Reject malformed hash options in requirements files#19783
Merged
Conversation
Merging this PR will improve performance by 5.79%
Performance Changes
Tip Curious why this is faster? Use the CodSpeed MCP and ask your agent. Comparing |
blake-hamm
added a commit
to blake-hamm/bhamm-lab
that referenced
this pull request
Jun 12, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ghcr.io/astral-sh/uv](https://github.com/astral-sh/uv) | stage | patch | `0.11.20` → `0.11.21` | --- >⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/155) for more information. --- ### Release Notes <details> <summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary> ### [`v0.11.21`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01121) [Compare Source](astral-sh/uv@0.11.20...0.11.21) Released on 2026-06-11. ##### Python - Add CPython 3.13.14 and 3.14.6 ([#​19787](astral-sh/uv#19787)) ##### Preview features - Add `environment.root` to `uv workspace metadata --sync` ([#​19760](astral-sh/uv#19760)) - Allow `uv upgrade` to update a single dependency constraint ([#​19738](astral-sh/uv#19738)) - Compute and pass `uv workspace metadata` payload in `ty check` ([#​19763](astral-sh/uv#19763)) - Make packaged applications the default for `uv init` ([#​17841](astral-sh/uv#17841)) ##### Performance - Add parallel discovery of Python versions for `uv python list` ([#​18684](astral-sh/uv#18684)) - Avoid normalizing source distribution names twice ([#​19784](astral-sh/uv#19784)) ##### Bug fixes - Improve cache robustness and pruning behavior - Allow CI cache pruning without an sdist bucket ([#​19802](astral-sh/uv#19802)) - Avoid overflow when reading malformed cache entries ([#​19799](astral-sh/uv#19799)) - Preserve cached Python downloads during cache pruning ([#​19795](astral-sh/uv#19795)) - Reject running inside the cache ([#​19659](astral-sh/uv#19659)) - Fix Python discovery and version request edge cases - Avoid panics for Unicode Python version requests ([#​19797](astral-sh/uv#19797)) - Fix handling of non-critical errors in `uv python list` with path requests ([#​19774](astral-sh/uv#19774)) - Fix stop-discovery-at regression ([#​19769](astral-sh/uv#19769)) - Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets - Allow trailing commas in version specifiers ([#​19806](astral-sh/uv#19806)) - Avoid panics for invalid UTF-8 URL credentials ([#​19800](astral-sh/uv#19800)) - Avoid panics for malformed source distribution filenames ([#​19776](astral-sh/uv#19776)) - Avoid panics for trailing extra separators ([#​19779](astral-sh/uv#19779)) - Avoid stack overflow for recursive requirements path aliases ([#​19777](astral-sh/uv#19777)) - Ignore reversed string compatible-release markers ([#​19782](astral-sh/uv#19782)) - Reject duplicate entries in conflict sets ([#​19801](astral-sh/uv#19801)) - Reject malformed hash options in requirements files ([#​19783](astral-sh/uv#19783)) - Reject source distribution filenames without a separator ([#​19803](astral-sh/uv#19803)) - Use UTF-8 lengths for requirement errors ([#​19781](astral-sh/uv#19781)) - Use UTF-8 lengths for trailing marker errors ([#​19796](astral-sh/uv#19796)) - Use byte offsets when peeking over requirements ([#​19780](astral-sh/uv#19780)) - Validate GraalPy ABI suffixes ([#​19805](astral-sh/uv#19805)) - Improve wheel entry-point error handling and virtual environment activation quoting - Propagate errors when reading wheel entry points ([#​19794](astral-sh/uv#19794)) - Quote virtual environment activation paths with shell metacharacters ([#​19798](astral-sh/uv#19798)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: Renovate Bot <renovate@bhamm-lab.com> Reviewed-on: https://codeberg.org/blake-hamm/bhamm-lab/pulls/194
hbjydev
pushed a commit
to hbjydev/phoebe
that referenced
this pull request
Jun 14, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | patch | `0.11.19` → `0.11.21` | --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.11.21`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01121) [Compare Source](astral-sh/uv@0.11.20...0.11.21) Released on 2026-06-11. ##### Python - Add CPython 3.13.14 and 3.14.6 ([#​19787](astral-sh/uv#19787)) ##### Preview features - Add `environment.root` to `uv workspace metadata --sync` ([#​19760](astral-sh/uv#19760)) - Allow `uv upgrade` to update a single dependency constraint ([#​19738](astral-sh/uv#19738)) - Compute and pass `uv workspace metadata` payload in `ty check` ([#​19763](astral-sh/uv#19763)) - Make packaged applications the default for `uv init` ([#​17841](astral-sh/uv#17841)) ##### Performance - Add parallel discovery of Python versions for `uv python list` ([#​18684](astral-sh/uv#18684)) - Avoid normalizing source distribution names twice ([#​19784](astral-sh/uv#19784)) ##### Bug fixes - Improve cache robustness and pruning behavior - Allow CI cache pruning without an sdist bucket ([#​19802](astral-sh/uv#19802)) - Avoid overflow when reading malformed cache entries ([#​19799](astral-sh/uv#19799)) - Preserve cached Python downloads during cache pruning ([#​19795](astral-sh/uv#19795)) - Reject running inside the cache ([#​19659](astral-sh/uv#19659)) - Fix Python discovery and version request edge cases - Avoid panics for Unicode Python version requests ([#​19797](astral-sh/uv#19797)) - Fix handling of non-critical errors in `uv python list` with path requests ([#​19774](astral-sh/uv#19774)) - Fix stop-discovery-at regression ([#​19769](astral-sh/uv#19769)) - Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets - Allow trailing commas in version specifiers ([#​19806](astral-sh/uv#19806)) - Avoid panics for invalid UTF-8 URL credentials ([#​19800](astral-sh/uv#19800)) - Avoid panics for malformed source distribution filenames ([#​19776](astral-sh/uv#19776)) - Avoid panics for trailing extra separators ([#​19779](astral-sh/uv#19779)) - Avoid stack overflow for recursive requirements path aliases ([#​19777](astral-sh/uv#19777)) - Ignore reversed string compatible-release markers ([#​19782](astral-sh/uv#19782)) - Reject duplicate entries in conflict sets ([#​19801](astral-sh/uv#19801)) - Reject malformed hash options in requirements files ([#​19783](astral-sh/uv#19783)) - Reject source distribution filenames without a separator ([#​19803](astral-sh/uv#19803)) - Use UTF-8 lengths for requirement errors ([#​19781](astral-sh/uv#19781)) - Use UTF-8 lengths for trailing marker errors ([#​19796](astral-sh/uv#19796)) - Use byte offsets when peeking over requirements ([#​19780](astral-sh/uv#19780)) - Validate GraalPy ABI suffixes ([#​19805](astral-sh/uv#19805)) - Improve wheel entry-point error handling and virtual environment activation quoting - Propagate errors when reading wheel entry points ([#​19794](astral-sh/uv#19794)) - Quote virtual environment activation paths with shell metacharacters ([#​19798](astral-sh/uv#19798)) ### [`v0.11.20`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01120) [Compare Source](astral-sh/uv@0.11.19...0.11.20) Released on 2026-06-10. ##### Enhancements - Add `--emit-index-url` and `--emit-find-links` to `uv export` ([#​18370](astral-sh/uv#18370)) - Add `--find-links` support for `uv pip list` ([#​16103](astral-sh/uv#16103)) - Group executable install errors during `uv python install` ([#​19691](astral-sh/uv#19691)) - Use ICF in macOS release builds to reduce binary sizes ([#​19615](astral-sh/uv#19615)) ##### Preview features - Add initial hidden `uv upgrade` command ([#​19678](astral-sh/uv#19678)) - Reject Git revisions in `uv upgrade` ([#​19742](astral-sh/uv#19742)) ##### Configuration - Recognize `UV_NO_INSTALL_PROJECT`, `UV_NO_INSTALL_WORKSPACE`, `UV_NO_INSTALL_LOCAL` ([#​19323](astral-sh/uv#19323)) ##### Performance - Speed up discovery of large workspaces ([#​18311](astral-sh/uv#18311)) ##### Bug fixes - Allow unknown preview flags with a warning again ([#​19669](astral-sh/uv#19669)) - Apply dependency exclusions to direct requirements ([#​19699](astral-sh/uv#19699)) - Avoid following external symlinks during cache clean ([#​19682](astral-sh/uv#19682)) - Avoid following symlinks during cache prune ([#​19543](astral-sh/uv#19543)) - Fix Git cache keys for worktrees and packed refs ([#​19706](astral-sh/uv#19706)) - Make resolver error handling iterative to avoid stack overflows ([#​19695](astral-sh/uv#19695)) - Pass `VIRTUAL_ENV` through `cygpath` inside `fish` on Windows ([#​19703](astral-sh/uv#19703)) - Rebuild explicit local directory tool installs ([#​19591](astral-sh/uv#19591)) - Validate egg top-level entries as identifiers ([#​19679](astral-sh/uv#19679)) ##### Documentation - Document `--find-links` caching behavior ([#​19585](astral-sh/uv#19585)) - Add a small section for malware checks ([#​19680](astral-sh/uv#19680)) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/London) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZSIsInR5cGUvcGF0Y2giXX0=--> Reviewed-on: https://forgejo.hayden.moe/hayden/phoebe/pulls/92
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Prior to this change, malformed hash options such as:
were accepted as if they contained a single valid
--hashoption.The parser used
eat_while("--hash")for the first hash token, which consumed repeated matching characters instead of requiring one exact option. Subsequent hash tokens already used exact matching.This PR uses exact matching for the first hash option too, so malformed spellings return a positioned parser error.