diff --git a/CHANGELOG.md b/CHANGELOG.md index f1e59ee58..fc6dc4fa2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,43 @@ + +## 0.8.7 + +### Python + +- On Mac/Linux, libtcl, libtk, and _tkinter are built as separate shared objects, which fixes matplotlib's `tkagg` backend (the default on Linux), Pillow's `PIL.ImageTk` library, and other extension modules that need to use libtcl/libtk directly. +- Tix is no longer provided on Linux. This is a deprecated Tk extension that appears to have been previously broken. + +See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250808) for details. + +### Enhancements + +- Do not update `uv.lock` when using `--isolated` ([#15154](https://github.com/astral-sh/uv/pull/15154)) +- Add support for `--prefix` and `--with` installations in `find_uv_bin` ([#14184](https://github.com/astral-sh/uv/pull/14184)) +- Add support for discovering base prefix installations in `find_uv_bin` ([#14181](https://github.com/astral-sh/uv/pull/14181)) +- Improve error messages in `find_uv_bin` ([#14182](https://github.com/astral-sh/uv/pull/14182)) +- Warn when two packages write to the same module ([#13437](https://github.com/astral-sh/uv/pull/13437)) + +### Preview features + +- Add support for `package`-level conflicts in workspaces ([#14906](https://github.com/astral-sh/uv/pull/14906)) + +### Configuration + +- Add `UV_DEV` and `UV_NO_DEV` environment variables (for `--dev` and `--no-dev`) ([#15010](https://github.com/astral-sh/uv/pull/15010)) + +### Bug fixes + +- Fix regression where `--require-hashes` applied to build dependencies in `uv pip install` ([#15153](https://github.com/astral-sh/uv/pull/15153)) +- Ignore GraalPy devtags ([#15013](https://github.com/astral-sh/uv/pull/15013)) +- Include all site packages directories in ephemeral environment overlays ([#15121](https://github.com/astral-sh/uv/pull/15121)) +- Search in the user scheme scripts directory last in `find_uv_bin` ([#14191](https://github.com/astral-sh/uv/pull/14191)) + +### Documentation + +- Add missing periods (`.`) to list elements in `Features` docs page ([#15138](https://github.com/astral-sh/uv/pull/15138)) + ## 0.8.6 This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser ([CVE-2025-54368](https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8)). @@ -10,7 +47,7 @@ Prior to this release, attackers could construct ZIP files that would be extract Thanks to a triage effort with the [Python Security Response Team](https://devguide.python.org/developer-workflow/psrt/) and PyPI maintainers, we were able to determine that these differentials **were not exploited** via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload. -Although the practical risk of exploitation is low, we take the _hypothetical_ risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion. +Although the practical risk of exploitation is low, we take the *hypothetical* risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion. These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable `UV_INSECURE_NO_ZIP_VALIDATION` to restore the previous behavior. If you encounter such a rejection, please file an issue in uv and to the upstream package. diff --git a/Cargo.lock b/Cargo.lock index dd172cfe9..5d61e2b3d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4655,7 +4655,7 @@ dependencies = [ [[package]] name = "uv" -version = "0.8.6" +version = "0.8.7" dependencies = [ "anstream", "anyhow", @@ -4824,7 +4824,7 @@ dependencies = [ [[package]] name = "uv-build" -version = "0.8.6" +version = "0.8.7" dependencies = [ "anyhow", "uv-build-backend", @@ -6046,7 +6046,7 @@ dependencies = [ [[package]] name = "uv-version" -version = "0.8.6" +version = "0.8.7" [[package]] name = "uv-virtualenv" diff --git a/crates/uv-build/Cargo.toml b/crates/uv-build/Cargo.toml index ddcd54998..f570b9d00 100644 --- a/crates/uv-build/Cargo.toml +++ b/crates/uv-build/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "uv-build" -version = "0.8.6" +version = "0.8.7" edition = { workspace = true } rust-version = { workspace = true } homepage = { workspace = true } diff --git a/crates/uv-build/pyproject.toml b/crates/uv-build/pyproject.toml index adb0f9240..be43a50ef 100644 --- a/crates/uv-build/pyproject.toml +++ b/crates/uv-build/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "uv-build" -version = "0.8.6" +version = "0.8.7" description = "The uv build backend" authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }] requires-python = ">=3.8" diff --git a/crates/uv-version/Cargo.toml b/crates/uv-version/Cargo.toml index e9a541473..6faf58688 100644 --- a/crates/uv-version/Cargo.toml +++ b/crates/uv-version/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "uv-version" -version = "0.8.6" +version = "0.8.7" edition = { workspace = true } rust-version = { workspace = true } homepage = { workspace = true } diff --git a/crates/uv/Cargo.toml b/crates/uv/Cargo.toml index eb0396992..3cd9842cf 100644 --- a/crates/uv/Cargo.toml +++ b/crates/uv/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "uv" -version = "0.8.6" +version = "0.8.7" edition = { workspace = true } rust-version = { workspace = true } homepage = { workspace = true } diff --git a/docs/concepts/build-backend.md b/docs/concepts/build-backend.md index 3a380a089..4b8d3fbf6 100644 --- a/docs/concepts/build-backend.md +++ b/docs/concepts/build-backend.md @@ -31,7 +31,7 @@ To use uv as a build backend in an existing project, add `uv_build` to the ```toml title="pyproject.toml" [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` diff --git a/docs/concepts/projects/init.md b/docs/concepts/projects/init.md index 11dc52c49..620847e86 100644 --- a/docs/concepts/projects/init.md +++ b/docs/concepts/projects/init.md @@ -111,7 +111,7 @@ dependencies = [] example-pkg = "example_pkg:main" [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` @@ -134,7 +134,7 @@ dependencies = [] example-pkg = "example_pkg:main" [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` @@ -195,7 +195,7 @@ requires-python = ">=3.11" dependencies = [] [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` diff --git a/docs/concepts/projects/workspaces.md b/docs/concepts/projects/workspaces.md index 895e870d4..28289af2b 100644 --- a/docs/concepts/projects/workspaces.md +++ b/docs/concepts/projects/workspaces.md @@ -75,7 +75,7 @@ bird-feeder = { workspace = true } members = ["packages/*"] [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` @@ -106,7 +106,7 @@ tqdm = { git = "https://github.com/tqdm/tqdm" } members = ["packages/*"] [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` @@ -188,7 +188,7 @@ dependencies = ["bird-feeder", "tqdm>=4,<5"] bird-feeder = { path = "packages/bird-feeder" } [build-system] -requires = ["uv_build>=0.8.6,<0.9.0"] +requires = ["uv_build>=0.8.7,<0.9.0"] build-backend = "uv_build" ``` diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md index 1ec3f7552..b6a561b93 100644 --- a/docs/getting-started/installation.md +++ b/docs/getting-started/installation.md @@ -25,7 +25,7 @@ uv provides a standalone installer to download and install uv: Request a specific version by including it in the URL: ```console - $ curl -LsSf https://astral.sh/uv/0.8.6/install.sh | sh + $ curl -LsSf https://astral.sh/uv/0.8.7/install.sh | sh ``` === "Windows" @@ -41,7 +41,7 @@ uv provides a standalone installer to download and install uv: Request a specific version by including it in the URL: ```pwsh-session - PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.6/install.ps1 | iex" + PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.7/install.ps1 | iex" ``` !!! tip diff --git a/docs/guides/integration/aws-lambda.md b/docs/guides/integration/aws-lambda.md index a703a1d34..a88b96a9e 100644 --- a/docs/guides/integration/aws-lambda.md +++ b/docs/guides/integration/aws-lambda.md @@ -92,7 +92,7 @@ the second stage, we'll copy this directory over to the final image, omitting th other unnecessary files. ```dockerfile title="Dockerfile" -FROM ghcr.io/astral-sh/uv:0.8.6 AS uv +FROM ghcr.io/astral-sh/uv:0.8.7 AS uv # First, bundle the dependencies into the task root. FROM public.ecr.aws/lambda/python:3.13 AS builder @@ -334,7 +334,7 @@ And confirm that opening http://127.0.0.1:8000/ in a web browser displays, "Hell Finally, we'll update the Dockerfile to include the local library in the deployment package: ```dockerfile title="Dockerfile" -FROM ghcr.io/astral-sh/uv:0.8.6 AS uv +FROM ghcr.io/astral-sh/uv:0.8.7 AS uv # First, bundle the dependencies into the task root. FROM public.ecr.aws/lambda/python:3.13 AS builder diff --git a/docs/guides/integration/docker.md b/docs/guides/integration/docker.md index f39e9e890..e1f394de3 100644 --- a/docs/guides/integration/docker.md +++ b/docs/guides/integration/docker.md @@ -31,7 +31,7 @@ $ docker run --rm -it ghcr.io/astral-sh/uv:debian uv --help The following distroless images are available: - `ghcr.io/astral-sh/uv:latest` -- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.6` +- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.7` - `ghcr.io/astral-sh/uv:{major}.{minor}`, e.g., `ghcr.io/astral-sh/uv:0.8` (the latest patch version) @@ -75,7 +75,7 @@ And the following derived images are available: As with the distroless image, each derived image is published with uv version tags as `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}-{base}` and -`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.6-alpine`. +`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.7-alpine`. In addition, starting with `0.8` each derived image also sets `UV_TOOL_BIN_DIR` to `/usr/local/bin` to allow `uv tool install` to work as expected with the default user. @@ -116,7 +116,7 @@ Note this requires `curl` to be available. In either case, it is best practice to pin to a specific uv version, e.g., with: ```dockerfile -COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/ +COPY --from=ghcr.io/astral-sh/uv:0.8.7 /uv /uvx /bin/ ``` !!! tip @@ -134,7 +134,7 @@ COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/ Or, with the installer: ```dockerfile -ADD https://astral.sh/uv/0.8.6/install.sh /uv-installer.sh +ADD https://astral.sh/uv/0.8.7/install.sh /uv-installer.sh ``` ### Installing a project @@ -560,5 +560,5 @@ Verified OK !!! tip These examples use `latest`, but best practice is to verify the attestation for a specific - version tag, e.g., `ghcr.io/astral-sh/uv:0.8.6`, or (even better) the specific image digest, + version tag, e.g., `ghcr.io/astral-sh/uv:0.8.7`, or (even better) the specific image digest, such as `ghcr.io/astral-sh/uv:0.5.27@sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f`. diff --git a/docs/guides/integration/github.md b/docs/guides/integration/github.md index d78be45d4..7a5a4c8a5 100644 --- a/docs/guides/integration/github.md +++ b/docs/guides/integration/github.md @@ -47,7 +47,7 @@ jobs: uses: astral-sh/setup-uv@v6 with: # Install a specific version of uv. - version: "0.8.6" + version: "0.8.7" ``` ## Setting up Python diff --git a/docs/guides/integration/pre-commit.md b/docs/guides/integration/pre-commit.md index 854ace3b2..5c48b8274 100644 --- a/docs/guides/integration/pre-commit.md +++ b/docs/guides/integration/pre-commit.md @@ -19,7 +19,7 @@ To make sure your `uv.lock` file is up to date even if your `pyproject.toml` fil repos: - repo: https://github.com/astral-sh/uv-pre-commit # uv version. - rev: 0.8.6 + rev: 0.8.7 hooks: - id: uv-lock ``` @@ -30,7 +30,7 @@ To keep a `requirements.txt` file in sync with your `uv.lock` file: repos: - repo: https://github.com/astral-sh/uv-pre-commit # uv version. - rev: 0.8.6 + rev: 0.8.7 hooks: - id: uv-export ``` @@ -41,7 +41,7 @@ To compile requirements files: repos: - repo: https://github.com/astral-sh/uv-pre-commit # uv version. - rev: 0.8.6 + rev: 0.8.7 hooks: # Compile requirements - id: pip-compile @@ -54,7 +54,7 @@ To compile alternative requirements files, modify `args` and `files`: repos: - repo: https://github.com/astral-sh/uv-pre-commit # uv version. - rev: 0.8.6 + rev: 0.8.7 hooks: # Compile requirements - id: pip-compile @@ -68,7 +68,7 @@ To run the hook over multiple files at the same time, add additional entries: repos: - repo: https://github.com/astral-sh/uv-pre-commit # uv version. - rev: 0.8.6 + rev: 0.8.7 hooks: # Compile requirements - id: pip-compile diff --git a/pyproject.toml b/pyproject.toml index ff59a2408..067bc304f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "maturin" [project] name = "uv" -version = "0.8.6" +version = "0.8.7" description = "An extremely fast Python package and project manager, written in Rust." authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }] requires-python = ">=3.8" diff --git a/python/uv/_find_uv.py b/python/uv/_find_uv.py index 8ee5b9355..736288a4c 100644 --- a/python/uv/_find_uv.py +++ b/python/uv/_find_uv.py @@ -46,9 +46,9 @@ def find_uv_bin() -> str: if os.path.isfile(path): return path + locations = "\n".join(f" - {target}" for target in seen) raise UvNotFound( - f"Could not find the uv binary in any of the following locations:\n" - f"{'\n'.join(f' - {target}' for target in seen)}\n" + f"Could not find the uv binary in any of the following locations:\n{locations}\n" )