Skip to content

Quote virtual environment activation paths with shell metacharacters#19798

Merged
zanieb merged 1 commit into
astral-sh:mainfrom
zaniebot:zb/quote-activation-paths
Jun 11, 2026
Merged

Quote virtual environment activation paths with shell metacharacters#19798
zanieb merged 1 commit into
astral-sh:mainfrom
zaniebot:zb/quote-activation-paths

Conversation

@zaniebot

Copy link
Copy Markdown
Contributor

Summary

Prior to this change, activation commands were only quoted when their paths contained spaces. Apostrophes and other shell metacharacters could therefore produce invalid or unsafe shell commands.

This PR matches Python's shlex.quote safe-character behavior so every unsafe path is single-quoted.

Test plan

  • cargo test -p uv-shell
  • cargo clippy -p uv-shell --all-targets -- -D warnings

Activation commands were only quoted when their paths contained spaces, leaving apostrophes and other shell metacharacters to produce invalid or unsafe shell commands.

Match Python shlex.quote safe-character behavior so every unsafe path is single-quoted.
@zanieb zanieb enabled auto-merge (squash) June 11, 2026 16:11
@zanieb zanieb merged commit d5c8a5f into astral-sh:main Jun 11, 2026
56 checks passed
@zanieb zanieb added the bug Something isn't working label Jun 11, 2026
blake-hamm added a commit to blake-hamm/bhamm-lab that referenced this pull request Jun 12, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ghcr.io/astral-sh/uv](https://github.com/astral-sh/uv) | stage | patch | `0.11.20` → `0.11.21` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/155) for more information.

---

### Release Notes

<details>
<summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary>

### [`v0.11.21`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01121)

[Compare Source](astral-sh/uv@0.11.20...0.11.21)

Released on 2026-06-11.

##### Python

- Add CPython 3.13.14 and 3.14.6 ([#&#8203;19787](astral-sh/uv#19787))

##### Preview features

- Add `environment.root` to `uv workspace metadata --sync` ([#&#8203;19760](astral-sh/uv#19760))
- Allow `uv upgrade` to update a single dependency constraint ([#&#8203;19738](astral-sh/uv#19738))
- Compute and pass `uv workspace metadata` payload in `ty check` ([#&#8203;19763](astral-sh/uv#19763))
- Make packaged applications the default for `uv init` ([#&#8203;17841](astral-sh/uv#17841))

##### Performance

- Add parallel discovery of Python versions for `uv python list` ([#&#8203;18684](astral-sh/uv#18684))
- Avoid normalizing source distribution names twice ([#&#8203;19784](astral-sh/uv#19784))

##### Bug fixes

- Improve cache robustness and pruning behavior
  - Allow CI cache pruning without an sdist bucket ([#&#8203;19802](astral-sh/uv#19802))
  - Avoid overflow when reading malformed cache entries ([#&#8203;19799](astral-sh/uv#19799))
  - Preserve cached Python downloads during cache pruning ([#&#8203;19795](astral-sh/uv#19795))
  - Reject running inside the cache ([#&#8203;19659](astral-sh/uv#19659))
- Fix Python discovery and version request edge cases
  - Avoid panics for Unicode Python version requests ([#&#8203;19797](astral-sh/uv#19797))
  - Fix handling of non-critical errors in `uv python list` with path requests ([#&#8203;19774](astral-sh/uv#19774))
  - Fix stop-discovery-at regression ([#&#8203;19769](astral-sh/uv#19769))
- Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets
  - Allow trailing commas in version specifiers ([#&#8203;19806](astral-sh/uv#19806))
  - Avoid panics for invalid UTF-8 URL credentials ([#&#8203;19800](astral-sh/uv#19800))
  - Avoid panics for malformed source distribution filenames ([#&#8203;19776](astral-sh/uv#19776))
  - Avoid panics for trailing extra separators ([#&#8203;19779](astral-sh/uv#19779))
  - Avoid stack overflow for recursive requirements path aliases ([#&#8203;19777](astral-sh/uv#19777))
  - Ignore reversed string compatible-release markers ([#&#8203;19782](astral-sh/uv#19782))
  - Reject duplicate entries in conflict sets ([#&#8203;19801](astral-sh/uv#19801))
  - Reject malformed hash options in requirements files ([#&#8203;19783](astral-sh/uv#19783))
  - Reject source distribution filenames without a separator ([#&#8203;19803](astral-sh/uv#19803))
  - Use UTF-8 lengths for requirement errors ([#&#8203;19781](astral-sh/uv#19781))
  - Use UTF-8 lengths for trailing marker errors ([#&#8203;19796](astral-sh/uv#19796))
  - Use byte offsets when peeking over requirements ([#&#8203;19780](astral-sh/uv#19780))
  - Validate GraalPy ABI suffixes ([#&#8203;19805](astral-sh/uv#19805))
- Improve wheel entry-point error handling and virtual environment activation quoting
  - Propagate errors when reading wheel entry points ([#&#8203;19794](astral-sh/uv#19794))
  - Quote virtual environment activation paths with shell metacharacters ([#&#8203;19798](astral-sh/uv#19798))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: Renovate Bot <renovate@bhamm-lab.com>
Reviewed-on: https://codeberg.org/blake-hamm/bhamm-lab/pulls/194
hbjydev pushed a commit to hbjydev/phoebe that referenced this pull request Jun 14, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [uv](https://github.com/astral-sh/uv) | patch | `0.11.19` → `0.11.21` |

---

### Release Notes

<details>
<summary>astral-sh/uv (uv)</summary>

### [`v0.11.21`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01121)

[Compare Source](astral-sh/uv@0.11.20...0.11.21)

Released on 2026-06-11.

##### Python

- Add CPython 3.13.14 and 3.14.6 ([#&#8203;19787](astral-sh/uv#19787))

##### Preview features

- Add `environment.root` to `uv workspace metadata --sync` ([#&#8203;19760](astral-sh/uv#19760))
- Allow `uv upgrade` to update a single dependency constraint ([#&#8203;19738](astral-sh/uv#19738))
- Compute and pass `uv workspace metadata` payload in `ty check` ([#&#8203;19763](astral-sh/uv#19763))
- Make packaged applications the default for `uv init` ([#&#8203;17841](astral-sh/uv#17841))

##### Performance

- Add parallel discovery of Python versions for `uv python list` ([#&#8203;18684](astral-sh/uv#18684))
- Avoid normalizing source distribution names twice ([#&#8203;19784](astral-sh/uv#19784))

