Use a no-op timestamp for exclude-newer in lockfiles when a relative value is configured#19022
Merged
zanieb merged 3 commits intoApr 20, 2026
Merged
Conversation
zanieb
commented
Apr 16, 2026
|
|
||
| [options] | ||
| exclude-newer = "2024-04-17T00:00:00Z" | ||
| exclude-newer = "2024-04-17T00:00:00Z" # This has no effect and is included for backwards compatibility when using relative exclude-newer values. |
Member
Author
There was a problem hiding this comment.
Comment is probably too long?
zsol
reviewed
Apr 17, 2026
zsol
left a comment
Member
There was a problem hiding this comment.
I'm confused. This PR seems to only add a comment to the timestamp field, as well as a test case that establishes that when a no-op timestamp is present, it behaves accordingly.
But it does not actually change uv to add a no-op timestamp.
Member
Author
|
Confusing... maybe it just got dropped on rebase. Thanks for pointing out that was missing here. |
b176f84 to
45ce9c1
Compare
zsol
approved these changes
Apr 17, 2026
6037579 to
a8e80d6
Compare
When a relative exclude-newer span is present, write a fixed no-op timestamp (`0001-01-01T00:00:00Z`) instead of the computed one. The span is what drives resolution; the timestamp is only kept for backwards compatibility with older uv versions. An inline TOML comment documents this. Also fix the exclude-newer comparison to not short-circuit on relative timestamp drift, which would mask real package-level span changes. https://claude.ai/code/session_01Lo8AhpYnfK8nUeVhRkxTHQ
a8e80d6 to
e1c59c0
Compare
zanieb
commented
Apr 17, 2026
zanieb
commented
Apr 17, 2026
zanieb
added a commit
that referenced
this pull request
Apr 21, 2026
…ewer-span` is present (#19024) Following #19022 this is an incremental step towards removing `exclude-newer` timestamps from lockfiles. We don't remove it here, but we ensure from this version onward, uv will not behave poorly when the value is missing. This includes substantial refactoring to better represent the desired end state in our exclude-newer types.
zanieb
added a commit
that referenced
this pull request
Apr 21, 2026
kdeldycke
added a commit
to kdeldycke/repomatic
that referenced
this pull request
Apr 28, 2026
3 tasks
potiuk
added a commit
to potiuk/airflow
that referenced
this pull request
Apr 28, 2026
Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder.
potiuk
added a commit
to apache/airflow
that referenced
this pull request
Apr 28, 2026
Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder.
1 task
potiuk
added a commit
to apache/airflow
that referenced
this pull request
Apr 28, 2026
Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder. (cherry picked from commit dbfc27d)
potiuk
added a commit
to apache/airflow
that referenced
this pull request
Apr 28, 2026
Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder. (cherry picked from commit dbfc27d)
potiuk
added a commit
to apache/airflow
that referenced
this pull request
Apr 28, 2026
Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder. (cherry picked from commit dbfc27d)
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
May 8, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | patch | `0.11.7` → `0.11.11` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.11.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01111) [Compare Source](astral-sh/uv@0.11.10...0.11.11) Released on 2026-05-06. ##### Bug fixes - Accept legacy ID format from pre-0.11.9 cache entries ([#​19301](astral-sh/uv#19301)) ### [`v0.11.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01110) [Compare Source](astral-sh/uv@0.11.9...0.11.10) Released on 2026-05-05. ##### Bug fixes - Allow pre-release Python requests with non-zero patch versions ([#​19286](astral-sh/uv#19286)) ### [`v0.11.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0119) [Compare Source](astral-sh/uv@0.11.8...0.11.9) Released on 2026-05-04. This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored. We would greatly appreciate if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team. For more context, see the [announcement](https://discuss.python.org/t/reverting-the-incremental-gc-in-python-3-14-and-3-15/107014), [issue](python/cpython#148726), and [pull request](python/cpython#148720). Issues with the new release can be reported in the uv or CPython issue trackers. ##### Python - Upgrade PyPy to v7.3.22 - Add CPython 3.14.5rc1 - On macOS, CPython statically links `libpython` to match Linux ##### Enhancements - Omit compatible release desugaring for pre-release hints ([#​19267](astral-sh/uv#19267)) - Fix file locks on Android ([#​18323](astral-sh/uv#18323)) ##### Preview - `uv audit` add reporting for adverse project statuses ([#​19128](astral-sh/uv#19128)) ##### Bug fixes - Discover versioned Python executables when `requires-python` pins a version ([#​18700](astral-sh/uv#18700)) - Fix URL prefix matching to require path boundaries ([#​19154](astral-sh/uv#19154)) - Fix transitive Git path dependencies in lockfiles ([#​19269](astral-sh/uv#19269)) - Handle incorrect unlock error in `LockedFile::drop` on Wine ([#​19229](astral-sh/uv#19229)) - Prevent uninstalling site-packages for empty `top_level.txt` in `.egg-info` ([#​19114](astral-sh/uv#19114)) - Use symlinks instead of junctions on Wine ([#​19213](astral-sh/uv#19213)) - Fix floating-point environment handling on ARMv7 ([#​19157](astral-sh/uv#19157)) - Redact credentials from remote requirements URL in offline errors ([#​19216](astral-sh/uv#19216)) - Windows tramplolines no longer set `PYTHONHOME` and only set `__PYVENV_LAUNCHER__` for virtual environments ([#​19199](astral-sh/uv#19199)) ##### Documentation - Mark `--native-tls` and `UV_NATIVE_TLS` as deprecated ([#​18705](astral-sh/uv#18705)) - Re-add `pytorch-triton-rocm` to PyTorch ROCm docs ([#​19241](astral-sh/uv#19241)) - Tweak changelog entries for 0.11.8 ([#​19188](astral-sh/uv#19188)) - Add 'Exporting lockfiles' to the Concepts->Projects index ([#​19209](astral-sh/uv#19209)) - Clarify that `uv init` creates git files / folders in the projects guide ([#​19183](astral-sh/uv#19183)) ### [`v0.11.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0118) [Compare Source](astral-sh/uv@0.11.7...0.11.8) Released on 2026-04-27. ##### Enhancements - Add `--python-downloads-json-url` to `python pin` ([#​19092](astral-sh/uv#19092)) - Fetch uv from Astral mirror during self-update ([#​18682](astral-sh/uv#18682)) - Support `pip uninstall -y` ([#​19082](astral-sh/uv#19082)) - Allow `exclude-newer` to be missing from the lockfile when `exclude-newer-span` is present ([#​19024](astral-sh/uv#19024)) - Only show the version number in `uv self version --short` ([#​19019](astral-sh/uv#19019)) - Silence warnings on empty `SSL_CERT_DIR` directory ([#​19018](astral-sh/uv#19018)) - Use a sentinel timestamp for relative `exclude-newer` and `exclude-newer-package` values in lockfiles ([#​19022](astral-sh/uv#19022), [#​19101](astral-sh/uv#19101)) ##### Configuration - Add `UV_PYTHON_NO_REGISTRY` ([#​19035](astral-sh/uv#19035)) - Add an environment variable for `UV_NO_PROJECT` ([#​19052](astral-sh/uv#19052)) - Expose `UV_PYTHON_SEARCH_PATH` for Python discovery `PATH` overrides ([#​19034](astral-sh/uv#19034)) ##### Bug fixes - Add `rust-toolchain.toml` to uv-build sdist ([#​19131](astral-sh/uv#19131)) - Ensure uv invocations of git do not inherit repository location environment variables ([#​19088](astral-sh/uv#19088)) - Redact pre-signed upload URLs in verbose output ([#​19146](astral-sh/uv#19146)) - Handle transitive URL dependencies in PEP 517 build requirements ([#​19076](astral-sh/uv#19076), [#​19086](astral-sh/uv#19086)) - Support `uv lock` on a `pyproject.toml` that only contains dependency-groups ([#​19087](astral-sh/uv#19087)) - Disable transparent Python upgrades in projects when a patch version is requested via `.python-version` ([#​19102](astral-sh/uv#19102)) - Fix Python variant tagging in the Windows registry ([#​19012](astral-sh/uv#19012)) - Ban external symlinks in `.tar.zst` wheels ([#​19144](astral-sh/uv#19144)) ##### Distributions - Remove deprecated license classifiers from uv-build and add Python 3.14 classifier ([#​19130](astral-sh/uv#19130)) ##### Documentation - Bump astral-sh/setup-uv version in docs ([#​19030](astral-sh/uv#19030)) - Update PyTorch documentation for PyTorch 2.11 ([#​19095](astral-sh/uv#19095)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjguNSIsInVwZGF0ZWRJblZlciI6IjQzLjE2OC41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6cGF0Y2giXX0=-->
vatsrahul1001
pushed a commit
to apache/airflow
that referenced
this pull request
May 20, 2026
Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder. (cherry picked from commit dbfc27d)
bugraoz93
added a commit
to apache/airflow
that referenced
this pull request
May 26, 2026
