Bump version to 0.8.7 (#15173)

Zanie Blue 2025-08-08 14:42:23 -05:00 committed by GitHub
parent d1beb7f640
commit 8a22572338
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 70 additions and 33 deletions

@ -2,6 +2,43 @@
<!-- prettier-ignore-start --> <!-- prettier-ignore-start -->
## 0.8.7
### Python
- On Mac/Linux, libtcl, libtk, and _tkinter are built as separate shared objects, which fixes matplotlib's `tkagg` backend (the default on Linux), Pillow's `PIL.ImageTk` library, and other extension modules that need to use libtcl/libtk directly.
- Tix is no longer provided on Linux. This is a deprecated Tk extension that appears to have been previously broken.
See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250808) for details.
### Enhancements
- Do not update `uv.lock` when using `--isolated` ([#15154](https://github.com/astral-sh/uv/pull/15154))
- Add support for `--prefix` and `--with` installations in `find_uv_bin` ([#14184](https://github.com/astral-sh/uv/pull/14184))
- Add support for discovering base prefix installations in `find_uv_bin` ([#14181](https://github.com/astral-sh/uv/pull/14181))
- Improve error messages in `find_uv_bin` ([#14182](https://github.com/astral-sh/uv/pull/14182))
- Warn when two packages write to the same module ([#13437](https://github.com/astral-sh/uv/pull/13437))
### Preview features
- Add support for `package`-level conflicts in workspaces ([#14906](https://github.com/astral-sh/uv/pull/14906))
### Configuration
- Add `UV_DEV` and `UV_NO_DEV` environment variables (for `--dev` and `--no-dev`) ([#15010](https://github.com/astral-sh/uv/pull/15010))
### Bug fixes
- Fix regression where `--require-hashes` applied to build dependencies in `uv pip install` ([#15153](https://github.com/astral-sh/uv/pull/15153))
- Ignore GraalPy devtags ([#15013](https://github.com/astral-sh/uv/pull/15013))
- Include all site packages directories in ephemeral environment overlays ([#15121](https://github.com/astral-sh/uv/pull/15121))
- Search in the user scheme scripts directory last in `find_uv_bin` ([#14191](https://github.com/astral-sh/uv/pull/14191))
### Documentation
- Add missing periods (`.`) to list elements in `Features` docs page ([#15138](https://github.com/astral-sh/uv/pull/15138))
## 0.8.6 ## 0.8.6
This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser ([CVE-2025-54368](https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8)). This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser ([CVE-2025-54368](https://github.com/astral-sh/uv/security/advisories/GHSA-8qf3-x8v5-2pj8)).
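Review bot: The `--require-hashes` entry under "Bug fixes" names the regression but not the resulting behaviour or the releases that carried it. Anyone using `--require-hashes` as a supply-chain control in `uv pip install` needs to know what is and is not hash-checked after upgrading, so suggest stating the outcome directly (if the intent is that build dependencies are exempt again, say so) and naming the affected versions. Also, "Tix is no longer provided on Linux" is a removal and is easy to miss under the "Python" heading; consider flagging it more visibly.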
@ -10,7 +47,7 @@ Prior to this release, attackers could construct ZIP files that would be extract
Thanks to a triage effort with the [Python Security Response Team](https://devguide.python.org/developer-workflow/psrt/) and PyPI maintainers, we were able to determine that these differentials **were not exploited** via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload. Thanks to a triage effort with the [Python Security Response Team](https://devguide.python.org/developer-workflow/psrt/) and PyPI maintainers, we were able to determine that these differentials **were not exploited** via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload.
Although the practical risk of exploitation is low, we take the _hypothetical_ risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion. Although the practical risk of exploitation is low, we take the *hypothetical* risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion.
These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable `UV_INSECURE_NO_ZIP_VALIDATION` to restore the previous behavior. If you encounter such a rejection, please file an issue in uv and to the upstream package. These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable `UV_INSECURE_NO_ZIP_VALIDATION` to restore the previous behavior. If you encounter such a rejection, please file an issue in uv and to the upstream package.
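Review bot: The only change in this hunk is the emphasis marker on "hypothetical" in the 0.8.6 security note (`_hypothetical_` to `*hypothetical*`), which is unrelated to the 0.8.7 bump. If it came from a formatter run, consider keeping it out of the release commit so the published text of the CVE-2025-54368 note is not edited as a side effect of a version bump; the rendered output is the same either way.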

Cargo.lock generated

@ -4655,7 +4655,7 @@ dependencies = [
[[package]] [[package]]
name = "uv" name = "uv"
version = "0.8.6" version = "0.8.7"
dependencies = [ dependencies = [
"anstream", "anstream",
"anyhow", "anyhow",
@ -4824,7 +4824,7 @@ dependencies = [
[[package]] [[package]]
name = "uv-build" name = "uv-build"
version = "0.8.6" version = "0.8.7"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"uv-build-backend", "uv-build-backend",
@ -6046,7 +6046,7 @@ dependencies = [
[[package]] [[package]]
name = "uv-version" name = "uv-version"
version = "0.8.6" version = "0.8.7"
[[package]] [[package]]
name = "uv-virtualenv" name = "uv-virtualenv"

@ -1,6 +1,6 @@
[package] [package]
name = "uv-build" name = "uv-build"
version = "0.8.6" version = "0.8.7"
edition = { workspace = true } edition = { workspace = true }
rust-version = { workspace = true } rust-version = { workspace = true }
homepage = { workspace = true } homepage = { workspace = true }

@ -1,6 +1,6 @@
[project] [project]
name = "uv-build" name = "uv-build"
version = "0.8.6" version = "0.8.7"
description = "The uv build backend" description = "The uv build backend"
authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }] authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }]
requires-python = ">=3.8" requires-python = ">=3.8"

@ -1,6 +1,6 @@
[package] [package]
name = "uv-version" name = "uv-version"
version = "0.8.6" version = "0.8.7"
edition = { workspace = true } edition = { workspace = true }
rust-version = { workspace = true } rust-version = { workspace = true }
homepage = { workspace = true } homepage = { workspace = true }

@ -1,6 +1,6 @@
[package] [package]
name = "uv" name = "uv"
version = "0.8.6" version = "0.8.7"
edition = { workspace = true } edition = { workspace = true }
rust-version = { workspace = true } rust-version = { workspace = true }
homepage = { workspace = true } homepage = { workspace = true }

@ -31,7 +31,7 @@ To use uv as a build backend in an existing project, add `uv_build` to the
```toml title="pyproject.toml" ```toml title="pyproject.toml"
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```

@ -111,7 +111,7 @@ dependencies = []
example-pkg = "example_pkg:main" example-pkg = "example_pkg:main"
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```
@ -134,7 +134,7 @@ dependencies = []
example-pkg = "example_pkg:main" example-pkg = "example_pkg:main"
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```
@ -195,7 +195,7 @@ requires-python = ">=3.11"
dependencies = [] dependencies = []
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```

@ -75,7 +75,7 @@ bird-feeder = { workspace = true }
members = ["packages/*"] members = ["packages/*"]
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```
@ -106,7 +106,7 @@ tqdm = { git = "https://github.com/tqdm/tqdm" }
members = ["packages/*"] members = ["packages/*"]
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```
@ -188,7 +188,7 @@ dependencies = ["bird-feeder", "tqdm>=4,<5"]
bird-feeder = { path = "packages/bird-feeder" } bird-feeder = { path = "packages/bird-feeder" }
[build-system] [build-system]
requires = ["uv_build>=0.8.6,<0.9.0"] requires = ["uv_build>=0.8.7,<0.9.0"]
build-backend = "uv_build" build-backend = "uv_build"
``` ```

@ -25,7 +25,7 @@ uv provides a standalone installer to download and install uv:
Request a specific version by including it in the URL: Request a specific version by including it in the URL:
```console ```console
$ curl -LsSf https://astral.sh/uv/0.8.6/install.sh | sh $ curl -LsSf https://astral.sh/uv/0.8.7/install.sh | sh
``` ```
=== "Windows" === "Windows"
@ -41,7 +41,7 @@ uv provides a standalone installer to download and install uv:
Request a specific version by including it in the URL: Request a specific version by including it in the URL:
```pwsh-session ```pwsh-session
PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.6/install.ps1 | iex" PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.7/install.ps1 | iex"
``` ```
!!! tip !!! tip

@ -92,7 +92,7 @@ the second stage, we'll copy this directory over to the final image, omitting th
other unnecessary files. other unnecessary files.
```dockerfile title="Dockerfile" ```dockerfile title="Dockerfile"
FROM ghcr.io/astral-sh/uv:0.8.6 AS uv FROM ghcr.io/astral-sh/uv:0.8.7 AS uv
# First, bundle the dependencies into the task root. # First, bundle the dependencies into the task root.
FROM public.ecr.aws/lambda/python:3.13 AS builder FROM public.ecr.aws/lambda/python:3.13 AS builder
@ -334,7 +334,7 @@ And confirm that opening http://127.0.0.1:8000/ in a web browser displays, "Hell
Finally, we'll update the Dockerfile to include the local library in the deployment package: Finally, we'll update the Dockerfile to include the local library in the deployment package:
```dockerfile title="Dockerfile" ```dockerfile title="Dockerfile"
FROM ghcr.io/astral-sh/uv:0.8.6 AS uv FROM ghcr.io/astral-sh/uv:0.8.7 AS uv
# First, bundle the dependencies into the task root. # First, bundle the dependencies into the task root.
FROM public.ecr.aws/lambda/python:3.13 AS builder FROM public.ecr.aws/lambda/python:3.13 AS builder

@ -31,7 +31,7 @@ $ docker run --rm -it ghcr.io/astral-sh/uv:debian uv --help
The following distroless images are available: The following distroless images are available:
- `ghcr.io/astral-sh/uv:latest` - `ghcr.io/astral-sh/uv:latest`
- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.6` - `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.7`
- `ghcr.io/astral-sh/uv:{major}.{minor}`, e.g., `ghcr.io/astral-sh/uv:0.8` (the latest patch - `ghcr.io/astral-sh/uv:{major}.{minor}`, e.g., `ghcr.io/astral-sh/uv:0.8` (the latest patch
version) version)
@ -75,7 +75,7 @@ And the following derived images are available:
As with the distroless image, each derived image is published with uv version tags as As with the distroless image, each derived image is published with uv version tags as
`ghcr.io/astral-sh/uv:{major}.{minor}.{patch}-{base}` and `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}-{base}` and
`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.6-alpine`. `ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.7-alpine`.
In addition, starting with `0.8` each derived image also sets `UV_TOOL_BIN_DIR` to `/usr/local/bin` In addition, starting with `0.8` each derived image also sets `UV_TOOL_BIN_DIR` to `/usr/local/bin`
to allow `uv tool install` to work as expected with the default user. to allow `uv tool install` to work as expected with the default user.
@ -116,7 +116,7 @@ Note this requires `curl` to be available.
In either case, it is best practice to pin to a specific uv version, e.g., with: In either case, it is best practice to pin to a specific uv version, e.g., with:
```dockerfile ```dockerfile
COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/ COPY --from=ghcr.io/astral-sh/uv:0.8.7 /uv /uvx /bin/
``` ```
!!! tip !!! tip
@ -134,7 +134,7 @@ COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/
Or, with the installer: Or, with the installer:
```dockerfile ```dockerfile
ADD https://astral.sh/uv/0.8.6/install.sh /uv-installer.sh ADD https://astral.sh/uv/0.8.7/install.sh /uv-installer.sh
``` ```
### Installing a project ### Installing a project
@ -560,5 +560,5 @@ Verified OK
!!! tip !!! tip
These examples use `latest`, but best practice is to verify the attestation for a specific These examples use `latest`, but best practice is to verify the attestation for a specific
version tag, e.g., `ghcr.io/astral-sh/uv:0.8.6`, or (even better) the specific image digest, version tag, e.g., `ghcr.io/astral-sh/uv:0.8.7`, or (even better) the specific image digest,
such as `ghcr.io/astral-sh/uv:0.5.27@sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f`. such as `ghcr.io/astral-sh/uv:0.5.27@sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f`.
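Review bot: In the attestation tip, the tag example moves to `ghcr.io/astral-sh/uv:0.8.7` but the digest example on the following line still names `ghcr.io/astral-sh/uv:0.5.27@sha256:...`, so after the bump the two examples point at different releases. Since the tip recommends the digest as the stronger pin, suggest either having the release tooling update both together or replacing the digest with an explicit placeholder, so a reader copying the line does not verify an old image by accident.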

@ -47,7 +47,7 @@ jobs:
uses: astral-sh/setup-uv@v6 uses: astral-sh/setup-uv@v6
with: with:
# Install a specific version of uv. # Install a specific version of uv.
version: "0.8.6" version: "0.8.7"
``` ```
## Setting up Python ## Setting up Python

@ -19,7 +19,7 @@ To make sure your `uv.lock` file is up to date even if your `pyproject.toml` fil
repos: repos:
- repo: https://github.com/astral-sh/uv-pre-commit - repo: https://github.com/astral-sh/uv-pre-commit
# uv version. # uv version.
rev: 0.8.6 rev: 0.8.7
hooks: hooks:
- id: uv-lock - id: uv-lock
``` ```
@ -30,7 +30,7 @@ To keep a `requirements.txt` file in sync with your `uv.lock` file:
repos: repos:
- repo: https://github.com/astral-sh/uv-pre-commit - repo: https://github.com/astral-sh/uv-pre-commit
# uv version. # uv version.
rev: 0.8.6 rev: 0.8.7
hooks: hooks:
- id: uv-export - id: uv-export
``` ```
@ -41,7 +41,7 @@ To compile requirements files:
repos: repos:
- repo: https://github.com/astral-sh/uv-pre-commit - repo: https://github.com/astral-sh/uv-pre-commit
# uv version. # uv version.
rev: 0.8.6 rev: 0.8.7
hooks: hooks:
# Compile requirements # Compile requirements
- id: pip-compile - id: pip-compile
@ -54,7 +54,7 @@ To compile alternative requirements files, modify `args` and `files`:
repos: repos:
- repo: https://github.com/astral-sh/uv-pre-commit - repo: https://github.com/astral-sh/uv-pre-commit
# uv version. # uv version.
rev: 0.8.6 rev: 0.8.7
hooks: hooks:
# Compile requirements # Compile requirements
- id: pip-compile - id: pip-compile
@ -68,7 +68,7 @@ To run the hook over multiple files at the same time, add additional entries:
repos: repos:
- repo: https://github.com/astral-sh/uv-pre-commit - repo: https://github.com/astral-sh/uv-pre-commit
# uv version. # uv version.
rev: 0.8.6 rev: 0.8.7
hooks: hooks:
# Compile requirements # Compile requirements
- id: pip-compile - id: pip-compile

@ -4,7 +4,7 @@ build-backend = "maturin"
[project] [project]
name = "uv" name = "uv"
version = "0.8.6" version = "0.8.7"
description = "An extremely fast Python package and project manager, written in Rust." description = "An extremely fast Python package and project manager, written in Rust."
authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }] authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }]
requires-python = ">=3.8" requires-python = ">=3.8"

@ -46,9 +46,9 @@ def find_uv_bin() -> str:
if os.path.isfile(path): if os.path.isfile(path):
return path return path
locations = "\n".join(f" - {target}" for target in seen)
raise UvNotFound( raise UvNotFound(
f"Could not find the uv binary in any of the following locations:\n" f"Could not find the uv binary in any of the following locations:\n{locations}\n"
f"{'\n'.join(f' - {target}' for target in seen)}\n"
) )
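Review bot: This is a functional change to `find_uv_bin` carried inside a "Bump version" commit, and neither the commit message nor the changelog hunk mentions it. The removed line put `'\n'.join(...)` inside an f-string expression, which is a syntax error on Python versions before 3.12, while the package metadata in this same commit declares `requires-python = ">=3.8"`; hoisting the join into `locations` fixes that. Suggest landing it as its own commit (or at least noting it in the message) and adding a CI step that byte-compiles this module on the oldest supported interpreter so the error path cannot regress unnoticed.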