mirror of
https://github.com/astral-sh/uv.git
synced 2025-08-22 11:34:09 +00:00
## Summary

uv will now reject ZIP files that meet any of the following conditions:

- Multiple local header entries exist for the same file with different contents.
- A local header entry exists for a file that isn't included in the end-of-central directory record.
- An entry exists in the end-of-central directory record that does not have a corresponding local header.
- The ZIP file contains contents after the first end-of-central directory record.
- The CRC32 doesn't match between the local file header and the end-of-central directory record.
- The compressed size doesn't match between the local file header and the end-of-central directory record.
- The uncompressed size doesn't match between the local file header and the end-of-central directory record.
- The reported central directory offset (in the end-of-central-directory header) does not match the actual offset.
- The reported ZIP64 end of central directory locator offset does not match the actual offset.

We also validate the above for files with data descriptors, which we previously ignored.

Wheels from the most recent releases of the top 15,000 packages on PyPI have been confirmed to pass these checks, and PyPI will also reject ZIPs under many of the same conditions (at upload time) in the future.

In rare cases, this validation can be disabled by setting `UV_INSECURE_NO_ZIP_VALIDATION=1`. Any validations should be reported to the uv issue tracker and to the upstream package maintainer.

- src
- Cargo.toml
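
A subset of the consistency checks listed in the summary above, written as an added Python example; it is not code from uv, and the names `audit_zip` and `sample_wheel` and the sample archive are constructed here. It assumes a single-disk archive without ZIP64 records and skips entries that use data descriptors.

```python
import io, struct, zipfile

EOCD = struct.Struct("<4s4H2LH")     # end-of-central-directory record (22 bytes)
CDFH = struct.Struct("<4s6H3L5H2L")  # central directory file header (46 bytes)
LFH = struct.Struct("<4s5H3L2H")     # local file header (30 bytes)

def audit_zip(data: bytes) -> list[str]:
    """List disagreements between local headers and the central directory."""
    problems = []
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        return ["no end-of-central-directory record"]
    *_, total, cd_size, cd_off, _ = EOCD.unpack_from(data, eocd_at)
    pos = eocd_at - cd_size  # where the central directory really starts
    if cd_off != pos:
        problems.append(f"central directory offset {cd_off} != actual {pos}")
    listed = set()
    for _ in range(total):
        f = CDFH.unpack_from(data, pos)
        crc, csize, usize, nlen, elen, clen, lho = *f[7:13], f[16]
        name = data[pos + CDFH.size : pos + CDFH.size + nlen]
        pos += CDFH.size + nlen + elen + clen
        listed.add(lho)
        if data[lho : lho + 4] != b"PK\x03\x04":
            problems.append(f"{name!r}: no local header at offset {lho}")
            continue
        loc = LFH.unpack_from(data, lho)
        if loc[2] & 0x08:  # sizes live in a data descriptor; not handled here
            continue
        lname = data[lho + LFH.size : lho + LFH.size + loc[9]]
        for field, a, b in (("name", lname, name), ("crc32", loc[6], crc),
                            ("compressed size", loc[7], csize),
                            ("uncompressed size", loc[8], usize)):
            if a != b:
                problems.append(f"{name!r}: {field} differs (local {a!r}, central {b!r})")
    pos = 0  # walk local headers from the start to find entries the directory omits
    while data[pos : pos + 4] == b"PK\x03\x04":
        loc = LFH.unpack_from(data, pos)
        if pos not in listed:
            problems.append(f"local header at offset {pos} not in central directory")
        pos += LFH.size + loc[9] + loc[10] + loc[7]
    return problems

def sample_wheel() -> bytes:  # constructed sample: a two-file archive built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg-1.0.dist-info/METADATA", "Name: pkg\nVersion: 1.0\n")
    return buf.getvalue()
```

`audit_zip(sample_wheel())` returns an empty list; altering the CRC32 in a central directory entry, or the offset stored in the end-of-central-directory record, yields one finding each.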