* [airflow-ctl-v0-1-test] Allow remote version check without authentication (#65099) (#65904) * fix(cli): allow remote version check without local config file * fix(cli): introduce NO_AUTH client * test(cli): add unit test for no-auth commands (cherry picked from commit 80cefde) Co-authored-by: rjgoyln <151457491+rjgoyln@users.noreply.github.com> * [airflow-ctl-v0-1-test] use existing safe_load function in airflowctl utils to load help texts (#65841) (#65903) (cherry picked from commit ad213e0) Co-authored-by: Justin Pakzad <114518232+justinpakzad@users.noreply.github.com> * [airflow-ctl-v0-1-test] airflowctl: Send backfill create and dry-run payloads as JSON (#65158) (#65937) (cherry picked from commit ec8977c) Co-authored-by: Henry Chen <henryhenry0512@gmail.com> * Bump uv floor to 0.11.8, override cooldown for uv (#66042) (#66057) Pins `[tool.uv] required-version` (and the matching marker-tagged constants in breeze) to 0.11.8 across the root and the three workspace members that carried their own (stale) floor (`airflow-core`, `airflow-ctl`, `dev/mypy` — all previously `>=0.6.3`). The bump picks up the timestamp-elision fix from astral-sh/uv#19022 (closes astral-sh/uv#18708 — relative `exclude-newer` no longer writes a churning timestamp into uv.lock that two branches collide on). Drops uv's per-package cooldown to "12 hours" in both [tool.uv.exclude-newer-package] and [tool.uv.pip.exclude-newer-package]; without the override the project-wide 4-day window blocks a freshly-released uv from being adopted as the floor. The override is flagged "REMOVE BY 2026-05-01" — once 0.11.8 is older than the global 4-day cooldown the override is redundant. Bumps AIRFLOW_UV_VERSION across Dockerfiles, breeze constants, and the image-args doc to match. The `# sync-uv-min-version`-tagged test fixtures were auto-rewritten by the prek hook of the same name. uv.lock confirms the upstream fix is engaged: `exclude-newer` reads as the no-op `0001-01-01T00:00:00Z` placeholder. (cherry picked from commit dbfc27d) * [airflow-ctl-v0-1-test] Align Dag capitalization from "DAG" to "Dag" for airflow-ctl/ (#66112) (#66217) Backport of #66112. Conflicts resolved by keeping v0-1-test base for unrelated divergences (only_new field, validate_model, is_backfillable property, DAGRunCollectionResponse multi-line docstring) and applying only the DAG -> Dag description-text changes — feature-related lines absent in v0-1-test were not introduced. Co-authored-by: hojeong park <parkhj062@gmail.com> * [airflow-ctl/v0-1-test] Increment version of airflowctl for RC (#67295) (#67384) * Increment version of airflowctl for RC * Change airflow-core usage for ctl * Change airflow-core usage for ctl and amend installation in docker * Prepare airflowctl for tests in CI * Amend install airflow and provider to cover airflowctl (cherry picked from commit 336a119) * [airflow-ctl/v0-1-test] airflowctl: make required CLI params positional, keep optional as --flag (#66768) (#67387) * airflowctl: make required CLI params positional, keep optional as --flag Auto-generated commands such as ``airflowctl dags get-details`` now accept required primitive parameters positionally: airflowctl dags get-details my_dag_id instead of the previous ``--dag-id my_dag_id`` form. Optional parameters and booleans keep the ``--flag`` form. This follows the dev-list lazy consensus on airflowctl parameter style. A parameter is considered required when the operation method declares it without a default and without ``| None`` in its annotation. Datamodel- expanded body fields are unaffected — they are not "parameters of the operation method" in this sense and continue to use ``--flag``. * tests: tmp_path fixture for command-factory; positional form for integration tests Two follow-ups to the positional-required-args change: - ``TestCommandFactory._save_temp_operations_py`` previously wrote a shared ``test_command.py`` in cwd; under pytest-xdist that file is raced by workers, so ``next(arg for arg in jobs_list_args if ...)`` in one test could see content written by another and raise ``StopIteration``. Helper now takes the per-test ``tmp_path`` and returns the full path. The classmethod ``teardown_method`` that removed the shared file is no longer needed (pytest auto-cleans ``tmp_path``). - The Airflow CTL PROD-image integration tests still invoked converted parameters with the old ``--flag value`` form (e.g. ``--variable-key=X``, ``--section X --option Y``, ``--dag-id=example_bash_operator``). Updated each occurrence to the positional form that the regenerated CLI now expects. Optional parameters (``--logical-date``, ``--run-after``, ``--is-paused``, ``--state``, ``--limit``, etc.) stay as ``--flag``. --------- (cherry picked from commit ffa426b) Signed-off-by: 1fanwang <1fannnw@gmail.com> Co-authored-by: Stefan Wang <1fannnw@gmail.com> * [airflow-ctl/v0-1-test] Add dags next execution command #66172 (#66188) (#67386) * Add airflowctl dags next-execution command #66172 * Add generated OpenAPI spec and UI types * Revert "Add generated OpenAPI spec and UI types" This reverts commit 6748ed8. * Update help text Dag definition --------- (cherry picked from commit 16ad479) Co-authored-by: Haseeb Malik <118837269+haseebmalik18@users.noreply.github.com> * Sync main to backport branch for airflowctl (#67559) * [airflow-ctl/v0-1-test] Add airflowctl 0.1.5 release notes (#67562) (#67576) * Add airflowctl 0.1.5 release notes * Add double backticks * Apply suggestions from code review * Amend release notes without backports and duplicates, add misc as commented visibility --------- (cherry picked from commit 1a1c145) Co-authored-by: Jens Scheffler <95105677+jscheffl@users.noreply.github.com> --------- Signed-off-by: 1fanwang <1fannnw@gmail.com> Co-authored-by: rjgoyln <151457491+rjgoyln@users.noreply.github.com> Co-authored-by: Justin Pakzad <114518232+justinpakzad@users.noreply.github.com> Co-authored-by: Henry Chen <henryhenry0512@gmail.com> Co-authored-by: Jarek Potiuk <jarek@potiuk.com> Co-authored-by: Yeonguk Choo <choo121600@gmail.com> Co-authored-by: hojeong park <parkhj062@gmail.com> Co-authored-by: Stefan Wang <1fannnw@gmail.com> Co-authored-by: Haseeb Malik <118837269+haseebmalik18@users.noreply.github.com> Co-authored-by: Jens Scheffler <95105677+jscheffl@users.noreply.github.com>
1 task
hbjydev
pushed a commit
to hbjydev/phoebe
that referenced
this pull request
May 29, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | minor | `0.10.9` → `0.11.17` | --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.11.17`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01117) [Compare Source](astral-sh/uv@0.11.16...0.11.17) Released on 2026-05-28. ##### Enhancements - Add a diagnostic for `uv add` with standard library modules ([#​19572](astral-sh/uv#19572)) - Expose `uv workspace` and its `list` subcommand in help output ([#​19533](astral-sh/uv#19533)) - Improve the "403 forbidden" hint to suggest `ignore-error-codes` when applicable ([#​19521](astral-sh/uv#19521)) - Skip direct URL lock freshness checks while offline ([#​19596](astral-sh/uv#19596)) - Add `import-names` and `import-namespaces` support to `uv-build` ([PEP 794](https://peps.python.org/pep-0794/)) ([#​19380](astral-sh/uv#19380)) - Add a `--no-editable-package` flag to various commands ([#​19584](astral-sh/uv#19584)) - Infer Python version requests from source trees in `uv tool` invocations ([#​19577](astral-sh/uv#19577)) ##### Preview features - Add module owners to `uv workspace metadata` ([#​19122](astral-sh/uv#19122)) - Do not allow `uv venv --clear` to remove non-virtual environments ([#​19595](astral-sh/uv#19595)) ##### Bug fixes - Improve the performance of large entries in `tool.uv.conflicts` ([#​19538](astral-sh/uv#19538)) - Avoid modifying the parent process' env with `--env-file` in `uv run` ([#​19567](astral-sh/uv#19567)) - Fix script environment creation for scripts with long filenames ([#​19539](astral-sh/uv#19539)) - Fix transitive Git archive dependencies in lockfiles ([#​19589](astral-sh/uv#19589)) - Preserve Git repository URLs in direct URL metadata ([#​19590](astral-sh/uv#19590)) - Support redirects in `--check-url` ([#​19594](astral-sh/uv#19594)) - Accept case-insensitive HTML tags in `--find-links` parsing ([#​19537](astral-sh/uv#19537)) - Reject duplicate script metadata blocks ([#​19544](astral-sh/uv#19544)) - Ban names like "python3" as script entry points ([#​19535](astral-sh/uv#19535), [#​19536](astral-sh/uv#19536)) - Validate Git LFS artifacts for Git archives ([#​19592](astral-sh/uv#19592)) - Use a relative path when creating symlinks in cache to improve relocatability ([#​19033](astral-sh/uv#19033)) ##### Documentation - Fix malformed positional anchors in the CLI reference ([#​19575](astral-sh/uv#19575)) ### [`v0.11.16`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01116) [Compare Source](astral-sh/uv@0.11.15...0.11.16) Released on 2026-05-21. ##### Enhancements - Add support for direct archive dependencies in Git ([#​10072](astral-sh/uv#10072)) - Adjust hint rendering ([#​18090](astral-sh/uv#18090)) ##### Preview features - uv audit: specialize malformed OSV error ([#​19515](astral-sh/uv#19515)) - Reject locked malware installations ([#​18936](astral-sh/uv#18936)) ##### Configuration - Allow disabling reading the system config with `UV_NO_SYSTEM_CONFIG` ([#​19476](astral-sh/uv#19476)) ##### Bug fixes - Allow environment variables that take a list to be empty ([#​19503](astral-sh/uv#19503)) - Ensure that incompatible wheel hints do not leak secrets ([#​19504](astral-sh/uv#19504)) - Reject unsafe entry points in `uv-build` ([#​19495](astral-sh/uv#19495)) - Restrict delimiters in entry point parsing ([#​19471](astral-sh/uv#19471)) - uv-netrc: fix multi-word no-space comment lines causing parse errors ([#​19494](astral-sh/uv#19494)) ##### Documentation - Document and test relative exclude-newer support for uv pip ([#​19475](astral-sh/uv#19475)) ### [`v0.11.15`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01115) [Compare Source](astral-sh/uv@0.11.14...0.11.15) Released on 2026-05-18. ##### Security - Fix a TAR parser differential, see [GHSA-3cv2-h65g-fgmm](GHSA-3cv2-h65g-fgmm) ([#​19463](astral-sh/uv#19463)) - Enforce that entry points cannot escape in the scripts directory, see [GHSA-4gg8-gxpx-9rph](GHSA-4gg8-gxpx-9rph) ([#​19464](astral-sh/uv#19464)) ##### Enhancements - Add TOML v1.1 -> v1.0 backwards compatibility for source distributions ([#​18741](astral-sh/uv#18741)) - Add support for Azure request signing ([#​19421](astral-sh/uv#19421)) - Apply stricter validation to all wheel filename segments ([#​19364](astral-sh/uv#19364)) - Reject empty strings as an invalid package name ([#​19435](astral-sh/uv#19435)) - Use structured errors for signing authentication failures ([#​19422](astral-sh/uv#19422)) ##### Preview - uv audit: Add JSON output ([#​19305](astral-sh/uv#19305)) ##### Configuration - Respect `required-environments` in `uv pip compile` ([#​19378](astral-sh/uv#19378)) ##### Performance - Avoid parsing JSON manifest when local Python is available ([#​19398](astral-sh/uv#19398)) - Avoid walking nested directories in linker conflict registration ([#​19382](astral-sh/uv#19382)) - Optimize async wheel ZIP writing ([#​19383](astral-sh/uv#19383)) - Fix dead "already trimmed" fast-path in `Version::only_release_trimmed` ([#​19425](astral-sh/uv#19425)) ##### Bug fixes - Apply workspace-member `[tool.uv.sources]` credentials under `uv sync --frozen` ([#​19423](astral-sh/uv#19423)) - Skip empty directories in uv build outputs ([#​19437](astral-sh/uv#19437)) - Fix Git submodule handling when using relative paths ([#​12156](astral-sh/uv#12156)) - Fix line number reporting in netrc parsing ([#​19452](astral-sh/uv#19452)) ##### Documentation - Move Bazel auth helper setup into integration guide ([#​19392](astral-sh/uv#19392)) ### [`v0.11.14`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01114) [Compare Source](astral-sh/uv@0.11.13...0.11.14) Released on 2026-05-12. ##### Enhancements - Add Astral mirror URL override ([#​19206](astral-sh/uv#19206)) - Ignore `top_level.txt` entries in uninstall that are not valid Python identifiers ([#​19340](astral-sh/uv#19340)) ##### Bug fixes - Avoid applying `.env` files in parent process ([#​19343](astral-sh/uv#19343)) - Filter ANSI codes in logging output ([#​19311](astral-sh/uv#19311)) - Fix `uv tree` showing extra-conditional deps for packages required without extras ([#​19332](astral-sh/uv#19332)) - Respect build options (e.g., `--no-build`) during lock validation ([#​19366](astral-sh/uv#19366)) ### [`v0.11.13`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01113) [Compare Source](astral-sh/uv@0.11.12...0.11.13) Released on 2026-05-10. ##### Bug fixes - Include data files in editable builds ([#​19312](astral-sh/uv#19312)) - Respect `--require-hashes` when installing from `pylock.toml` files ([#​19334](astral-sh/uv#19334)) ##### Python ##### Python - Add CPython 3.14.5 ### [`v0.11.12`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01112) [Compare Source](astral-sh/uv@0.11.11...0.11.12) Released on 2026-05-08. ##### Python - Add CPython 3.15.0b1 ##### Enhancements - Add `--no-editable` support to `uv pip install` ([#​19306](astral-sh/uv#19306)) - Require git refs in URLs to be percent-encoded ([#​19320](astral-sh/uv#19320)) ##### Bug fixes - Respect `--no-dev` over `UV_DEV=1` ([#​19313](astral-sh/uv#19313)) - Don't suggest non-existent `--no-frozen` flag ([#​19290](astral-sh/uv#19290)) ([#​19294](astral-sh/uv#19294)) ##### Documentation - Fix bug from inconsistent workflow name in GHA-PyPI guide example ([#​19309](astral-sh/uv#19309)) ### [`v0.11.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01111) [Compare Source](astral-sh/uv@0.11.10...0.11.11) Released on 2026-05-06. ##### Bug fixes - Accept legacy ID format from pre-0.11.9 cache entries ([#​19301](astral-sh/uv#19301)) ### [`v0.11.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01110) [Compare Source](astral-sh/uv@0.11.9...0.11.10) Released on 2026-05-05. ##### Bug fixes - Allow pre-release Python requests with non-zero patch versions ([#​19286](astral-sh/uv#19286)) ### [`v0.11.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0119) [Compare Source](astral-sh/uv@0.11.8...0.11.9) Released on 2026-05-04. This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored. We would greatly appreciate if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team. For more context, see the [announcement](https://discuss.python.org/t/reverting-the-incremental-gc-in-python-3-14-and-3-15/107014), [issue](python/cpython#148726), and [pull request](python/cpython#148720). Issues with the new release can be reported in the uv or CPython issue trackers. ##### Python - Upgrade PyPy to v7.3.22 - Add CPython 3.14.5rc1 - On macOS, CPython statically links `libpython` to match Linux ##### Enhancements - Omit compatible release desugaring for pre-release hints ([#​19267](astral-sh/uv#19267)) - Fix file locks on Android ([#​18323](astral-sh/uv#18323)) ##### Preview - `uv audit` add reporting for adverse project statuses ([#​19128](astral-sh/uv#19128)) ##### Bug fixes - Discover versioned Python executables when `requires-python` pins a version ([#​18700](astral-sh/uv#18700)) - Fix URL prefix matching to require path boundaries ([#​19154](astral-sh/uv#19154)) - Fix transitive Git path dependencies in lockfiles ([#​19269](astral-sh/uv#19269)) - Handle incorrect unlock error in `LockedFile::drop` on Wine ([#​19229](astral-sh/uv#19229)) - Prevent uninstalling site-packages for empty `top_level.txt` in `.egg-info` ([#​19114](astral-sh/uv#19114)) - Use symlinks instead of junctions on Wine ([#​19213](astral-sh/uv#19213)) - Fix floating-point environment handling on ARMv7 ([#​19157](astral-sh/uv#19157)) - Redact credentials from remote requirements URL in offline errors ([#​19216](astral-sh/uv#19216)) - Windows tramplolines no longer set `PYTHONHOME` and only set `__PYVENV_LAUNCHER__` for virtual environments ([#​19199](astral-sh/uv#19199)) ##### Documentation - Mark `--native-tls` and `UV_NATIVE_TLS` as deprecated ([#​18705](astral-sh/uv#18705)) - Re-add `pytorch-triton-rocm` to PyTorch ROCm docs ([#​19241](astral-sh/uv#19241)) - Tweak changelog entries for 0.11.8 ([#​19188](astral-sh/uv#19188)) - Add 'Exporting lockfiles' to the Concepts->Projects index ([#​19209](astral-sh/uv#19209)) - Clarify that `uv init` creates git files / folders in the projects guide ([#​19183](astral-sh/uv#19183)) ### [`v0.11.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0118) [Compare Source](astral-sh/uv@0.11.7...0.11.8) Released on 2026-04-27. ##### Enhancements - Add `--python-downloads-json-url` to `python pin` ([#​19092](astral-sh/uv#19092)) - Fetch uv from Astral mirror during self-update ([#​18682](astral-sh/uv#18682)) - Support `pip uninstall -y` ([#​19082](astral-sh/uv#19082)) - Allow `exclude-newer` to be missing from the lockfile when `exclude-newer-span` is present ([#​19024](astral-sh/uv#19024)) - Only show the version number in `uv self version --short` ([#​19019](astral-sh/uv#19019)) - Silence warnings on empty `SSL_CERT_DIR` directory ([#​19018](astral-sh/uv#19018)) - Use a sentinel timestamp for relative `exclude-newer` and `exclude-newer-package` values in lockfiles ([#​19022](astral-sh/uv#19022), [#​19101](astral-sh/uv#19101)) ##### Configuration - Add `UV_PYTHON_NO_REGISTRY` ([#​19035](astral-sh/uv#19035)) - Add an environment variable for `UV_NO_PROJECT` ([#​19052](astral-sh/uv#19052)) - Expose `UV_PYTHON_SEARCH_PATH` for Python discovery `PATH` overrides ([#​19034](astral-sh/uv#19034)) ##### Bug fixes - Add `rust-toolchain.toml` to uv-build sdist ([#​19131](astral-sh/uv#19131)) - Ensure uv invocations of git do not inherit repository location environment variables ([#​19088](astral-sh/uv#19088)) - Redact pre-signed upload URLs in verbose output ([#​19146](astral-sh/uv#19146)) - Handle transitive URL dependencies in PEP 517 build requirements ([#​19076](astral-sh/uv#19076), [#​19086](astral-sh/uv#19086)) - Support `uv lock` on a `pyproject.toml` that only contains dependency-groups ([#​19087](astral-sh/uv#19087)) - Disable transparent Python upgrades in projects when a patch version is requested via `.python-version` ([#​19102](astral-sh/uv#19102)) - Fix Python variant tagging in the Windows registry ([#​19012](astral-sh/uv#19012)) - Ban external symlinks in `.tar.zst` wheels ([#​19144](astral-sh/uv#19144)) ##### Distributions - Remove deprecated license classifiers from uv-build and add Python 3.14 classifier ([#​19130](astral-sh/uv#19130)) ##### Documentation - Bump astral-sh/setup-uv version in docs ([#​19030](astral-sh/uv#19030)) - Update PyTorch documentation for PyTorch 2.11 ([#​19095](astral-sh/uv#19095)) ### [`v0.11.7`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0117) [Compare Source](astral-sh/uv@0.11.6...0.11.7) Released on 2026-04-15. ##### Python - Upgrade CPython build to [`2026041`](astral-sh/uv@20260414) including an OpenSSL security upgrade ([#​19004](astral-sh/uv#19004)) ##### Enhancements - Elevate configuration errors to `required-version` mismatches ([#​18977](astral-sh/uv#18977)) - Further improve TLS certificate validation messages ([#​18933](astral-sh/uv#18933)) - Improve `--exclude-newer` hints ([#​18952](astral-sh/uv#18952)) ##### Preview features - Fix `--script` handling in `uv audit` ([#​18970](astral-sh/uv#18970)) - Fix traversal of extras in `uv audit` ([#​18970](astral-sh/uv#18970)) ##### Bug fixes - De-quote `workspace metadata` in linehaul data ([#​18966](astral-sh/uv#18966)) - Avoid installing tool workspace member dependencies as editable ([#​18891](astral-sh/uv#18891)) - Emit JSON report for `uv sync --check` failures ([#​18976](astral-sh/uv#18976)) - Filter and warn on invalid TLS certificates ([#​18951](astral-sh/uv#18951)) - Fix equality comparisons for version specifiers with `~=` operators ([#​18960](astral-sh/uv#18960)) - Fix stale Python upgrade preview feature check in project environment construction ([#​18961](astral-sh/uv#18961)) - Improve Windows path normalization ([#​18945](astral-sh/uv#18945)) ### [`v0.11.6`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0116) [Compare Source](astral-sh/uv@0.11.5...0.11.6) Released on 2026-04-09. This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See [GHSA-pjjw-68hj-v9mw](GHSA-pjjw-68hj-v9mw) for details. ##### Bug fixes - Do not remove files outside the venv on uninstall ([#​18942](astral-sh/uv#18942)) - Validate and heal wheel `RECORD` during installation ([#​18943](astral-sh/uv#18943)) - Avoid `uv cache clean` errors due to Win32 path normalization ([#​18856](astral-sh/uv#18856)) ### [`v0.11.5`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0115) [Compare Source](astral-sh/uv@0.11.4...0.11.5) Released on 2026-04-08. ##### Python - Add CPython 3.13.13, 3.14.4, and 3.15.0a8 ([#​18908](astral-sh/uv#18908)) ##### Enhancements - Fix `build_system.requires` error message ([#​18911](astral-sh/uv#18911)) - Remove trailing path separators in path normalization ([#​18915](astral-sh/uv#18915)) - Improve error messages for unsupported or invalid TLS certificates ([#​18924](astral-sh/uv#18924)) ##### Preview features - Add `exclude-newer` to `[[tool.uv.index]]` ([#​18839](astral-sh/uv#18839)) - `uv audit`: add context/warnings for ignored vulnerabilities ([#​18905](astral-sh/uv#18905)) ##### Bug fixes - Normalize persisted fork markers before lock equality checks ([#​18612](astral-sh/uv#18612)) - Clear junction properly when uninstalling Python versions on Windows ([#​18815](astral-sh/uv#18815)) - Report error cleanly instead of panicking on TLS certificate error ([#​18904](astral-sh/uv#18904)) ##### Documentation - Remove the legacy `PIP_COMPATIBILITY.md` redirect file ([#​18928](astral-sh/uv#18928)) - Fix `uv init example-bare --bare` examples ([#​18822](astral-sh/uv#18822), [#​18925](astral-sh/uv#18925)) ### [`v0.11.4`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0114) [Compare Source](astral-sh/uv@0.11.3...0.11.4) Released on 2026-04-07. ##### Enhancements - Add support for `--upgrade-group` ([#​18266](astral-sh/uv#18266)) - Merge repeated archive URL hashes by version ID ([#​18841](astral-sh/uv#18841)) - Require all direct URL hash algorithms to match ([#​18842](astral-sh/uv#18842)) ##### Bug fixes - Avoid panics in environment finding via cycle detection ([#​18828](astral-sh/uv#18828)) - Enforce direct URL hashes for `pyproject.toml` dependencies ([#​18786](astral-sh/uv#18786)) - Error on `--locked` and `--frozen` when script lockfile is missing ([#​18832](astral-sh/uv#18832)) - Fix `uv export` extra resolution for workspace member and conflicting extras ([#​18888](astral-sh/uv#18888)) - Include conflicts defined in virtual workspace root ([#​18886](astral-sh/uv#18886)) - Recompute relative `exclude-newer` values during `uv tree --outdated` ([#​18899](astral-sh/uv#18899)) - Respect `--exclude-newer` in `uv tool list --outdated` ([#​18861](astral-sh/uv#18861)) - Sort by comparator to break specifier ties ([#​18850](astral-sh/uv#18850)) - Store relative timestamps in tool receipts ([#​18901](astral-sh/uv#18901)) - Track newly-activated extras when determining conflicts ([#​18852](astral-sh/uv#18852)) - Patch `Cargo.lock` in `uv-build` source distributions ([#​18831](astral-sh/uv#18831)) ##### Documentation - Clarify that `--exclude-newer` compares artifact upload times ([#​18830](astral-sh/uv#18830)) ### [`v0.11.3`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0113) [Compare Source](astral-sh/uv@0.11.2...0.11.3) Released on 2026-04-01. ##### Enhancements - Add progress bar for hashing phase in uv publish ([#​18752](astral-sh/uv#18752)) - Add support for ROCm 7.2 ([#​18730](astral-sh/uv#18730)) - Emit abi3t tags for every abi3 version ([#​18777](astral-sh/uv#18777)) - Expand `uv workspace metadata` with dependency information from the lock ([#​18356](astral-sh/uv#18356)) - Implement support for PEP 803 ([#​18767](astral-sh/uv#18767)) - Pretty-print platform in built wheel errors ([#​18738](astral-sh/uv#18738)) - Publish installers to `/installers/uv/latest` on the mirror ([#​18725](astral-sh/uv#18725)) - Show free-threaded Python in built-wheel errors ([#​18740](astral-sh/uv#18740)) ##### Preview features - Add `--ignore` and `--ignore-until-fixed` to `uv audit` ([#​18737](astral-sh/uv#18737)) ##### Bug fixes - Bump simple API cache ([#​18797](astral-sh/uv#18797)) - Don't drop `blake2b` hashes ([#​18794](astral-sh/uv#18794)) - Handle broken range request implementations ([#​18780](astral-sh/uv#18780)) - Remove `powerpc64-unknown-linux-gnu` from release build targets ([#​18800](astral-sh/uv#18800)) - Respect dependency metadata overrides in `uv pip check` ([#​18742](astral-sh/uv#18742)) - Support debug CPython ABI tags in environment compatibility ([#​18739](astral-sh/uv#18739)) ##### Documentation - Document `false` opt-out for `exclude-newer-package` ([#​18768](astral-sh/uv#18768), [#​18803](astral-sh/uv#18803)) ### [`v0.11.2`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0112) [Compare Source](astral-sh/uv@0.11.1...0.11.2) Released on 2026-03-26. ##### Enhancements - Add a dedicated Windows PE editing error ([#​18710](astral-sh/uv#18710)) - Make `uv self update` fetch the manifest from the mirror first ([#​18679](astral-sh/uv#18679)) - Use uv reqwest client for self update ([#​17982](astral-sh/uv#17982)) - Show `uv self update` success and failure messages with `--quiet` ([#​18645](astral-sh/uv#18645)) ##### Preview features - Evaluate extras and groups when determining auditable packages ([#​18511](astral-sh/uv#18511)) ##### Bug fixes - Skip redundant project configuration parsing for `uv run` ([#​17890](astral-sh/uv#17890)) ### [`v0.11.1`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01116) [Compare Source](astral-sh/uv@0.11.0...0.11.1) Released on 2026-05-21. ##### Enhancements - Add support for direct archive dependencies in Git ([#​10072](astral-sh/uv#10072)) - Adjust hint rendering ([#​18090](astral-sh/uv#18090)) ##### Preview features - uv audit: specialize malformed OSV error ([#​19515](astral-sh/uv#19515)) - Reject locked malware installations ([#​18936](astral-sh/uv#18936)) ##### Configuration - Allow disabling reading the system config with `UV_NO_SYSTEM_CONFIG` ([#​19476](astral-sh/uv#19476)) ##### Bug fixes - Allow environment variables that take a list to be empty ([#​19503](astral-sh/uv#19503)) - Ensure that incompatible wheel hints do not leak secrets ([#​19504](astral-sh/uv#19504)) - Reject unsafe entry points in `uv-build` ([#​19495](astral-sh/uv#19495)) - Restrict delimiters in entry point parsing ([#​19471](astral-sh/uv#19471)) - uv-netrc: fix multi-word no-space comment lines causing parse errors ([#​19494](astral-sh/uv#19494)) ##### Documentation - Document and test relative exclude-newer support for uv pip ([#​19475](astral-sh/uv#19475)) ### [`v0.11.0`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0110) [Compare Source](astral-sh/uv@0.10.12...0.11.0) Released on 2026-03-23. ##### Breaking changes This release includes changes to the networking stack used by uv. While we think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so we have marked the change as breaking out of an abundance of caution. The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to [v0.13](https://seanmonstar.com/blog/reqwest-v013-rustls-default/) which included some breaking changes to TLS certificate verification. The following changes are included: - [`rustls-platform-verifier`](https://github.com/rustls/rustls-platform-verifier) is used instead of [`rustls-native-certs`](https://github.com/rustls/rustls-native-certs) and [`webpki`](https://github.com/rustls/webpki) for certificate verification **This change should have no effect unless you are using the `native-tls` option to enable reading system certificates.** `rustls-platform-verifier` delegates to the system for certificate validation (e.g., `Security.framework` on macOS) instead of eagerly loading certificates from the system and verifying them via `webpki`. The effects of this change will vary based on the operating system. In general, uv's certificate validation should now be more consistent with browsers and other native applications. However, this is the most likely cause of breaking changes in this release. Some previously failing certificate chains may succeed, and some previously accepted certificate chains may fail. In either case, we expect the validation to be more correct and welcome reports of regressions. In particular, because more responsibility for validating the certificate is transferred to your system's security library, some features like [CA constraints](https://support.apple.com/en-us/103255) or [revocation of certificates](https://en.wikipedia.org/wiki/Certificate_revocation) via OCSP and CRLs may now be used. This change should improve performance when using system certificate on macOS, as uv no longer needs to load all certificates from the keychain at startup. - [`aws-lc`](https://github.com/aws/aws-lc) is used instead of `ring` for a cryptography backend There should not be breaking changes from this change. We expect this to expand support for certificate signature algorithms. - `--native-tls` is deprecated in favor of a new `--system-certs` flag The `--native-tls` flag is still usable and has identical behavior to `--system-certs.` This change was made to reduce confusion about the TLS implementation uv uses. uv always uses `rustls` not `native-tls`. - Building uv on x86-64 and i686 Windows requires NASM NASM is required by `aws-lc`. If not found on the system, a prebuilt blob provided by `aws-lc-sys` will be used. If you are not building uv from source, this change has no effect. See the [CONTRIBUTING](https://github.com/astral-sh/uv/blob/b6854d77bfd0cb78157fecaf8b30126c6f16bc11/CONTRIBUTING.md#setup) guide for details. - Empty `SSL_CERT_FILE` values are ignored (for consistency with `SSL_CERT_DIR`) See [#​18550](astral-sh/uv#18550) for details. ##### Python - Enable frame pointers for improved profiling on Linux x86-64 and aarch64 See the [python-build-standalone release notes](https://github.com/astral-sh/python-build-standalone/releases/20260320) for details. ##### Enhancements - Treat 'Dynamic' values as case-insensitive ([#​18669](astral-sh/uv#18669)) - Use a dedicated error for invalid cache control headers ([#​18657](astral-sh/uv#18657)) - Enable checksum verification in the generated installer script ([#​18625](astral-sh/uv#18625)) ##### Preview features - Add `--service-format` and `--service-url` to `uv audit` ([#​18571](astral-sh/uv#18571)) ##### Performance - Avoid holding flat index lock across indexes ([#​18659](astral-sh/uv#18659)) ##### Bug fixes - Find the dynamic linker on the file system when sniffing binaries fails ([#​18457](astral-sh/uv#18457)) - Fix export of conflicting workspace members with dependencies ([#​18666](astral-sh/uv#18666)) - Respect installed settings in `uv tool list --outdated` ([#​18586](astral-sh/uv#18586)) - Treat paths originating as PEP 508 URLs which contain expanded variables as relative ([#​18680](astral-sh/uv#18680)) - Fix `uv export` for workspace member packages with conflicts ([#​18635](astral-sh/uv#18635)) - Continue to alternative authentication providers when the pyx store has no token ([#​18425](astral-sh/uv#18425)) - Use redacted URLs for log messages in cached client ([#​18599](astral-sh/uv#18599)) ##### Documentation - Add details on Linux versions to the platform policy ([#​18574](astral-sh/uv#18574)) - Clarify `FLASH_ATTENTION_SKIP_CUDA_BUILD` guidance for `flash-attn` installs ([#​18473](astral-sh/uv#18473)) - Split the dependency bots page into two separate pages ([#​18597](astral-sh/uv#18597)) - Split the alternative indexes page into separate pages ([#​18607](astral-sh/uv#18607)) ### [`v0.10.12`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01012) [Compare Source](astral-sh/uv@0.10.11...0.10.12) Released on 2026-03-19. ##### Python - Add pypy 3.11.15 ([#​18468](astral-sh/uv#18468)) - Add support for using Python 3.6 interpreters ([#​18454](astral-sh/uv#18454)) ##### Enhancements - Include uv's target triple in version report ([#​18520](astral-sh/uv#18520)) - Allow comma separated values in `--no-emit-package` ([#​18565](astral-sh/uv#18565)) ##### Preview features - Show `uv audit` in the CLI help ([#​18540](astral-sh/uv#18540)) ##### Bug fixes - Improve reporting of managed interpreter symlinks in `uv python list` ([#​18459](astral-sh/uv#18459)) - Preserve end-of-line comments on previous entries when removing dependencies ([#​18557](astral-sh/uv#18557)) - Treat abi3 wheel Python version as a lower bound ([#​18536](astral-sh/uv#18536)) - Detect hard-float support on aarch64 kernels running armv7 userspace ([#​18530](astral-sh/uv#18530)) ##### Documentation - Add Python 3.15 to supported versions ([#​18552](astral-sh/uv#18552)) - Adjust the PyPy note ([#​18548](astral-sh/uv#18548)) - Move Pyodide to Tier 2 in the Python support policy ([#​18561](astral-sh/uv#18561)) - Move Rust and Python version support out of the Platform support policy ([#​18535](astral-sh/uv#18535)) - Update Docker guide with changes from `uv-docker-example` ([#​18558](astral-sh/uv#18558)) - Update the Python version policy ([#​18559](astral-sh/uv#18559)) ### [`v0.10.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01011) [Compare Source](astral-sh/uv@0.10.10...0.10.11) Released on 2026-03-16. ##### Enhancements - Fetch Ruff release metadata from an Astral mirror ([#​18358](astral-sh/uv#18358)) - Use PEP 639 license metadata for uv itself ([#​16477](astral-sh/uv#16477)) ##### Performance - Improve distribution id performance ([#​18486](astral-sh/uv#18486)) ##### Bug fixes - Allow `--project` to refer to a `pyproject.toml` directly and reduce to a warning on other files ([#​18513](astral-sh/uv#18513)) - Disable `SYSTEM_VERSION_COMPAT` when querying interpreters on macOS ([#​18452](astral-sh/uv#18452)) - Enforce available distributions for supported environments ([#​18451](astral-sh/uv#18451)) - Fix `uv sync --active` recreating active environments when `UV_PYTHON_INSTALL_DIR` is relative ([#​18398](astral-sh/uv#18398)) ##### Documentation - Add missing `-o requirements.txt` in `uv pip compile` example ([#​12308](astral-sh/uv#12308)) - Link to organization security policy ([#​18449](astral-sh/uv#18449)) - Link to the AI policy in the contributing guide ([#​18448](astral-sh/uv#18448)) ### [`v0.10.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01010) [Compare Source](astral-sh/uv@0.10.9...0.10.10) Released on 2026-03-13. ##### Python - Add CPython 3.15.0a7 ([#​18403](astral-sh/uv#18403)) ##### Enhancements - Add `--outdated` flag to `uv tool list` ([#​18318](astral-sh/uv#18318)) - Add riscv64 musl target to build-release-binaries workflow ([#​18228](astral-sh/uv#18228)) - Fetch Ruff from an Astral mirror ([#​18286](astral-sh/uv#18286)) - Improve error handling for platform detection in Python downloads ([#​18453](astral-sh/uv#18453)) - Warn if `--project` directory does not exist ([#​17714](astral-sh/uv#17714)) - Warn when workspace member scripts are skipped due to missing build system ([#​18389](astral-sh/uv#18389)) - Update build backend versions used in `uv init` ([#​18417](astral-sh/uv#18417)) - Log explicit config file path in verbose output ([#​18353](astral-sh/uv#18353)) - Make `uv cache clear` an alias of `uv cache clean` ([#​18420](astral-sh/uv#18420)) - Reject invalid classifiers, warn on license classifiers in `uv_build` ([#​18419](astral-sh/uv#18419)) ##### Preview features - Add links to `uv audit` output ([#​18392](astral-sh/uv#18392)) - Output/report formatting for `uv audit` ([#​18193](astral-sh/uv#18193)) - Switch to batched OSV queries for `uv audit` ([#​18394](astral-sh/uv#18394)) ##### Bug fixes - Avoid sharing version metadata across indexes ([#​18373](astral-sh/uv#18373)) - Bump zlib-rs to 0.6.2 to fix panic on decompression of large wheels on Windows ([#​18362](astral-sh/uv#18362)) - Filter out unsupported environment wheels ([#​18445](astral-sh/uv#18445)) - Preserve absolute/relative paths in lockfiles ([#​18176](astral-sh/uv#18176)) - Recreate Python environments under `uv tool install --force` ([#​18399](astral-sh/uv#18399)) - Respect timestamp and other cache keys in cached environments ([#​18396](astral-sh/uv#18396)) - Simplify selected extra markers in `uv export` ([#​18433](astral-sh/uv#18433)) - Send pyx mint-token requests with a proper `Content-Type` ([#​18334](astral-sh/uv#18334)) - Fix Windows operating system and version reporting ([#​18383](astral-sh/uv#18383)) ##### Documentation - Update the platform support policy with a tier 3 section including freebsd and 32-bit windows ([#​18345](https://github.com/astral-sh/uv/pull/18345)) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/London) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZSIsInR5cGUvbWlub3IiXX0=--> Reviewed-on: https://forgejo.hayden.moe/hayden/phoebe/pulls/34
hbjydev
pushed a commit
to hbjydev/phoebe
that referenced
this pull request
Jun 10, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | minor | `0.10.9` → `0.11.19` | --- >⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/28) for more information. --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.11.19`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01119) [Compare Source](astral-sh/uv@0.11.18...0.11.19) Released on 2026-06-03. ##### Python - Add CPython 3.15.0b2 ([#​19531](astral-sh/uv#19531)) ##### Enhancements - Always compute SHA256 for remote distributions ([#​19662](astral-sh/uv#19662)) - Add PyEmscripten platform (PEP 783) ([#​19629](astral-sh/uv#19629)) - Add Pyodide 2025 target triple ([#​19653](astral-sh/uv#19653)) ##### Preview features - Make preview features for commands have names that aren't ambiguous with the command ([#​19645](astral-sh/uv#19645)) - Respect `--isolated` in `uv check` ([#​19666](astral-sh/uv#19666)) ##### Bug fixes - Continue tool uninstall after dangling receipts ([#​19623](astral-sh/uv#19623)) - Skip Unix-specific installation steps when cross-installing Windows Python distributions ([#​19424](astral-sh/uv#19424)) ### [`v0.11.18`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01118) [Compare Source](astral-sh/uv@0.11.17...0.11.18) Released on 2026-06-01. ##### Performance - Fix performance regression in unzip of local wheels ([#​19637](astral-sh/uv#19637)) ##### Preview - Add `uv check` to run `ty` from uv ([#​19605](astral-sh/uv#19605)) ##### Bug fixes - Update activation scripts with upstream fixes ([#​19628](astral-sh/uv#19628)) ##### Other changes - Bump MSRV to 1.94 ([#​19600](astral-sh/uv#19600)) ### [`v0.11.17`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01117) [Compare Source](astral-sh/uv@0.11.16...0.11.17) Released on 2026-05-28. ##### Enhancements - Add a diagnostic for `uv add` with standard library modules ([#​19572](astral-sh/uv#19572)) - Expose `uv workspace` and its `list` subcommand in help output ([#​19533](astral-sh/uv#19533)) - Improve the "403 forbidden" hint to suggest `ignore-error-codes` when applicable ([#​19521](astral-sh/uv#19521)) - Skip direct URL lock freshness checks while offline ([#​19596](astral-sh/uv#19596)) - Add `import-names` and `import-namespaces` support to `uv-build` ([PEP 794](https://peps.python.org/pep-0794/)) ([#​19380](astral-sh/uv#19380)) - Add a `--no-editable-package` flag to various commands ([#​19584](astral-sh/uv#19584)) - Infer Python version requests from source trees in `uv tool` invocations ([#​19577](astral-sh/uv#19577)) ##### Preview features - Add module owners to `uv workspace metadata` ([#​19122](astral-sh/uv#19122)) - Do not allow `uv venv --clear` to remove non-virtual environments ([#​19595](astral-sh/uv#19595)) ##### Bug fixes - Improve the performance of large entries in `tool.uv.conflicts` ([#​19538](astral-sh/uv#19538)) - Avoid modifying the parent process' env with `--env-file` in `uv run` ([#​19567](astral-sh/uv#19567)) - Fix script environment creation for scripts with long filenames ([#​19539](astral-sh/uv#19539)) - Fix transitive Git archive dependencies in lockfiles ([#​19589](astral-sh/uv#19589)) - Preserve Git repository URLs in direct URL metadata ([#​19590](astral-sh/uv#19590)) - Support redirects in `--check-url` ([#​19594](astral-sh/uv#19594)) - Accept case-insensitive HTML tags in `--find-links` parsing ([#​19537](astral-sh/uv#19537)) - Reject duplicate script metadata blocks ([#​19544](astral-sh/uv#19544)) - Ban names like "python3" as script entry points ([#​19535](astral-sh/uv#19535), [#​19536](astral-sh/uv#19536)) - Validate Git LFS artifacts for Git archives ([#​19592](astral-sh/uv#19592)) - Use a relative path when creating symlinks in cache to improve relocatability ([#​19033](astral-sh/uv#19033)) ##### Documentation - Fix malformed positional anchors in the CLI reference ([#​19575](astral-sh/uv#19575)) ### [`v0.11.16`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01116) [Compare Source](astral-sh/uv@0.11.15...0.11.16) Released on 2026-05-21. ##### Enhancements - Add support for direct archive dependencies in Git ([#​10072](astral-sh/uv#10072)) - Adjust hint rendering ([#​18090](astral-sh/uv#18090)) ##### Preview features - uv audit: specialize malformed OSV error ([#​19515](astral-sh/uv#19515)) - Reject locked malware installations ([#​18936](astral-sh/uv#18936)) ##### Configuration - Allow disabling reading the system config with `UV_NO_SYSTEM_CONFIG` ([#​19476](astral-sh/uv#19476)) ##### Bug fixes - Allow environment variables that take a list to be empty ([#​19503](astral-sh/uv#19503)) - Ensure that incompatible wheel hints do not leak secrets ([#​19504](astral-sh/uv#19504)) - Reject unsafe entry points in `uv-build` ([#​19495](astral-sh/uv#19495)) - Restrict delimiters in entry point parsing ([#​19471](astral-sh/uv#19471)) - uv-netrc: fix multi-word no-space comment lines causing parse errors ([#​19494](astral-sh/uv#19494)) ##### Documentation - Document and test relative exclude-newer support for uv pip ([#​19475](astral-sh/uv#19475)) ### [`v0.11.15`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01115) [Compare Source](astral-sh/uv@0.11.14...0.11.15) Released on 2026-05-18. ##### Security - Fix a TAR parser differential, see [GHSA-3cv2-h65g-fgmm](GHSA-3cv2-h65g-fgmm) ([#​19463](astral-sh/uv#19463)) - Enforce that entry points cannot escape in the scripts directory, see [GHSA-4gg8-gxpx-9rph](GHSA-4gg8-gxpx-9rph) ([#​19464](astral-sh/uv#19464)) ##### Enhancements - Add TOML v1.1 -> v1.0 backwards compatibility for source distributions ([#​18741](astral-sh/uv#18741)) - Add support for Azure request signing ([#​19421](astral-sh/uv#19421)) - Apply stricter validation to all wheel filename segments ([#​19364](astral-sh/uv#19364)) - Reject empty strings as an invalid package name ([#​19435](astral-sh/uv#19435)) - Use structured errors for signing authentication failures ([#​19422](astral-sh/uv#19422)) ##### Preview - uv audit: Add JSON output ([#​19305](astral-sh/uv#19305)) ##### Configuration - Respect `required-environments` in `uv pip compile` ([#​19378](astral-sh/uv#19378)) ##### Performance - Avoid parsing JSON manifest when local Python is available ([#​19398](astral-sh/uv#19398)) - Avoid walking nested directories in linker conflict registration ([#​19382](astral-sh/uv#19382)) - Optimize async wheel ZIP writing ([#​19383](astral-sh/uv#19383)) - Fix dead "already trimmed" fast-path in `Version::only_release_trimmed` ([#​19425](astral-sh/uv#19425)) ##### Bug fixes - Apply workspace-member `[tool.uv.sources]` credentials under `uv sync --frozen` ([#​19423](astral-sh/uv#19423)) - Skip empty directories in uv build outputs ([#​19437](astral-sh/uv#19437)) - Fix Git submodule handling when using relative paths ([#​12156](astral-sh/uv#12156)) - Fix line number reporting in netrc parsing ([#​19452](astral-sh/uv#19452)) ##### Documentation - Move Bazel auth helper setup into integration guide ([#​19392](astral-sh/uv#19392)) ### [`v0.11.14`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01114) [Compare Source](astral-sh/uv@0.11.13...0.11.14) Released on 2026-05-12. ##### Enhancements - Add Astral mirror URL override ([#​19206](astral-sh/uv#19206)) - Ignore `top_level.txt` entries in uninstall that are not valid Python identifiers ([#​19340](astral-sh/uv#19340)) ##### Bug fixes - Avoid applying `.env` files in parent process ([#​19343](astral-sh/uv#19343)) - Filter ANSI codes in logging output ([#​19311](astral-sh/uv#19311)) - Fix `uv tree` showing extra-conditional deps for packages required without extras ([#​19332](astral-sh/uv#19332)) - Respect build options (e.g., `--no-build`) during lock validation ([#​19366](astral-sh/uv#19366)) ### [`v0.11.13`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01113) [Compare Source](astral-sh/uv@0.11.12...0.11.13) Released on 2026-05-10. ##### Bug fixes - Include data files in editable builds ([#​19312](astral-sh/uv#19312)) - Respect `--require-hashes` when installing from `pylock.toml` files ([#​19334](astral-sh/uv#19334)) ##### Python ##### Python - Add CPython 3.14.5 ### [`v0.11.12`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01112) [Compare Source](astral-sh/uv@0.11.11...0.11.12) Released on 2026-05-08. ##### Python - Add CPython 3.15.0b1 ##### Enhancements - Add `--no-editable` support to `uv pip install` ([#​19306](astral-sh/uv#19306)) - Require git refs in URLs to be percent-encoded ([#​19320](astral-sh/uv#19320)) ##### Bug fixes - Respect `--no-dev` over `UV_DEV=1` ([#​19313](astral-sh/uv#19313)) - Don't suggest non-existent `--no-frozen` flag ([#​19290](astral-sh/uv#19290)) ([#​19294](astral-sh/uv#19294)) ##### Documentation - Fix bug from inconsistent workflow name in GHA-PyPI guide example ([#​19309](astral-sh/uv#19309)) ### [`v0.11.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01111) [Compare Source](astral-sh/uv@0.11.10...0.11.11) Released on 2026-05-06. ##### Bug fixes - Accept legacy ID format from pre-0.11.9 cache entries ([#​19301](astral-sh/uv#19301)) ### [`v0.11.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01110) [Compare Source](astral-sh/uv@0.11.9...0.11.10) Released on 2026-05-05. ##### Bug fixes - Allow pre-release Python requests with non-zero patch versions ([#​19286](astral-sh/uv#19286)) ### [`v0.11.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0119) [Compare Source](astral-sh/uv@0.11.8...0.11.9) Released on 2026-05-04. This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored. We would greatly appreciate if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team. For more context, see the [announcement](https://discuss.python.org/t/reverting-the-incremental-gc-in-python-3-14-and-3-15/107014), [issue](python/cpython#148726), and [pull request](python/cpython#148720). Issues with the new release can be reported in the uv or CPython issue trackers. ##### Python - Upgrade PyPy to v7.3.22 - Add CPython 3.14.5rc1 - On macOS, CPython statically links `libpython` to match Linux ##### Enhancements - Omit compatible release desugaring for pre-release hints ([#​19267](astral-sh/uv#19267)) - Fix file locks on Android ([#​18323](astral-sh/uv#18323)) ##### Preview - `uv audit` add reporting for adverse project statuses ([#​19128](astral-sh/uv#19128)) ##### Bug fixes - Discover versioned Python executables when `requires-python` pins a version ([#​18700](astral-sh/uv#18700)) - Fix URL prefix matching to require path boundaries ([#​19154](astral-sh/uv#19154)) - Fix transitive Git path dependencies in lockfiles ([#​19269](astral-sh/uv#19269)) - Handle incorrect unlock error in `LockedFile::drop` on Wine ([#​19229](astral-sh/uv#19229)) - Prevent uninstalling site-packages for empty `top_level.txt` in `.egg-info` ([#​19114](astral-sh/uv#19114)) - Use symlinks instead of junctions on Wine ([#​19213](astral-sh/uv#19213)) - Fix floating-point environment handling on ARMv7 ([#​19157](astral-sh/uv#19157)) - Redact credentials from remote requirements URL in offline errors ([#​19216](astral-sh/uv#19216)) - Windows tramplolines no longer set `PYTHONHOME` and only set `__PYVENV_LAUNCHER__` for virtual environments ([#​19199](astral-sh/uv#19199)) ##### Documentation - Mark `--native-tls` and `UV_NATIVE_TLS` as deprecated ([#​18705](astral-sh/uv#18705)) - Re-add `pytorch-triton-rocm` to PyTorch ROCm docs ([#​19241](astral-sh/uv#19241)) - Tweak changelog entries for 0.11.8 ([#​19188](astral-sh/uv#19188)) - Add 'Exporting lockfiles' to the Concepts->Projects index ([#​19209](astral-sh/uv#19209)) - Clarify that `uv init` creates git files / folders in the projects guide ([#​19183](astral-sh/uv#19183)) ### [`v0.11.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0118) [Compare Source](astral-sh/uv@0.11.7...0.11.8) Released on 2026-04-27. ##### Enhancements - Add `--python-downloads-json-url` to `python pin` ([#​19092](astral-sh/uv#19092)) - Fetch uv from Astral mirror during self-update ([#​18682](astral-sh/uv#18682)) - Support `pip uninstall -y` ([#​19082](astral-sh/uv#19082)) - Allow `exclude-newer` to be missing from the lockfile when `exclude-newer-span` is present ([#​19024](astral-sh/uv#19024)) - Only show the version number in `uv self version --short` ([#​19019](astral-sh/uv#19019)) - Silence warnings on empty `SSL_CERT_DIR` directory ([#​19018](astral-sh/uv#19018)) - Use a sentinel timestamp for relative `exclude-newer` and `exclude-newer-package` values in lockfiles ([#​19022](astral-sh/uv#19022), [#​19101](astral-sh/uv#19101)) ##### Configuration - Add `UV_PYTHON_NO_REGISTRY` ([#​19035](astral-sh/uv#19035)) - Add an environment variable for `UV_NO_PROJECT` ([#​19052](astral-sh/uv#19052)) - Expose `UV_PYTHON_SEARCH_PATH` for Python discovery `PATH` overrides ([#​19034](astral-sh/uv#19034)) ##### Bug fixes - Add `rust-toolchain.toml` to uv-build sdist ([#​19131](astral-sh/uv#19131)) - Ensure uv invocations of git do not inherit repository location environment variables ([#​19088](astral-sh/uv#19088)) - Redact pre-signed upload URLs in verbose output ([#​19146](astral-sh/uv#19146)) - Handle transitive URL dependencies in PEP 517 build requirements ([#​19076](astral-sh/uv#19076), [#​19086](astral-sh/uv#19086)) - Support `uv lock` on a `pyproject.toml` that only contains dependency-groups ([#​19087](astral-sh/uv#19087)) - Disable transparent Python upgrades in projects when a patch version is requested via `.python-version` ([#​19102](astral-sh/uv#19102)) - Fix Python variant tagging in the Windows registry ([#​19012](astral-sh/uv#19012)) - Ban external symlinks in `.tar.zst` wheels ([#​19144](astral-sh/uv#19144)) ##### Distributions - Remove deprecated license classifiers from uv-build and add Python 3.14 classifier ([#​19130](astral-sh/uv#19130)) ##### Documentation - Bump astral-sh/setup-uv version in docs ([#​19030](astral-sh/uv#19030)) - Update PyTorch documentation for PyTorch 2.11 ([#​19095](astral-sh/uv#19095)) ### [`v0.11.7`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0117) [Compare Source](astral-sh/uv@0.11.6...0.11.7) Released on 2026-04-15. ##### Python - Upgrade CPython build to [`2026041`](astral-sh/uv@20260414) including an OpenSSL security upgrade ([#​19004](astral-sh/uv#19004)) ##### Enhancements - Elevate configuration errors to `required-version` mismatches ([#​18977](astral-sh/uv#18977)) - Further improve TLS certificate validation messages ([#​18933](astral-sh/uv#18933)) - Improve `--exclude-newer` hints ([#​18952](astral-sh/uv#18952)) ##### Preview features - Fix `--script` handling in `uv audit` ([#​18970](astral-sh/uv#18970)) - Fix traversal of extras in `uv audit` ([#​18970](astral-sh/uv#18970)) ##### Bug fixes - De-quote `workspace metadata` in linehaul data ([#​18966](astral-sh/uv#18966)) - Avoid installing tool workspace member dependencies as editable ([#​18891](astral-sh/uv#18891)) - Emit JSON report for `uv sync --check` failures ([#​18976](astral-sh/uv#18976)) - Filter and warn on invalid TLS certificates ([#​18951](astral-sh/uv#18951)) - Fix equality comparisons for version specifiers with `~=` operators ([#​18960](astral-sh/uv#18960)) - Fix stale Python upgrade preview feature check in project environment construction ([#​18961](astral-sh/uv#18961)) - Improve Windows path normalization ([#​18945](astral-sh/uv#18945)) ### [`v0.11.6`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0116) [Compare Source](astral-sh/uv@0.11.5...0.11.6) Released on 2026-04-09. This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See [GHSA-pjjw-68hj-v9mw](GHSA-pjjw-68hj-v9mw) for details. ##### Bug fixes - Do not remove files outside the venv on uninstall ([#​18942](astral-sh/uv#18942)) - Validate and heal wheel `RECORD` during installation ([#​18943](astral-sh/uv#18943)) - Avoid `uv cache clean` errors due to Win32 path normalization ([#​18856](astral-sh/uv#18856)) ### [`v0.11.5`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0115) [Compare Source](astral-sh/uv@0.11.4...0.11.5) Released on 2026-04-08. ##### Python - Add CPython 3.13.13, 3.14.4, and 3.15.0a8 ([#​18908](astral-sh/uv#18908)) ##### Enhancements - Fix `build_system.requires` error message ([#​18911](astral-sh/uv#18911)) - Remove trailing path separators in path normalization ([#​18915](astral-sh/uv#18915)) - Improve error messages for unsupported or invalid TLS certificates ([#​18924](astral-sh/uv#18924)) ##### Preview features - Add `exclude-newer` to `[[tool.uv.index]]` ([#​18839](astral-sh/uv#18839)) - `uv audit`: add context/warnings for ignored vulnerabilities ([#​18905](astral-sh/uv#18905)) ##### Bug fixes - Normalize persisted fork markers before lock equality checks ([#​18612](astral-sh/uv#18612)) - Clear junction properly when uninstalling Python versions on Windows ([#​18815](astral-sh/uv#18815)) - Report error cleanly instead of panicking on TLS certificate error ([#​18904](astral-sh/uv#18904)) ##### Documentation - Remove the legacy `PIP_COMPATIBILITY.md` redirect file ([#​18928](astral-sh/uv#18928)) - Fix `uv init example-bare --bare` examples ([#​18822](astral-sh/uv#18822), [#​18925](astral-sh/uv#18925)) ### [`v0.11.4`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0114) [Compare Source](astral-sh/uv@0.11.3...0.11.4) Released on 2026-04-07. ##### Enhancements - Add support for `--upgrade-group` ([#​18266](astral-sh/uv#18266)) - Merge repeated archive URL hashes by version ID ([#​18841](astral-sh/uv#18841)) - Require all direct URL hash algorithms to match ([#​18842](astral-sh/uv#18842)) ##### Bug fixes - Avoid panics in environment finding via cycle detection ([#​18828](astral-sh/uv#18828)) - Enforce direct URL hashes for `pyproject.toml` dependencies ([#​18786](astral-sh/uv#18786)) - Error on `--locked` and `--frozen` when script lockfile is missing ([#​18832](astral-sh/uv#18832)) - Fix `uv export` extra resolution for workspace member and conflicting extras ([#​18888](astral-sh/uv#18888)) - Include conflicts defined in virtual workspace root ([#​18886](astral-sh/uv#18886)) - Recompute relative `exclude-newer` values during `uv tree --outdated` ([#​18899](astral-sh/uv#18899)) - Respect `--exclude-newer` in `uv tool list --outdated` ([#​18861](astral-sh/uv#18861)) - Sort by comparator to break specifier ties ([#​18850](astral-sh/uv#18850)) - Store relative timestamps in tool receipts ([#​18901](astral-sh/uv#18901)) - Track newly-activated extras when determining conflicts ([#​18852](astral-sh/uv#18852)) - Patch `Cargo.lock` in `uv-build` source distributions ([#​18831](astral-sh/uv#18831)) ##### Documentation - Clarify that `--exclude-newer` compares artifact upload times ([#​18830](astral-sh/uv#18830)) ### [`v0.11.3`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0113) [Compare Source](astral-sh/uv@0.11.2...0.11.3) Released on 2026-04-01. ##### Enhancements - Add progress bar for hashing phase in uv publish ([#​18752](astral-sh/uv#18752)) - Add support for ROCm 7.2 ([#​18730](astral-sh/uv#18730)) - Emit abi3t tags for every abi3 version ([#​18777](astral-sh/uv#18777)) - Expand `uv workspace metadata` with dependency information from the lock ([#​18356](astral-sh/uv#18356)) - Implement support for PEP 803 ([#​18767](astral-sh/uv#18767)) - Pretty-print platform in built wheel errors ([#​18738](astral-sh/uv#18738)) - Publish installers to `/installers/uv/latest` on the mirror ([#​18725](astral-sh/uv#18725)) - Show free-threaded Python in built-wheel errors ([#​18740](astral-sh/uv#18740)) ##### Preview features - Add `--ignore` and `--ignore-until-fixed` to `uv audit` ([#​18737](astral-sh/uv#18737)) ##### Bug fixes - Bump simple API cache ([#​18797](astral-sh/uv#18797)) - Don't drop `blake2b` hashes ([#​18794](astral-sh/uv#18794)) - Handle broken range request implementations ([#​18780](astral-sh/uv#18780)) - Remove `powerpc64-unknown-linux-gnu` from release build targets ([#​18800](astral-sh/uv#18800)) - Respect dependency metadata overrides in `uv pip check` ([#​18742](astral-sh/uv#18742)) - Support debug CPython ABI tags in environment compatibility ([#​18739](astral-sh/uv#18739)) ##### Documentation - Document `false` opt-out for `exclude-newer-package` ([#​18768](astral-sh/uv#18768), [#​18803](astral-sh/uv#18803)) ### [`v0.11.2`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0112) [Compare Source](astral-sh/uv@0.11.1...0.11.2) Released on 2026-03-26. ##### Enhancements - Add a dedicated Windows PE editing error ([#​18710](astral-sh/uv#18710)) - Make `uv self update` fetch the manifest from the mirror first ([#​18679](astral-sh/uv#18679)) - Use uv reqwest client for self update ([#​17982](astral-sh/uv#17982)) - Show `uv self update` success and failure messages with `--quiet` ([#​18645](astral-sh/uv#18645)) ##### Preview features - Evaluate extras and groups when determining auditable packages ([#​18511](astral-sh/uv#18511)) ##### Bug fixes - Skip redundant project configuration parsing for `uv run` ([#​17890](astral-sh/uv#17890)) ### [`v0.11.1`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01116) [Compare Source](astral-sh/uv@0.11.0...0.11.1) Released on 2026-05-21. ##### Enhancements - Add support for direct archive dependencies in Git ([#​10072](astral-sh/uv#10072)) - Adjust hint rendering ([#​18090](astral-sh/uv#18090)) ##### Preview features - uv audit: specialize malformed OSV error ([#​19515](astral-sh/uv#19515)) - Reject locked malware installations ([#​18936](astral-sh/uv#18936)) ##### Configuration - Allow disabling reading the system config with `UV_NO_SYSTEM_CONFIG` ([#​19476](astral-sh/uv#19476)) ##### Bug fixes - Allow environment variables that take a list to be empty ([#​19503](astral-sh/uv#19503)) - Ensure that incompatible wheel hints do not leak secrets ([#​19504](astral-sh/uv#19504)) - Reject unsafe entry points in `uv-build` ([#​19495](astral-sh/uv#19495)) - Restrict delimiters in entry point parsing ([#​19471](astral-sh/uv#19471)) - uv-netrc: fix multi-word no-space comment lines causing parse errors ([#​19494](astral-sh/uv#19494)) ##### Documentation - Document and test relative exclude-newer support for uv pip ([#​19475](astral-sh/uv#19475)) ### [`v0.11.0`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0110) [Compare Source](astral-sh/uv@0.10.12...0.11.0) Released on 2026-03-23. ##### Breaking changes This release includes changes to the networking stack used by uv. While we think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so we have marked the change as breaking out of an abundance of caution. The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to [v0.13](https://seanmonstar.com/blog/reqwest-v013-rustls-default/) which included some breaking changes to TLS certificate verification. The following changes are included: - [`rustls-platform-verifier`](https://github.com/rustls/rustls-platform-verifier) is used instead of [`rustls-native-certs`](https://github.com/rustls/rustls-native-certs) and [`webpki`](https://github.com/rustls/webpki) for certificate verification **This change should have no effect unless you are using the `native-tls` option to enable reading system certificates.** `rustls-platform-verifier` delegates to the system for certificate validation (e.g., `Security.framework` on macOS) instead of eagerly loading certificates from the system and verifying them via `webpki`. The effects of this change will vary based on the operating system. In general, uv's certificate validation should now be more consistent with browsers and other native applications. However, this is the most likely cause of breaking changes in this release. Some previously failing certificate chains may succeed, and some previously accepted certificate chains may fail. In either case, we expect the validation to be more correct and welcome reports of regressions. In particular, because more responsibility for validating the certificate is transferred to your system's security library, some features like [CA constraints](https://support.apple.com/en-us/103255) or [revocation of certificates](https://en.wikipedia.org/wiki/Certificate_revocation) via OCSP and CRLs may now be used. This change should improve performance when using system certificate on macOS, as uv no longer needs to load all certificates from the keychain at startup. - [`aws-lc`](https://github.com/aws/aws-lc) is used instead of `ring` for a cryptography backend There should not be breaking changes from this change. We expect this to expand support for certificate signature algorithms. - `--native-tls` is deprecated in favor of a new `--system-certs` flag The `--native-tls` flag is still usable and has identical behavior to `--system-certs.` This change was made to reduce confusion about the TLS implementation uv uses. uv always uses `rustls` not `native-tls`. - Building uv on x86-64 and i686 Windows requires NASM NASM is required by `aws-lc`. If not found on the system, a prebuilt blob provided by `aws-lc-sys` will be used. If you are not building uv from source, this change has no effect. See the [CONTRIBUTING](https://github.com/astral-sh/uv/blob/b6854d77bfd0cb78157fecaf8b30126c6f16bc11/CONTRIBUTING.md#setup) guide for details. - Empty `SSL_CERT_FILE` values are ignored (for consistency with `SSL_CERT_DIR`) See [#​18550](astral-sh/uv#18550) for details. ##### Python - Enable frame pointers for improved profiling on Linux x86-64 and aarch64 See the [python-build-standalone release notes](https://github.com/astral-sh/python-build-standalone/releases/20260320) for details. ##### Enhancements - Treat 'Dynamic' values as case-insensitive ([#​18669](astral-sh/uv#18669)) - Use a dedicated error for invalid cache control headers ([#​18657](astral-sh/uv#18657)) - Enable checksum verification in the generated installer script ([#​18625](astral-sh/uv#18625)) ##### Preview features - Add `--service-format` and `--service-url` to `uv audit` ([#​18571](astral-sh/uv#18571)) ##### Performance - Avoid holding flat index lock across indexes ([#​18659](astral-sh/uv#18659)) ##### Bug fixes - Find the dynamic linker on the file system when sniffing binaries fails ([#​18457](astral-sh/uv#18457)) - Fix export of conflicting workspace members with dependencies ([#​18666](astral-sh/uv#18666)) - Respect installed settings in `uv tool list --outdated` ([#​18586](astral-sh/uv#18586)) - Treat paths originating as PEP 508 URLs which contain expanded variables as relative ([#​18680](astral-sh/uv#18680)) - Fix `uv export` for workspace member packages with conflicts ([#​18635](astral-sh/uv#18635)) - Continue to alternative authentication providers when the pyx store has no token ([#​18425](astral-sh/uv#18425)) - Use redacted URLs for log messages in cached client ([#​18599](astral-sh/uv#18599)) ##### Documentation - Add details on Linux versions to the platform policy ([#​18574](astral-sh/uv#18574)) - Clarify `FLASH_ATTENTION_SKIP_CUDA_BUILD` guidance for `flash-attn` installs ([#​18473](astral-sh/uv#18473)) - Split the dependency bots page into two separate pages ([#​18597](astral-sh/uv#18597)) - Split the alternative indexes page into separate pages ([#​18607](astral-sh/uv#18607)) ### [`v0.10.12`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01012) [Compare Source](astral-sh/uv@0.10.11...0.10.12) Released on 2026-03-19. ##### Python - Add pypy 3.11.15 ([#​18468](astral-sh/uv#18468)) - Add support for using Python 3.6 interpreters ([#​18454](astral-sh/uv#18454)) ##### Enhancements - Include uv's target triple in version report ([#​18520](astral-sh/uv#18520)) - Allow comma separated values in `--no-emit-package` ([#​18565](astral-sh/uv#18565)) ##### Preview features - Show `uv audit` in the CLI help ([#​18540](astral-sh/uv#18540)) ##### Bug fixes - Improve reporting of managed interpreter symlinks in `uv python list` ([#​18459](astral-sh/uv#18459)) - Preserve end-of-line comments on previous entries when removing dependencies ([#​18557](astral-sh/uv#18557)) - Treat abi3 wheel Python version as a lower bound ([#​18536](astral-sh/uv#18536)) - Detect hard-float support on aarch64 kernels running armv7 userspace ([#​18530](astral-sh/uv#18530)) ##### Documentation - Add Python 3.15 to supported versions ([#​18552](astral-sh/uv#18552)) - Adjust the PyPy note ([#​18548](astral-sh/uv#18548)) - Move Pyodide to Tier 2 in the Python support policy ([#​18561](astral-sh/uv#18561)) - Move Rust and Python version support out of the Platform support policy ([#​18535](astral-sh/uv#18535)) - Update Docker guide with changes from `uv-docker-example` ([#​18558](astral-sh/uv#18558)) - Update the Python version policy ([#​18559](astral-sh/uv#18559)) ### [`v0.10.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01011) [Compare Source](astral-sh/uv@0.10.10...0.10.11) Released on 2026-03-16. ##### Enhancements - Fetch Ruff release metadata from an Astral mirror ([#​18358](astral-sh/uv#18358)) - Use PEP 639 license metadata for uv itself ([#​16477](astral-sh/uv#16477)) ##### Performance - Improve distribution id performance ([#​18486](astral-sh/uv#18486)) ##### Bug fixes - Allow `--project` to refer to a `pyproject.toml` directly and reduce to a warning on other files ([#​18513](astral-sh/uv#18513)) - Disable `SYSTEM_VERSION_COMPAT` when querying interpreters on macOS ([#​18452](astral-sh/uv#18452)) - Enforce available distributions for supported environments ([#​18451](astral-sh/uv#18451)) - Fix `uv sync --active` recreating active environments when `UV_PYTHON_INSTALL_DIR` is relative ([#​18398](astral-sh/uv#18398)) ##### Documentation - Add missing `-o requirements.txt` in `uv pip compile` example ([#​12308](astral-sh/uv#12308)) - Link to organization security policy ([#​18449](astral-sh/uv#18449)) - Link to the AI policy in the contributing guide ([#​18448](astral-sh/uv#18448)) ### [`v0.10.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01010) [Compare Source](astral-sh/uv@0.10.9...0.10.10) Released on 2026-03-13. ##### Python - Add CPython 3.15.0a7 ([#​18403](astral-sh/uv#18403)) ##### Enhancements - Add `--outdated` flag to `uv tool list` ([#​18318](astral-sh/uv#18318)) - Add riscv64 musl target to build-release-binaries workflow ([#​18228](astral-sh/uv#18228)) - Fetch Ruff from an Astral mirror ([#​18286](astral-sh/uv#18286)) - Improve error handling for platform detection in Python downloads ([#​18453](astral-sh/uv#18453)) - Warn if `--project` directory does not exist ([#​17714](astral-sh/uv#17714)) - Warn when workspace member scripts are skipped due to missing build system ([#​18389](astral-sh/uv#18389)) - Update build backend versions used in `uv init` ([#​18417](astral-sh/uv#18417)) - Log explicit config file path in verbose output ([#​18353](astral-sh/uv#18353)) - Make `uv cache clear` an alias of `uv cache clean` ([#​18420](astral-sh/uv#18420)) - Reject invalid classifiers, warn on license classifiers in `uv_build` ([#​18419](astral-sh/uv#18419)) ##### Preview features - Add links to `uv audit` output ([#​18392](https://github.com/astral-sh/uv/pull/18392)) - Output/report formatting for `uv audit` ([#​18193](https://github.com/astral-sh/uv/pull/18193)) - Switch to batched OSV queries for `uv audit` ([#​18394](https://github.com/astral-sh/uv/pull/18394)) ##### Bug fixes - Avoid sharing version metadata across indexes ([#​18373](https://github.com/astral-sh/uv/pull/18373)) - Bump zlib-rs to 0.6.2 to fix panic on decompression of large wheels on Windows ([#​18362](https://github.com/astral-sh/uv/pull/18362)) - Filter out unsupported environment wheels ([#​18445](https://github.com/astral-sh/uv/pull/18445)) - Preserve absolute/relative paths in lockfiles ([#​18176](https://github.com/astral-sh/uv/pull/18176)) - Recreate Python environments under `uv tool install --force` ([#​18399](https://github.com/astral-sh/uv/pull/18399)) - Respect timestamp and other cache keys in cached environments ([#​18396](https://github.com/astral-sh/uv/pull/18396)) - Simplify selected extra markers in `uv export` ([#​18433](https://github.com/astral-sh/uv/pull/18433)) - Send pyx mint-token requests with a proper `Content-Type` ([#​18334](https://github.com/astral-sh/uv/pull/18334)) - Fix Windows operating system and version reporting ([#​18383](https://github.com/astral-sh/uv/pull/18383)) ##### Documentation - Update the platform support policy with a tier 3 section including freebsd and 32-bit windows ([#​18345](https://github.com/astral-sh/uv/pull/18345)) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/London) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZSIsInR5cGUvbWlub3IiXX0=--> Reviewed-on: https://forgejo.hayden.moe/hayden/phoebe/pulls/43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #18708
This is a backwards compatible approach to resolve the issue where this timestamp is causing merge conflicts.
This has no effect other than eliding the timestamp that was used for resolution. This value is write-only when using relative
exclude-newervalues.