##### Bug fixes

- Improve cache robustness and pruning behavior
  - Allow CI cache pruning without an sdist bucket ([#&#8203;19802](astral-sh/uv#19802))
  - Avoid overflow when reading malformed cache entries ([#&#8203;19799](astral-sh/uv#19799))
  - Preserve cached Python downloads during cache pruning ([#&#8203;19795](astral-sh/uv#19795))
  - Reject running inside the cache ([#&#8203;19659](astral-sh/uv#19659))
- Fix Python discovery and version request edge cases
  - Avoid panics for Unicode Python version requests ([#&#8203;19797](astral-sh/uv#19797))
  - Fix handling of non-critical errors in `uv python list` with path requests ([#&#8203;19774](astral-sh/uv#19774))
  - Fix stop-discovery-at regression ([#&#8203;19769](astral-sh/uv#19769))
- Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets
  - Allow trailing commas in version specifiers ([#&#8203;19806](astral-sh/uv#19806))
  - Avoid panics for invalid UTF-8 URL credentials ([#&#8203;19800](astral-sh/uv#19800))
  - Avoid panics for malformed source distribution filenames ([#&#8203;19776](astral-sh/uv#19776))
  - Avoid panics for trailing extra separators ([#&#8203;19779](astral-sh/uv#19779))
  - Avoid stack overflow for recursive requirements path aliases ([#&#8203;19777](astral-sh/uv#19777))
  - Ignore reversed string compatible-release markers ([#&#8203;19782](astral-sh/uv#19782))
  - Reject duplicate entries in conflict sets ([#&#8203;19801](astral-sh/uv#19801))
  - Reject malformed hash options in requirements files ([#&#8203;19783](astral-sh/uv#19783))
  - Reject source distribution filenames without a separator ([#&#8203;19803](astral-sh/uv#19803))
  - Use UTF-8 lengths for requirement errors ([#&#8203;19781](astral-sh/uv#19781))
  - Use UTF-8 lengths for trailing marker errors ([#&#8203;19796](astral-sh/uv#19796))
  - Use byte offsets when peeking over requirements ([#&#8203;19780](astral-sh/uv#19780))
  - Validate GraalPy ABI suffixes ([#&#8203;19805](astral-sh/uv#19805))
- Improve wheel entry-point error handling and virtual environment activation quoting
  - Propagate errors when reading wheel entry points ([#&#8203;19794](astral-sh/uv#19794))
  - Quote virtual environment activation paths with shell metacharacters ([#&#8203;19798](astral-sh/uv#19798))

### [`v0.11.20`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01120)

[Compare Source](astral-sh/uv@0.11.19...0.11.20)

Released on 2026-06-10.

##### Enhancements

- Add `--emit-index-url` and `--emit-find-links` to `uv export` ([#&#8203;18370](astral-sh/uv#18370))
- Add `--find-links` support for `uv pip list` ([#&#8203;16103](astral-sh/uv#16103))
- Group executable install errors during `uv python install` ([#&#8203;19691](astral-sh/uv#19691))
- Use ICF in macOS release builds to reduce binary sizes ([#&#8203;19615](astral-sh/uv#19615))

##### Preview features

- Add initial hidden `uv upgrade` command ([#&#8203;19678](astral-sh/uv#19678))
- Reject Git revisions in `uv upgrade` ([#&#8203;19742](astral-sh/uv#19742))

##### Configuration

- Recognize `UV_NO_INSTALL_PROJECT`, `UV_NO_INSTALL_WORKSPACE`, `UV_NO_INSTALL_LOCAL` ([#&#8203;19323](astral-sh/uv#19323))

##### Performance

- Speed up discovery of large workspaces ([#&#8203;18311](astral-sh/uv#18311))

##### Bug fixes

- Allow unknown preview flags with a warning again ([#&#8203;19669](astral-sh/uv#19669))
- Apply dependency exclusions to direct requirements ([#&#8203;19699](astral-sh/uv#19699))
- Avoid following external symlinks during cache clean ([#&#8203;19682](astral-sh/uv#19682))
- Avoid following symlinks during cache prune ([#&#8203;19543](astral-sh/uv#19543))
- Fix Git cache keys for worktrees and packed refs ([#&#8203;19706](astral-sh/uv#19706))
- Make resolver error handling iterative to avoid stack overflows ([#&#8203;19695](astral-sh/uv#19695))
- Pass `VIRTUAL_ENV` through `cygpath` inside `fish` on Windows ([#&#8203;19703](astral-sh/uv#19703))
- Rebuild explicit local directory tool installs ([#&#8203;19591](astral-sh/uv#19591))
- Validate egg top-level entries as identifiers ([#&#8203;19679](astral-sh/uv#19679))

##### Documentation

- Document `--find-links` caching behavior ([#&#8203;19585](astral-sh/uv#19585))
- Add a small section for malware checks ([#&#8203;19680](astral-sh/uv#19680))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZSIsInR5cGUvcGF0Y2giXX0=-->

Reviewed-on: https://forgejo.hayden.moe/hayden/phoebe/pulls/92
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants