle detection (#​18828)
  • Enforce direct URL hashes for pyproject.toml dependencies (#​18786)
  • Error on --locked and --frozen when script lockfile is missing (#​18832)
  • Fix uv export extra resolution for workspace member and conflicting extras (#​18888)
  • Include conflicts defined in virtual workspace root (#​18886)
  • Recompute relative exclude-newer values during uv tree --outdated (#​18899)
  • Respect --exclude-newer in uv tool list --outdated (#​18861)
  • Sort by comparator to break specifier ties (#​18850)
  • Store relative timestamps in tool receipts (#​18901)
  • Track newly-activated extras when determining conflicts (#​18852)
  • Patch Cargo.lock in uv-build source distributions (#​18831)
Documentation
  • Clarify that --exclude-newer compares artifact upload times (#​18830)

v0.11.3

Compare Source

Released on 2026-04-01.

Enhancements
  • Add progress bar for hashing phase in uv publish (#​18752)
  • Add support for ROCm 7.2 (#​18730)
  • Emit abi3t tags for every abi3 version (#​18777)
  • Expand uv workspace metadata with dependency information from the lock (#​18356)
  • Implement support for PEP 803 (#​18767)
  • Pretty-print platform in built wheel errors (#​18738)
  • Publish installers to /installers/uv/latest on the mirror (#​18725)
  • Show free-threaded Python in built-wheel errors (#​18740)
Preview features
  • Add --ignore and --ignore-until-fixed to uv audit (#​18737)
Bug fixes
  • Bump simple API cache (#​18797)
  • Don't drop blake2b hashes (#​18794)
  • Handle broken range request implementations (#​18780)
  • Remove powerpc64-unknown-linux-gnu from release build targets (#​18800)
  • Respect dependency metadata overrides in uv pip check (#​18742)
  • Support debug CPython ABI tags in environment compatibility (#​18739)
Documentation

v0.11.2

Compare Source

Released on 2026-03-26.

Enhancements
  • Add a dedicated Windows PE editing error (#​18710)
  • Make uv self update fetch the manifest from the mirror first (#​18679)
  • Use uv reqwest client for self update (#​17982)
  • Show uv self update success and failure messages with --quiet (#​18645)
Preview features
  • Evaluate extras and groups when determining auditable packages (#​18511)
Bug fixes
  • Skip redundant project configuration parsing for uv run (#​17890)

v0.11.1

Compare Source

Released on 2026-03-24.

Bug fixes
  • Add missing hash verification for riscv64gc-unknown-linux-musl (#​18686)
  • Fallback to direct download when direct URL streaming is unsupported (#​18688)
  • Revert treating 'Dynamic' values as case-insensitive (#​18692)
  • Remove torchdata from list of packages to source from the PyTorch index (#​18703)
  • Special-case == Python version request ranges (#​9697)
Documentation
  • Cover --python <dir> in "Using arbitrary Python environments" (#​6457)
  • Fix version annotations for PS_MODULE_PATH and UV_WORKING_DIR (#​18691)

v0.11.0

Compare Source

Released on 2026-03-23.

Breaking changes

This release includes changes to the networking stack used by uv. While we think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so we have marked the change as breaking out of an abundance of caution.

The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to v0.13 which included some breaking changes to TLS certificate verification.

The following changes are included:

  • rustls-platform-verifier is used instead of rustls-native-certs and webpki for certificate verification

    This change should have no effect unless you are using the native-tls option to enable reading system certificates.

    rustls-platform-verifier delegates to the system for certificate validation (e.g., Security.framework on macOS) instead of eagerly loading certificates from the system and verifying them via webpki. The effects of this change will vary based on the operating system. In general, uv's certificate validation should now be more consistent with browsers and other native applications. However, this is the most likely cause of breaking changes in this release. Some previously failing certificate chains may succeed, and some previously accepted certificate chains may fail. In either case, we expect the validation to be more correct and welcome reports of regressions.

    In particular, because more responsibility for validating the certificate is transferred to your system's security library, some features like CA constraints or revocation of certificates via OCSP and CRLs may now be used.

    This change should improve performance when using system certificate on macOS, as uv no longer needs to load all certificates from the keychain at startup.

  • aws-lc is used instead of ring for a cryptography backend

    There should not be breaking changes from this change. We expect this to expand support for certificate signature algorithms.

  • --native-tls is deprecated in favor of a new --system-certs flag

    The --native-tls flag is still usable and has identical behavior to --system-certs.

    This change was made to reduce confusion about the TLS implementation uv uses. uv always uses rustls not native-tls.

  • Building uv on x86-64 and i686 Windows requires NASM

    NASM is required by aws-lc. If not found on the system, a prebuilt blob provided by aws-lc-sys will be used.

    If you are not building uv from source, this change has no effect.

    See the CONTRIBUTING guide for details.

  • Empty SSL_CERT_FILE values are ignored (for consistency with SSL_CERT_DIR)

See #​18550 for details.

Python
  • Enable frame pointers for improved profiling on Linux x86-64 and aarch64

See the python-build-standalone release notes for details.

Enhancements
  • Treat 'Dynamic' values as case-insensitive (#​18669)
  • Use a dedicated error for invalid cache control headers (#​18657)
  • Enable checksum verification in the generated installer script (#​18625)
Preview features
  • Add --service-format and --service-url to uv audit (#​18571)
Performance
  • Avoid holding flat index lock across indexes (#​18659)
Bug fixes
  • Find the dynamic linker on the file system when sniffing binaries fails (#​18457)
  • Fix export of conflicting workspace members with dependencies (#​18666)
  • Respect installed settings in uv tool list --outdated (#​18586)
  • Treat paths originating as PEP 508 URLs which contain expanded variables as relative (#​18680)
  • Fix uv export for workspace member packages with conflicts (#​18635)
  • Continue to alternative authentication providers when the pyx store has no token (#​18425)
  • Use redacted URLs for log messages in cached client (#​18599)
Documentation
  • Add details on Linux versions to the platform policy (#​18574)
  • Clarify FLASH_ATTENTION_SKIP_CUDA_BUILD guidance for flash-attn installs (#​18473)
  • Split the dependency bots page into two separate pages (#​18597)
  • Split the alternative indexes page into separate pages (#​18607)

v0.10.12

Compare Source

Released on 2026-03-19.

Python
Enhancements
  • Include uv's target triple in version report (#​18520)
  • Allow comma separated values in --no-emit-package (#​18565)
Preview features
Bug fixes
  • Improve reporting of managed interpreter symlinks in uv python list (#​18459)
  • Preserve end-of-line comments on previous entries when removing dependencies (#​18557)
  • Treat abi3 wheel Python version as a lower bound (#​18536)
  • Detect hard-float support on aarch64 kernels running armv7 userspace (#​18530)
Documentation
  • Add Python 3.15 to supported versions (#​18552)
  • Adjust the PyPy note (#​18548)
  • Move Pyodide to Tier 2 in the Python support policy (#​18561)
  • Move Rust and Python version support out of the Platform support policy (#​18535)
  • Update Docker guide with changes from uv-docker-example (#​18558)
  • Update the Python version policy (#​18559)

v0.10.11

Compare Source

Released on 2026-03-16.

Enhancements
  • Fetch Ruff release metadata from an Astral mirror (#​18358)
  • Use PEP 639 license metadata for uv itself (#​16477)
Performance
  • Improve distribution id performance (#​18486)
Bug fixes
  • Allow --project to refer to a pyproject.toml directly and reduce to a warning on other files (#​18513)
  • Disable SYSTEM_VERSION_COMPAT when querying interpreters on macOS (#​18452)
  • Enforce available distributions for supported environments (#​18451)
  • Fix uv sync --active recreating active environments when UV_PYTHON_INSTALL_DIR is relative (#​18398)
Documentation
  • Add missing -o requirements.txt in uv pip compile example (#​12308)
  • Link to organization security policy (#​18449)
  • Link to the AI policy in the contributing guide (#​18448)

v0.10.10

Compare Source

Released on 2026-03-13.

Python
Enhancements
  • Add --outdated flag to uv tool list (#​18318)
  • Add riscv64 musl target to build-release-binaries workflow (#​18228)
  • Fetch Ruff from an Astral mirror (#​18286)
  • Improve error handling for platform detection in Python downloads (#​18453)
  • Warn if --project directory does not exist (#​17714)
  • Warn when workspace member scripts are skipped due to missing build system (#​18389)
  • Update build backend versions used in uv init (#​18417)
  • Log explicit config file path in verbose output (#​18353)
  • Make uv cache clear an alias of uv cache clean (#​18420)
  • Reject invalid classifiers, warn on license classifiers in uv_build (#​18419)
Preview features
  • Add links to uv audit output (#​18392)
  • Output/report formatting for uv audit (#​18193)
  • Switch to batched OSV queries for uv audit (#​18394)
Bug fixes
  • Avoid sharing version metadata across indexes (#​18373)
  • Bump zlib-rs to 0.6.2 to fix panic on decompression of large wheels on Windows (#​18362)
  • Filter out unsupported environment wheels (#​18445)
  • Preserve absolute/relative paths in lockfiles (#​18176)
  • Recreate Python environments under uv tool install --force (#​18399)
  • Respect timestamp and other cache keys in cached environments (#​18396)
  • Simplify selected extra markers in uv export (#​18433)
  • Send pyx mint-token requests with a proper Content-Type (#​18334)
  • Fix Windows operating system and version reporting (#​18383)
Documentation
  • Update the platform support policy with a tier 3 section including freebsd and 32-bit windows (#​18345)

v0.10.9

Compare Source

Released on 2026-03-06.

Enhancements
  • Add fbgemm-gpu, fbgemm-gpu-genai, torchrec, and torchtune to the PyTorch list (#​18338)
  • Add torchcodec to PyTorch List (#​18336)
  • Log the duration we took before erroring (#​18231)
  • Warn when using uv_build settings without uv_build (#​15750)
  • Add fallback to /usr/lib/os-release on Linux system lookup failure (#​18349)
  • Use cargo auditable to include SBOM in uv builds (#​18276)
Configuration
  • Add an environment variable for UV_VENV_RELOCATABLE (#​18331)
Performance
  • Avoid toml Document overhead (#​18306)
  • Use a single global workspace cache (#​18307)
Bug fixes
  • Continue on trampoline job assignment failures (#​18291)
  • Handle the hard link limit gracefully instead of failing (#​17699)
  • Respect build constraints for workspace members (#​18350)
  • Revalidate editables and other dependencies in scripts (#​18328)
  • Support Python 3.13+ on Android (#​18301)
  • Support cp3-none-any (#​17064)
  • Skip tool environments with broken links to Python on Windows (#​17176)
Documentation
  • Add documentation for common marker values (#​18327)
  • Improve documentation on virtual dependencies (#​18346)

v0.10.8

Compare Source

Released on 2026-03-03.

Python
  • Add CPython 3.10.20
  • Add CPython 3.11.15
  • Add CPython 3.12.13
Enhancements
  • Add Docker images based on Docker Hardened Images (#​18247)
  • Add resolver hint when --exclude-newer filters out all versions of a package (#​18217)
  • Configure a real retry minimum delay of 1s (#​18201)
  • Expand uv_build direct build compatibility (#​17902)
  • Fetch CPython from an Astral mirror by default (#​18207)
  • Download uv releases from an Astral mirror in installers by default (#​18191)
  • Add SBOM attestations to Docker images (#​18252)
  • Improve hint for installing meson-python when missing as build backend (#​15826)
Configuration
  • Add UV_INIT_BARE environment variable for uv init (#​18210)
Bug fixes

Note

PR body was truncated to here.

@renovate renovate Bot added the dependencies Dependencies label Aug 8, 2025
@renovate renovate Bot force-pushed the renovate/pypi-uv-vulnerability branch from 03eb08c to e4f8474 Compare October 23, 2025 08:14
@renovate renovate Bot changed the title Update dependency uv to v0.8.6 [SECURITY] Update dependency uv to v0.9.5 [SECURITY] Oct 23, 2025
@renovate renovate Bot force-pushed the renovate/pypi-uv-vulnerability branch from e4f8474 to 41230ca Compare November 1, 2025 19:43
@renovate renovate Bot changed the title Update dependency uv to v0.9.5 [SECURITY] Update dependency uv to v0.9.6 [SECURITY] Nov 1, 2025
@renovate renovate Bot force-pushed the renovate/pypi-uv-vulnerability branch from 41230ca to 1a8181e Compare April 15, 2026 18:53
@renovate renovate Bot changed the title Update dependency uv to v0.9.6 [SECURITY] Update dependency uv to v0.11.6 [SECURITY] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/pypi-uv-vulnerability branch from 1a8181e to a992966 Compare May 30, 2026 19:09
@renovate renovate Bot changed the title Update dependency uv to v0.11.6 [SECURITY] Update dependency uv to v0.11.15 [SECURITY] May 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Dependencies

Projects

context_models
Status: Do

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants