Skip to content

Bump uv from 0.11.24 to 0.11.25#1619

Merged
Donaim merged 1 commit into
masterfrom
dependabot/uv/uv-0.11.25
Jun 29, 2026
Merged

Bump uv from 0.11.24 to 0.11.25#1619
Donaim merged 1 commit into
masterfrom
dependabot/uv/uv-0.11.25

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps uv from 0.11.24 to 0.11.25.

Release notes

Sourced from uv's releases.

0.11.25

Release Notes

Released on 2026-06-26.

Security

This release updates our tar library, astral-tokio-tar, to v0.6.3, which includes over 20 changes that harden our tar handling against parser differentials. uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the upstream commits for a full list of changes.

Enhancements

  • Add a full "lockfile" to tool receipts (#18937)
  • Allow scoped overrides to add dependencies (#19974)
  • Avoid writing redundant lockfile markers with tool.uv.environments (#19933)
  • Factor supported environments out of lockfile markers (#19969)
  • Recommend our own build backend in the build frontend (#19994)
  • Reject wheels with multiple .dist-info directories (#19986)
  • Simplify dependency markers under parent reachability (#19971)
  • Support scoped dependency exclusions (#19977)
  • Support scoped dependency overrides (#19970)
  • Explain why files are skipped in registry index parsing (#19983)

Preview features

  • Add uv workspace list --scripts (#20009)
  • Support centralised environments in uv venv (#19912)
  • Use locked ty versions in uv check (#19884)
  • Add centralized storage of project environments (#18214)
  • Verify lockfile hashes before reusing a cached ty in uv check (#19995)
  • Use locked dependency selection for uv check --script (#19989)

Bug fixes

  • Preserve standalone markers in workspace metadata (#20011)
  • Reject uv build if the cache dir is enclosed (#19991)

Install uv 0.11.25

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.25/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.25/uv-installer.ps1 | iex"
</tr></table> 

... (truncated)

Changelog

Sourced from uv's changelog.

0.11.25

Released on 2026-06-26.

Security

This release updates our tar library, astral-tokio-tar, to v0.6.3, which includes over 20 changes that harden our tar handling against parser differentials. uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the upstream commits for a full list of changes.

Enhancements

  • Add a full "lockfile" to tool receipts (#18937)
  • Allow scoped overrides to add dependencies (#19974)
  • Avoid writing redundant lockfile markers with tool.uv.environments (#19933)
  • Factor supported environments out of lockfile markers (#19969)
  • Recommend our own build backend in the build frontend (#19994)
  • Reject wheels with multiple .dist-info directories (#19986)
  • Simplify dependency markers under parent reachability (#19971)
  • Support scoped dependency exclusions (#19977)
  • Support scoped dependency overrides (#19970)
  • Explain why files are skipped in registry index parsing (#19983)

Preview features

  • Add uv workspace list --scripts (#20009)
  • Support centralised environments in uv venv (#19912)
  • Use locked ty versions in uv check (#19884)
  • Add centralized storage of project environments (#18214)
  • Verify lockfile hashes before reusing a cached ty in uv check (#19995)
  • Use locked dependency selection for uv check --script (#19989)

Bug fixes

  • Preserve standalone markers in workspace metadata (#20011)
  • Reject uv build if the cache dir is enclosed (#19991)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [uv](https://github.com/astral-sh/uv) from 0.11.24 to 0.11.25.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.11.24...0.11.25)

---
updated-dependencies:
- dependency-name: uv
  dependency-version: 0.11.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 29, 2026
@Donaim Donaim merged commit 456649e into master Jun 29, 2026
3 checks passed
@dependabot dependabot Bot deleted the dependabot/uv/uv-0.11.25 branch June 29, 2026 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant