Skip to content

Use locked dependency selection for uv check --script#19989

Merged
zsol merged 1 commit into
mainfrom
zsol/uv-check-script-pinning
Jun 26, 2026
Merged

Use locked dependency selection for uv check --script#19989
zsol merged 1 commit into
mainfrom
zsol/uv-check-script-pinning

Conversation

@zsol

@zsol zsol commented Jun 25, 2026

Copy link
Copy Markdown
Member

uv check --script currently ignores a direct ty dependency from PEP 723 metadata when choosing the checker. The script environment contains the locked package, but uv still selects a standalone ty from its built-in compatible range, so the checker can differ from the script’s dependency graph.

This extends Lock::dependency_selection to include applicable lock-manifest requirements. When a script directly declares ty, uv check now runs the marker-selected locked package from the script environment, preserving its source and transitive dependencies without another resolution.

This is a followup to #19884 and it depends on #19982.

@zsol zsol changed the base branch from main to zsol/uv-lock-dependency-selection-api-v2 June 25, 2026 14:20
@astral-sh-bot

astral-sh-bot Bot commented Jun 25, 2026

Copy link
Copy Markdown

uv test inventory changes

This PR changes the tests when compared with the latest main baseline.

  • Added tests: 5
  • Removed tests: 4
  • Changed suites: 4
uv-resolver: +1 / -0

Added:

  • uv-resolver::lock::tests::dependency_selection_resolves_lock_manifest_requirement

Removed: none

uv::build: +0 / -3

Added: none

Removed:

  • uv::build::cache::build_allows_cache_outside_selected_source
  • uv::build::cache::build_rejects_cache_inside_source
  • uv::build::cache::build_rejects_symlinked_cache_inside_source
uv::lock_scenarios: +0 / -1

Added: none

Removed:

  • uv::lock_scenarios::lock_conflict::extra_conflict_environments_omit_redundant_markers
uv::project: +4 / -0

Added:

  • uv::project::check::check_script_ignores_transitive_ty_for_tool_selection
  • uv::project::check::check_script_ty_override_precedence
  • uv::project::check::check_script_uses_ty_from_path_with_transitive_dependency
  • uv::project::check::check_script_uses_ty_version_from_forked_lock

Removed: none

@zsol zsol force-pushed the zsol/uv-lock-dependency-selection-api-v2 branch from 71fa7bd to 7db8448 Compare June 25, 2026 14:52
@zsol zsol force-pushed the zsol/uv-check-script-pinning branch from 729b7b3 to 78a68c7 Compare June 26, 2026 09:50
@zsol zsol marked this pull request as ready for review June 26, 2026 09:56
Comment on lines +308 to +309
/// The dependency can come from the lock manifest, a dependency group, the production packages,
/// or a combination thereof.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Separately, we need to get rid of this "directly attached to the lock manifest" concept. I get it's a special case for scripts and virtual projects or something, but the dependency is just a "production" dependency of a script in this case. I think we probably can improve some concepts or abstractions somewhere. cc @Gankra

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed.

@zsol zsol force-pushed the zsol/uv-lock-dependency-selection-api-v2 branch from 2ce9c30 to b332bc1 Compare June 26, 2026 13:20
Base automatically changed from zsol/uv-lock-dependency-selection-api-v2 to main June 26, 2026 13:26
@zsol zsol force-pushed the zsol/uv-check-script-pinning branch from 78a68c7 to 9d4ad6e Compare June 26, 2026 13:41
@zsol zsol force-pushed the zsol/uv-check-script-pinning branch from 9d4ad6e to 97588bb Compare June 26, 2026 13:51
@zsol zsol enabled auto-merge (squash) June 26, 2026 15:21
@zsol zsol merged commit 27023ab into main Jun 26, 2026
108 of 110 checks passed
@zsol zsol deleted the zsol/uv-check-script-pinning branch June 26, 2026 15:26
blake-hamm added a commit to blake-hamm/bhamm-lab that referenced this pull request Jun 27, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ghcr.io/astral-sh/uv](https://github.com/astral-sh/uv) | stage | patch | `0.11.24` → `0.11.25` |

---

### Release Notes

<details>
<summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary>

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: Renovate Bot <renovate@bhamm-lab.com>
Reviewed-on: https://codeberg.org/blake-hamm/bhamm-lab/pulls/230
hbjydev pushed a commit to hbjydev/containers that referenced this pull request Jun 29, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ghcr.io/astral-sh/uv](https://github.com/astral-sh/uv) | final | patch | `0.11.24` → `0.11.25` |

---

### Release Notes

<details>
<summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary>

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->

Reviewed-on: https://forgejo.hayden.moe/hayden/containers/pulls/13
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Jul 9, 2026
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [uv](https://github.com/astral-sh/uv) | patch | `0.11.21` → `0.11.28` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (uv)</summary>

### [`v0.11.28`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01128)

[Compare Source](astral-sh/uv@0.11.27...0.11.28)

Released on 2026-07-07.

##### Security

This release updates our ZIP library, [astral-async-zip](https://github.com/astral-sh/rs-async-zip), to v0.0.20, which includes 15 changes that harden our ZIP handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject ZIP archives with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/rs-async-zip@v0.0.18...v0.0.20) for a full list of changes.

##### Python

- Upgrade GraalPy to 25.1.3 ([#&#8203;20069](astral-sh/uv#20069))

##### Enhancements

- Improve trace logs for unexpected error chains ([#&#8203;20220](astral-sh/uv#20220))
- Move lockfile update guidance to a hint ([#&#8203;20219](astral-sh/uv#20219))
- Preserve indentation for multiline error causes ([#&#8203;20156](astral-sh/uv#20156))
- Render user errors with their cause chains ([#&#8203;20217](astral-sh/uv#20217))
- Route final command errors through the printer to respect `-q` and `-qq` ([#&#8203;20163](astral-sh/uv#20163))
- Use standard rendering for `uv build` errors ([#&#8203;20159](astral-sh/uv#20159))
- Use standard rendering for tool requirement errors ([#&#8203;20160](astral-sh/uv#20160))

##### Performance

- Only compile bytecode for installed distributions in `uv pip install` ([#&#8203;19914](astral-sh/uv#19914))
- Avoid allocating URL-safe Git revisions ([#&#8203;20194](astral-sh/uv#20194))
- Avoid allocating canonical Python request strings ([#&#8203;20193](astral-sh/uv#20193))
- Avoid allocating custom Astral mirror URLs ([#&#8203;20204](astral-sh/uv#20204))
- Avoid allocating expanded compatibility tags ([#&#8203;20190](astral-sh/uv#20190))
- Avoid allocating shell strings that need no escaping ([#&#8203;20196](astral-sh/uv#20196))
- Avoid allocating static ABI descriptions ([#&#8203;20201](astral-sh/uv#20201))
- Avoid allocating static Windows executable names ([#&#8203;20200](astral-sh/uv#20200))
- Avoid allocating static dependency table names ([#&#8203;20199](astral-sh/uv#20199))
- Avoid allocating static platform triple components ([#&#8203;20195](astral-sh/uv#20195))
- Avoid allocating static resolver report labels ([#&#8203;20198](astral-sh/uv#20198))
- Avoid allocating static unavailable-version messages ([#&#8203;20197](astral-sh/uv#20197))
- Avoid allocating unchanged Python download architectures ([#&#8203;20202](astral-sh/uv#20202))
- Avoid allocating unchanged paths during case normalization ([#&#8203;20203](astral-sh/uv#20203))
- Avoid allocations when expanding group conflicts ([#&#8203;20211](astral-sh/uv#20211))
- Avoid allocations when formatting requirements ([#&#8203;20206](astral-sh/uv#20206))
- Avoid cloning credential lookup services ([#&#8203;20210](astral-sh/uv#20210))
- Avoid cloning dry-run distributions ([#&#8203;20209](astral-sh/uv#20209))
- Avoid cloning owned dependency metadata ([#&#8203;20212](astral-sh/uv#20212))
- Avoid redundant direct URL clones ([#&#8203;20207](astral-sh/uv#20207))
- Create metadata version errors lazily ([#&#8203;20205](astral-sh/uv#20205))
- Optimize expanded tag compatibility checks ([#&#8203;20171](astral-sh/uv#20171))
- Optimize parsing of single-digit three-part versions ([#&#8203;20118](astral-sh/uv#20118))

##### Bug fixes

- Avoid overflow when computing HTTP cache age ([#&#8203;20178](astral-sh/uv#20178))
- Respect `--upgrade` when `upgrade-package` is configured ([#&#8203;19955](astral-sh/uv#19955))
- Support `uv tree` in dependency-group-only projects ([#&#8203;20167](astral-sh/uv#20167))
- Treat cache entries as stale at exact expiration ([#&#8203;20183](astral-sh/uv#20183))

### [`v0.11.27`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01127)

[Compare Source](astral-sh/uv@0.11.26...0.11.27)

Released on 2026-07-06.

##### Enhancements

- Continue on ignored errors when fetching wheel metadata ([#&#8203;12255](astral-sh/uv#12255))
- Use caching for `--python-downloads-json-url` ([#&#8203;16749](astral-sh/uv#16749))

##### Preview features

- Discover extensionless shebang scripts in `uv workspace list --scripts` ([#&#8203;20099](astral-sh/uv#20099))

##### Performance

- Avoid full site-packages scans for direct reinstalls ([#&#8203;20119](astral-sh/uv#20119))
- Avoid redundant pyproject parsing ([#&#8203;20076](astral-sh/uv#20076))
- Cache default dependency markers when reading locks ([#&#8203;20125](astral-sh/uv#20125))
- Enable SIMD-accelerated TOML parsing ([#&#8203;20079](astral-sh/uv#20079))
- Intern `requires-python` specifiers in Simple API parsing ([#&#8203;20104](astral-sh/uv#20104))
- Read cache entries into exact-sized buffers ([#&#8203;20120](astral-sh/uv#20120))
- Reduce VersionSpecifiers parsing allocations ([#&#8203;20105](astral-sh/uv#20105))
- Reduce site-packages scan allocation overhead ([#&#8203;20087](astral-sh/uv#20087))
- Reuse package names when parsing wheel filenames ([#&#8203;20110](astral-sh/uv#20110))
- Sort Simple API files after grouping ([#&#8203;20112](astral-sh/uv#20112))

##### Bug fixes

- Always emit `packages` table for pylock.toml ([#&#8203;20145](astral-sh/uv#20145))
- Avoid blank line for empty `uv pip tree` ([#&#8203;20062](astral-sh/uv#20062))
- Encode hashes in file paths ([#&#8203;19807](astral-sh/uv#19807))
- Error on a registry uv.lock package without a version instead of panicking ([#&#8203;19855](astral-sh/uv#19855))
- Preserve conditional extra markers in exports ([#&#8203;20148](astral-sh/uv#20148))
- Skip the ambiguous authority check for file transport VCS URLs ([#&#8203;20086](astral-sh/uv#20086))
- Sync index format when `uv add --index` updates an existing index URL ([#&#8203;19818](astral-sh/uv#19818))

##### Other changes

- Re-add `pub` APIs used in Pixi ([#&#8203;20074](astral-sh/uv#20074))
- Update Rust toolchain to 1.96.1 ([#&#8203;20103](astral-sh/uv#20103))

### [`v0.11.26`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01126)

[Compare Source](astral-sh/uv@0.11.25...0.11.26)

Released on 2026-06-30.

##### Performance

- Adapt uv to IDs-only PubGrub dependencies ([#&#8203;20048](astral-sh/uv#20048))
- Avoid allocations in `ForkMap::contains` ([#&#8203;20023](astral-sh/uv#20023))
- Reuse resolver work across PubGrub iterations ([#&#8203;20020](astral-sh/uv#20020))
- Speed up candidate selection for disjoint ranges ([#&#8203;20026](astral-sh/uv#20026))

##### Bug fixes

- Warn when the build cache is inside the source directory ([#&#8203;20056](astral-sh/uv#20056))

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

### [`v0.11.24`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01124)

[Compare Source](astral-sh/uv@0.11.23...0.11.24)

Released on 2026-06-23.

##### Python

- Add CPython 3.15.0b3 ([#&#8203;19964](astral-sh/uv#19964))

##### Preview features

- Make project environments relocatable under preview ([#&#8203;19965](astral-sh/uv#19965))

##### Performance

- Use a compact index for lazy version maps ([#&#8203;19959](astral-sh/uv#19959))

##### Bug fixes

- Allow disabling `exclude-newer` ([#&#8203;19934](astral-sh/uv#19934))
- Avoid archive id collisions ([#&#8203;19949](astral-sh/uv#19949))
- Reapply "Fix transparent Python upgrades in project environments" ([#&#8203;19928](astral-sh/uv#19928))
- Clean up partial tool entrypoint installs ([#&#8203;19966](astral-sh/uv#19966))
- Fix relocatable `activate.fish` and broaden Fish version support ([#&#8203;19856](astral-sh/uv#19856))

### [`v0.11.23`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01123)

[Compare Source](astral-sh/uv@0.11.22...0.11.23)

Released on 2026-06-19.

##### Bug fixes

- Revert "Fix transparent Python upgrades in project environments" to mitigate unintended breakage in `pre-commit-uv` ([#&#8203;19925](astral-sh/uv#19925))
- Restore old behavior where workspace members "hidden" by an intermediate `pyproject.toml` would be treated as standalone projects ([#&#8203;19926](astral-sh/uv#19926))

### [`v0.11.22`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01122)

[Compare Source](astral-sh/uv@0.11.21...0.11.22)

Released on 2026-06-18.

##### Enhancements

- Publish wheels before sdists in `uv publish` ([#&#8203;19831](astral-sh/uv#19831))
- Add `TY` and `RUFF` env vars for providing paths for binaries used by `uv format` and `uv check` ([#&#8203;19821](astral-sh/uv#19821))

##### Preview features

- Allow configuring preview features in `uv.toml` and `pyproject.toml` ([#&#8203;18437](astral-sh/uv#18437))
- Update the lockfile during `uv check --no-sync` ([#&#8203;19909](astral-sh/uv#19909))
- Add `--script` to `uv check` and `uv metadata` ([#&#8203;19860](astral-sh/uv#19860))
- Report workspace-exclusive dependency groups in `workspace metadata` ([#&#8203;19862](astral-sh/uv#19862))
- Support SARIF as a `uv audit` output ([#&#8203;19872](astral-sh/uv#19872))

##### Performance

- Use a more deadlock-resistant concurrent hashmap in the resolver ([#&#8203;19532](astral-sh/uv#19532))

##### Bug fixes

- Update string marker ordering semantics to match [upstream clarified rules](pypa/packaging.python.org#1988) ([#&#8203;19808](astral-sh/uv#19808))
- Reject extras that have the same normalized name ([#&#8203;19871](astral-sh/uv#19871))
- Reject dependency group `include-group` entries that have additional fields ([#&#8203;19866](astral-sh/uv#19866))
- Reject invalid UTF-8 URL credentials ([#&#8203;19814](astral-sh/uv#19814))
- Validate that PEP 517 `backend-path`s exist when building sdists ([#&#8203;19834](astral-sh/uv#19834))
- Validate that `pylock.toml` files do not have an unsupported a `lock-version` ([#&#8203;19869](astral-sh/uv#19869))
- Validate that the environment satisfies the `packages.requires-python` of a `pylock.toml` ([#&#8203;19868](astral-sh/uv#19868))
- Allow `uv` to be recursively invoked by PEP 517 build hooks ([#&#8203;19879](astral-sh/uv#19879))
- Allow empty `credentials.toml` files ([#&#8203;19815](astral-sh/uv#19815))
- Fix transparent Python upgrades in project environments ([#&#8203;19890](astral-sh/uv#19890))
- Handle non-file editable URLs in `uv pip list` ([#&#8203;19867](astral-sh/uv#19867))
- Fix incorrect output from `uv tree --invert` ([#&#8203;19910](astral-sh/uv#19910))
- Fix environment locking of `uv venv` in a project ([#&#8203;19837](astral-sh/uv#19837))
- Fix handling of workspace-exclusive dependency groups in `uv tree` ([#&#8203;19905](astral-sh/uv#19905))

##### Documentation

- Archive the 0.10.x changelog ([#&#8203;19813](astral-sh/uv#19813))

##### Other changes

- Mark more tests as requiring network for vendors that need to run tests offline ([#&#8203;19819](astral-sh/uv#19819))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjIzMi4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6cGF0Y2giXX0=-->
zsol added a commit that referenced this pull request Jul 9, 2026
…#20078)

`Lock::dependency_selection` selects the exact locked package for a
direct project dependency, but the result currently discards
information, like selected extras or dependency-group conflict context
(used to select conflict forks). This isn't critical for our current use
cases (ruff and ty), but it's worth fixing to avoid future confusion.

For a relatively contrived example, a workspace may use a local build of
`ty` that depends on `a`, with two mutually exclusive groups pinning
`a==1` and `a==2`. With `uv check --no-sync`, uv selects the correct
locked `ty` for the enabled group, but previously discarded that group
context when building the cached environment. The marker on `ty`’s
dependency still referred to the project conflict outside the synthetic
tool subgraph, so materialization failed instead of selecting the
corresponding `a` fork.

This PR returns a `SelectedDependency` containing the exact package, the
union of extras from applicable direct edges, and the production or
dependency-group context. `Lock::to_resolution_from_dependency` passes
that information into the existing locked-subgraph traversal, activating
selected extras and resolving project conflict items even though the
project itself is outside the cached subgraph.

This is a follow-up to #19982 and #19989.
hbjydev pushed a commit to hbjydev/phoebe that referenced this pull request Jul 10, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [uv](https://github.com/astral-sh/uv) | patch | `0.11.24` → `0.11.28` |

---

### Release Notes

<details>
<summary>astral-sh/uv (uv)</summary>

### [`v0.11.28`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01128)

[Compare Source](astral-sh/uv@0.11.27...0.11.28)

Released on 2026-07-07.

##### Security

This release updates our ZIP library, [astral-async-zip](https://github.com/astral-sh/rs-async-zip), to v0.0.20, which includes 15 changes that harden our ZIP handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject ZIP archives with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/rs-async-zip@v0.0.18...v0.0.20) for a full list of changes.

##### Python

- Upgrade GraalPy to 25.1.3 ([#&#8203;20069](astral-sh/uv#20069))

##### Enhancements

- Improve trace logs for unexpected error chains ([#&#8203;20220](astral-sh/uv#20220))
- Move lockfile update guidance to a hint ([#&#8203;20219](astral-sh/uv#20219))
- Preserve indentation for multiline error causes ([#&#8203;20156](astral-sh/uv#20156))
- Render user errors with their cause chains ([#&#8203;20217](astral-sh/uv#20217))
- Route final command errors through the printer to respect `-q` and `-qq` ([#&#8203;20163](astral-sh/uv#20163))
- Use standard rendering for `uv build` errors ([#&#8203;20159](astral-sh/uv#20159))
- Use standard rendering for tool requirement errors ([#&#8203;20160](astral-sh/uv#20160))

##### Performance

- Only compile bytecode for installed distributions in `uv pip install` ([#&#8203;19914](astral-sh/uv#19914))
- Avoid allocating URL-safe Git revisions ([#&#8203;20194](astral-sh/uv#20194))
- Avoid allocating canonical Python request strings ([#&#8203;20193](astral-sh/uv#20193))
- Avoid allocating custom Astral mirror URLs ([#&#8203;20204](astral-sh/uv#20204))
- Avoid allocating expanded compatibility tags ([#&#8203;20190](astral-sh/uv#20190))
- Avoid allocating shell strings that need no escaping ([#&#8203;20196](astral-sh/uv#20196))
- Avoid allocating static ABI descriptions ([#&#8203;20201](astral-sh/uv#20201))
- Avoid allocating static Windows executable names ([#&#8203;20200](astral-sh/uv#20200))
- Avoid allocating static dependency table names ([#&#8203;20199](astral-sh/uv#20199))
- Avoid allocating static platform triple components ([#&#8203;20195](astral-sh/uv#20195))
- Avoid allocating static resolver report labels ([#&#8203;20198](astral-sh/uv#20198))
- Avoid allocating static unavailable-version messages ([#&#8203;20197](astral-sh/uv#20197))
- Avoid allocating unchanged Python download architectures ([#&#8203;20202](astral-sh/uv#20202))
- Avoid allocating unchanged paths during case normalization ([#&#8203;20203](astral-sh/uv#20203))
- Avoid allocations when expanding group conflicts ([#&#8203;20211](astral-sh/uv#20211))
- Avoid allocations when formatting requirements ([#&#8203;20206](astral-sh/uv#20206))
- Avoid cloning credential lookup services ([#&#8203;20210](astral-sh/uv#20210))
- Avoid cloning dry-run distributions ([#&#8203;20209](astral-sh/uv#20209))
- Avoid cloning owned dependency metadata ([#&#8203;20212](astral-sh/uv#20212))
- Avoid redundant direct URL clones ([#&#8203;20207](astral-sh/uv#20207))
- Create metadata version errors lazily ([#&#8203;20205](astral-sh/uv#20205))
- Optimize expanded tag compatibility checks ([#&#8203;20171](astral-sh/uv#20171))
- Optimize parsing of single-digit three-part versions ([#&#8203;20118](astral-sh/uv#20118))

##### Bug fixes

- Avoid overflow when computing HTTP cache age ([#&#8203;20178](astral-sh/uv#20178))
- Respect `--upgrade` when `upgrade-package` is configured ([#&#8203;19955](astral-sh/uv#19955))
- Support `uv tree` in dependency-group-only projects ([#&#8203;20167](astral-sh/uv#20167))
- Treat cache entries as stale at exact expiration ([#&#8203;20183](astral-sh/uv#20183))

### [`v0.11.27`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01127)

[Compare Source](astral-sh/uv@0.11.26...0.11.27)

Released on 2026-07-06.

##### Enhancements

- Continue on ignored errors when fetching wheel metadata ([#&#8203;12255](astral-sh/uv#12255))
- Use caching for `--python-downloads-json-url` ([#&#8203;16749](astral-sh/uv#16749))

##### Preview features

- Discover extensionless shebang scripts in `uv workspace list --scripts` ([#&#8203;20099](astral-sh/uv#20099))

##### Performance

- Avoid full site-packages scans for direct reinstalls ([#&#8203;20119](astral-sh/uv#20119))
- Avoid redundant pyproject parsing ([#&#8203;20076](astral-sh/uv#20076))
- Cache default dependency markers when reading locks ([#&#8203;20125](astral-sh/uv#20125))
- Enable SIMD-accelerated TOML parsing ([#&#8203;20079](astral-sh/uv#20079))
- Intern `requires-python` specifiers in Simple API parsing ([#&#8203;20104](astral-sh/uv#20104))
- Read cache entries into exact-sized buffers ([#&#8203;20120](astral-sh/uv#20120))
- Reduce VersionSpecifiers parsing allocations ([#&#8203;20105](astral-sh/uv#20105))
- Reduce site-packages scan allocation overhead ([#&#8203;20087](astral-sh/uv#20087))
- Reuse package names when parsing wheel filenames ([#&#8203;20110](astral-sh/uv#20110))
- Sort Simple API files after grouping ([#&#8203;20112](astral-sh/uv#20112))

##### Bug fixes

- Always emit `packages` table for pylock.toml ([#&#8203;20145](astral-sh/uv#20145))
- Avoid blank line for empty `uv pip tree` ([#&#8203;20062](astral-sh/uv#20062))
- Encode hashes in file paths ([#&#8203;19807](astral-sh/uv#19807))
- Error on a registry uv.lock package without a version instead of panicking ([#&#8203;19855](astral-sh/uv#19855))
- Preserve conditional extra markers in exports ([#&#8203;20148](astral-sh/uv#20148))
- Skip the ambiguous authority check for file transport VCS URLs ([#&#8203;20086](astral-sh/uv#20086))
- Sync index format when `uv add --index` updates an existing index URL ([#&#8203;19818](astral-sh/uv#19818))

##### Other changes

- Re-add `pub` APIs used in Pixi ([#&#8203;20074](astral-sh/uv#20074))
- Update Rust toolchain to 1.96.1 ([#&#8203;20103](astral-sh/uv#20103))

### [`v0.11.26`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01126)

[Compare Source](astral-sh/uv@0.11.25...0.11.26)

Released on 2026-06-30.

##### Performance

- Adapt uv to IDs-only PubGrub dependencies ([#&#8203;20048](astral-sh/uv#20048))
- Avoid allocations in `ForkMap::contains` ([#&#8203;20023](astral-sh/uv#20023))
- Reuse resolver work across PubGrub iterations ([#&#8203;20020](astral-sh/uv#20020))
- Speed up candidate selection for disjoint ranges ([#&#8203;20026](astral-sh/uv#20026))

##### Bug fixes

- Warn when the build cache is inside the source directory ([#&#8203;20056](astral-sh/uv#20056))

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZSIsInR5cGUvcGF0Y2giXX0=-->

Reviewed-on: https://forgejo.hayden.moe/hayden/phoebe/pulls/203
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants