Workflow

Python-uv

Latest version: v0.0.38

Safety actively analyzes 681812 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 26

0.4.30

Enhancements

- Add support for `.env` and custom env files in `uv run` ([8811](https://github.com/astral-sh/uv/pull/8811))
- Add support for `--all-packages` in `uv run`, `uv sync`, and `uv export` ([8742](https://github.com/astral-sh/uv/pull/8742), [#8741](https://github.com/astral-sh/uv/pull/8741), [#8739](https://github.com/astral-sh/uv/pull/8739))
- Allow use of `--frozen` with `--all-packages` in `uv sync` and `uv export` ([8760](https://github.com/astral-sh/uv/pull/8760))
- Show full error chain on tool upgrade failures ([8753](https://github.com/astral-sh/uv/pull/8753))
- Add `--check-url` to `uv publish` to check for existing distributions during upload ([8531](https://github.com/astral-sh/uv/pull/8531))
- Suggest using `--check-url` when `--skip-existing` is used ([8803](https://github.com/astral-sh/uv/pull/8803))

Bug fixes

- Allow incompatible `requires-python` for source distributions with static metadata ([8768](https://github.com/astral-sh/uv/pull/8768))
- Allow managed downloads with `--python-preference system` ([8808](https://github.com/astral-sh/uv/pull/8808))
- Avoid error for `--group` defined in non-root workspace member ([8734](https://github.com/astral-sh/uv/pull/8734))
- Avoid showing dependency group annotations on workspace members in tree ([8730](https://github.com/astral-sh/uv/pull/8730))
- Do not error when the Python bin directory is missing on `uv python uninstall` ([8725](https://github.com/astral-sh/uv/pull/8725))
- Include member groups when locking workspace ([8736](https://github.com/astral-sh/uv/pull/8736))
- Fix bug where `python_version < '0'` could appear in a final resolution ([8759](https://github.com/astral-sh/uv/pull/8759))
- Sanitize filenames during zip extraction ([8732](https://github.com/astral-sh/uv/pull/8732))
- Switch to RFC 9110 compatible format for exclude newer requests ([8752](https://github.com/astral-sh/uv/pull/8752))

Preview features

- Add support for installing versioned Python executables on Windows ([8663](https://github.com/astral-sh/uv/pull/8663))
- Improve interactions with existing Python executables during install ([8733](https://github.com/astral-sh/uv/pull/8733))

Rust API

- Extend `BaseClient` to accept extra middleware ([8807](https://github.com/astral-sh/uv/pull/8807))
- Add `From` for `FlatDistributions` struct ([8800](https://github.com/astral-sh/uv/pull/8800))

Documentation

- Fix environment variable name in providing credentials section ([8740](https://github.com/astral-sh/uv/pull/8740))
- Fix `add httpx` example with real git branch ([8756](https://github.com/astral-sh/uv/pull/8756))
- Fix indentation in `projects.md` ([8772](https://github.com/astral-sh/uv/pull/8772))
- Fix link to publish guide in `README` ([8720](https://github.com/astral-sh/uv/pull/8720))
- Generate environment variables documentation from code ([8493](https://github.com/astral-sh/uv/pull/8493))
- Improve and fix some documents ([8749](https://github.com/astral-sh/uv/pull/8749))
- Improve environment variables document ([8777](https://github.com/astral-sh/uv/pull/8777))

0.4.29

Enhancements

- Sort errors during display in `uv python install` ([8684](https://github.com/astral-sh/uv/pull/8684))
- Update resolver to use disjointness checks instead of marker equality ([8661](https://github.com/astral-sh/uv/pull/8661))
- Add `riscv64` to supported Python platform tags ([8660](https://github.com/astral-sh/uv/pull/8660))

Bug fixes

- Fix hard and soft float libc detection for managed Python distributions on ARM ([8498](https://github.com/astral-sh/uv/pull/8498))
- Handle cycles in `uv pip tree` ([8689](https://github.com/astral-sh/uv/pull/8689))
- Respect dependency group markers in `uv export` ([8659](https://github.com/astral-sh/uv/pull/8659))
- Support transitive dependencies in Git workspaces ([8665](https://github.com/astral-sh/uv/pull/8665))
- Use portable paths for subdirectories in lock URLs ([8707](https://github.com/astral-sh/uv/pull/8707))
- Update `uv init --virtual` to imply `--no-package` ([8595](https://github.com/astral-sh/uv/pull/8595))

Preview

- Install versioned Python executables into the bin directory during `uv python install` (Unix only) ([8458](https://github.com/astral-sh/uv/pull/8458))

Documentation

- Clarify relationship between specifiers and `requires-python` range ([8688](https://github.com/astral-sh/uv/pull/8688))
- Fix broken link in docs ([8552](https://github.com/astral-sh/uv/pull/8552))
- Fix outdated documentation on `Requires-Python` ([8679](https://github.com/astral-sh/uv/pull/8679))
- Add Google Artifact Registry index authentication guide ([8579](https://github.com/astral-sh/uv/pull/8579))

0.4.28

Enhancements

- Add support for requesting free-threaded builds via `+freethreaded` ([8645](https://github.com/astral-sh/uv/pull/8645))
- Improve trusted publishing error messages ([8633](https://github.com/astral-sh/uv/pull/8633))
- Remove unneeded `return` from Maturin project template ([8604](https://github.com/astral-sh/uv/pull/8604))
- Skip Python interpreter discovery for `uv export` ([8638](https://github.com/astral-sh/uv/pull/8638))
- Hint about missing trusted publishing permission ([8632](https://github.com/astral-sh/uv/pull/8632))

Configuration

- Add environment variable to disable progress output ([8600](https://github.com/astral-sh/uv/pull/8600))

Bug fixes

- Fork when minimum Python version increases ([8628](https://github.com/astral-sh/uv/pull/8628))
- Ignore empty groups when validating lock ([8598](https://github.com/astral-sh/uv/pull/8598))
- Remove duplicate word in error message ([8589](https://github.com/astral-sh/uv/pull/8589))
- Support cyclic dependencies in `uv tree` ([8564](https://github.com/astral-sh/uv/pull/8564))
- Update `uv init` to imply `--package` when using `--build-backend` ([8593](https://github.com/astral-sh/uv/pull/8593))
- Restore use of `dev-dependencies` and `requires-dev` for lockfile compatibility ([8599](https://github.com/astral-sh/uv/pull/8599))

Documentation

- Clarify `requires-python` requirement for dependencies ([8619](https://github.com/astral-sh/uv/pull/8619))
- Update CLI documentation for `--cache-dir` ([8627](https://github.com/astral-sh/uv/pull/8627))

0.4.27

This release includes support for the `[dependency-groups]` table as recently standardized in [PEP 735](https://peps.python.org/pep-0735/). The table allows for declaration of optional dependency groups that are not published as part of the package metadata, unlike `[project.optional-dependencies]`. There are new `--group`, `--only-group`, and `--no-group` options throughout the uv interface.

Previously, uv used a single `tool.uv.dev-dependencies` list for declaration of development dependencies. Now, uv supports declaring development dependencies in a standardized format and allows splitting development dependencies into multiple groups.

For compatibility, and to simplify usage for people that do not need multiple groups, uv special-cases the group named `dev`. The `dev` group is equivalent to `tool.uv.dev-dependencies`. The contents of `tool.uv.dev-dependencies` will merged into the `dev` group in uv's resolver. The `--dev`, `--only-dev`, and `--no-dev` flags remain as aliases for the corresponding `--group` options. Support for `tool.uv.dev-dependencies` remains in this release, but will display warnings in a future release.

uv syncs the `dev` group by default — this matches the exististing behavior for `tool.uv.dev-dependencies`. The default groups can be changed with the `tool.uv.default-groups` setting.

Thank you to Stephen Rosen who authored PEP 735.

Enhancements

- Support for PEP 735 ([8272](https://github.com/astral-sh/uv/pull/8272))
- Add support for `--dry-run` mode in `uv lock` ([7783](https://github.com/astral-sh/uv/pull/7783))
- Don't allow non-string email in authors ([8520](https://github.com/astral-sh/uv/pull/8520))
- Enforce lockfile schema versions ([8509](https://github.com/astral-sh/uv/pull/8509))

Bug fixes

- Always attach URL to network errors ([8444](https://github.com/astral-sh/uv/pull/8444))
- Fix dangling non-platform dependencies in `uv tree` ([8532](https://github.com/astral-sh/uv/pull/8532))
- Prefer `lto` over `debug` free-threaded managed Python builds ([8515](https://github.com/astral-sh/uv/pull/8515))

Documentation

- Add `tool.uv.sources` to the "Settings" reference ([8543](https://github.com/astral-sh/uv/pull/8543))
- Add reference to `uv build` and `uv publish` in the landing pages ([8542](https://github.com/astral-sh/uv/pull/8542))
- Avoid duplicate `[tool.uv]` header in TOML examples ([8545](https://github.com/astral-sh/uv/pull/8545))
- Document `.netrc` environment variable and path ([8511](https://github.com/astral-sh/uv/pull/8511))
- Fix `.netrc` typo in authentication docs ([8521](https://github.com/astral-sh/uv/pull/8521))
- Fix heading level of "Script support" on docs landing page ([8544](https://github.com/astral-sh/uv/pull/8544))
- Move the installation configuration docs to a separate page ([8546](https://github.com/astral-sh/uv/pull/8546))
- Update docs for `--publish-url` to avoid duplication. ([8561](https://github.com/astral-sh/uv/pull/8561))
- Fix typo ([8554](https://github.com/astral-sh/uv/pull/8554))
- Fix typo in description of `--strict` flag ([8513](https://github.com/astral-sh/uv/pull/8513))

0.4.26

Enhancements

- Allow static dependency metadata entries for direct URL requirements ([7846](https://github.com/astral-sh/uv/pull/7846))
- Use reinstall report formatting for `uv python install --reinstall` ([8487](https://github.com/astral-sh/uv/pull/8487))
- Add support for system-level `uv.toml` configuration ([7851](https://github.com/astral-sh/uv/pull/7851))

Bug fixes

- Apply `requires-python` narrowing with upper bounds ([8403](https://github.com/astral-sh/uv/pull/8403))
- Avoid rewriting `[[tool.uv.index]]` entries when credentials are provided ([8502](https://github.com/astral-sh/uv/pull/8502))
- Fix `uv add` comment handling for empty arrays ([8504](https://github.com/astral-sh/uv/pull/8504))
- Replace dashes with underscores in index credential variables ([8452](https://github.com/astral-sh/uv/pull/8452))
- Respect `--allow-insecure-host` in `uv publish` ([8440](https://github.com/astral-sh/uv/pull/8440))
- Allow arbitrary `--package` includes in `uv tree` ([8507](https://github.com/astral-sh/uv/pull/8507))
- Remove existing Python install after successful download in `uv python install` ([8485](https://github.com/astral-sh/uv/pull/8485))

Documentation

- Add docs example for URLs with `[tool.uv.dependency-metadata]` ([8484](https://github.com/astral-sh/uv/pull/8484))
- Add help page for build failures ([8286](https://github.com/astral-sh/uv/pull/8286))
- Fix `cache-keys` typo in `tags = true` ([8422](https://github.com/astral-sh/uv/pull/8422))
- Add documentation examples for manual branch, rev, and tag Git dependencies ([8497](https://github.com/astral-sh/uv/pull/8497))

Error messages

- Improve error message for cache info serialization ([8500](https://github.com/astral-sh/uv/pull/8500))
- Suggest `--from` command when executable is available for `uvx` ([8473](https://github.com/astral-sh/uv/pull/8473))
- Support `--with-editable` in `uv tool install` ([8472](https://github.com/astral-sh/uv/pull/8472))

0.4.25

Enhancements

- Add support for `uv pip show --files` ([8369](https://github.com/astral-sh/uv/pull/8369))
- Don't prefetch unreachable packages ([8246](https://github.com/astral-sh/uv/pull/8246))
- Remove `tool.uv.sources` table if it is empty ([8365](https://github.com/astral-sh/uv/pull/8365))
- Modify cache versioning to support backwards compatibility ([8386](https://github.com/astral-sh/uv/pull/8386))

Configuration

- Add support for `UV_FROZEN` and `UV_LOCKED` ([8340](https://github.com/astral-sh/uv/pull/8340))

Bug fixes

- Allow dashes and underscores in custom index names ([8339](https://github.com/astral-sh/uv/pull/8339))
- Avoid panic when Git dependencies are included in fork markers ([8388](https://github.com/astral-sh/uv/pull/8388))
- Check existing source by normalized name before `uv add` and `uv remove` ([8359](https://github.com/astral-sh/uv/pull/8359))
- Fix bug where username from authentication cache could be ignored ([8345](https://github.com/astral-sh/uv/pull/8345))
- Fix to respect comments positioning in pyproject.toml on change ([8384](https://github.com/astral-sh/uv/pull/8384))
- Redact index sources in `uv.lock` ([8333](https://github.com/astral-sh/uv/pull/8333))
- Use correct indentation when project table contains open bracket comment ([8387](https://github.com/astral-sh/uv/pull/8387))
- Only remove a source from `[tool.uv.sources]` if it is no long being referenced ([8366](https://github.com/astral-sh/uv/pull/8366))
- Modify `uv pip list` and `uv tree` to print to stdout regardless of `--quiet` flag ([8392](https://github.com/astral-sh/uv/pull/8392))

Error messages

- Improve help message for missing `self update` invocations ([8337](https://github.com/astral-sh/uv/pull/8337))
- Log `.netrc` parsing errors ([8364](https://github.com/astral-sh/uv/pull/8364))
- Remove trailing newlines in error messages ([8322](https://github.com/astral-sh/uv/pull/8322))
- Use a dedicated message for incompatible Python versions in wheel ABI tags ([8363](https://github.com/astral-sh/uv/pull/8363))
- Remove commands available in the top-level from the suggested subcommand error ([8316](https://github.com/astral-sh/uv/pull/8316))

Release

- Run release builds for `macos-x86_64` on `macos-14` runners ([8327](https://github.com/astral-sh/uv/pull/8327))

Page 1 of 26

Links

Releases

Has known vulnerabilities

Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.