Workflow

Uv

Latest version: v0.5.9

Safety actively analyzes 688896 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 22

0.5.9

Enhancements

- Fork version selection based on `requires-python` requirements ([9827](https://github.com/astral-sh/uv/pull/9827))
- Patch `sysconfig` data at install time ([9857](https://github.com/astral-sh/uv/pull/9857))
- Remove `-isysroot` when patching sysconfig ([9860](https://github.com/astral-sh/uv/pull/9860))

Configuration

- Introduce a `--fork-strategy` preference mode ([9868](https://github.com/astral-sh/uv/pull/9868))
- Add support for `UV_OFFLINE` ([9795](https://github.com/astral-sh/uv/pull/9795))

Bug fixes

- Avoid `panic!()` when current directory does not exist ([9876](https://github.com/astral-sh/uv/pull/9876))
- Avoid reusing interpreter metadata when running under Rosetta ([9846](https://github.com/astral-sh/uv/pull/9846))
- Avoid trailing slash when deserializing from lockfile ([9848](https://github.com/astral-sh/uv/pull/9848))
- Fix bug in terms when collapsing unavailable versions in resolver errors ([9877](https://github.com/astral-sh/uv/pull/9877))
- Fix suggestion to use `uv help python` on invalid install requests ([9820](https://github.com/astral-sh/uv/pull/9820))
- Skip root when assessing prefix viability ([9823](https://github.com/astral-sh/uv/pull/9823))
- Avoid spurious 'Upgraded tool environment' in `uv tool upgrade` ([9870](https://github.com/astral-sh/uv/pull/9870))

Rust API

- Upgrade minimum Rust version to 1.83 ([9815](https://github.com/astral-sh/uv/pull/9815))

Documentation

- Document the `--fork-strategy` setting ([9887](https://github.com/astral-sh/uv/pull/9887))

Preview features

- Build backend: Allow underscores in entrypoints ([9825](https://github.com/astral-sh/uv/pull/9825))

0.5.8

**This release does not include the `powerpc64le-unknown-linux-musl` target due to a build issue. See [9793](https://github.com/astral-sh/uv/issues/9793) for details. If this change affects you, please file an issue with your use-case.**

Enhancements

- Omit empty resolution markers in lockfile ([9738](https://github.com/astral-sh/uv/pull/9738))
- Add `--install-dir` to to `uv python install` and `uninstall` commands ([7920](https://github.com/astral-sh/uv/pull/7920))
- Add `--show-urls` and `--only-downloads` to `uv python list` ([8062](https://github.com/astral-sh/uv/pull/8062))
- Add `uv python list --all-arches` ([9782](https://github.com/astral-sh/uv/pull/9782))
- Add `uv run --gui-script` flag for running Python scripts with `pythonw.exe` ([9152](https://github.com/astral-sh/uv/pull/9152))
- Allow `--gui-script` on Unix ([9787](https://github.com/astral-sh/uv/pull/9787))
- Allow download of Python distribution variants optimized for newer x86_64 microarchitectures ([9781](https://github.com/astral-sh/uv/pull/9781))
- Allow execution of `pyw` files on Unix ([9759](https://github.com/astral-sh/uv/pull/9759))
- Allow users to specify URLs in `project.dependencies` and `tool.uv.sources` ([9718](https://github.com/astral-sh/uv/pull/9718))
- Encode mutually-incompatible pairs of markers ([9444](https://github.com/astral-sh/uv/pull/9444))
- Improve the error message when a Python install request is not valid ([9783](https://github.com/astral-sh/uv/pull/9783))
- Preserve directory-level standalone build symlinks ([9723](https://github.com/astral-sh/uv/pull/9723))
- Add support for `uv publish --index <name>` ([9694](https://github.com/astral-sh/uv/pull/9694))
- Reframe `--locked` and `--frozen` as `--check` operations for `uv lock` ([9662](https://github.com/astral-sh/uv/pull/9662))
- Rename Python install scratch directory from `.cache` -> `.temp` ([9756](https://github.com/astral-sh/uv/pull/9756))
- Enable `uv tool uninstall uv` on Windows ([8963](https://github.com/astral-sh/uv/pull/8963))
- Improve self-dependency hint to make shadowing clear ([9716](https://github.com/astral-sh/uv/pull/9716))
- Refactor unavailable metadata to shrink the resolver ([9769](https://github.com/astral-sh/uv/pull/9769))
- Show 'depends on itself' for proxy packages ([9717](https://github.com/astral-sh/uv/pull/9717))
- Show a dedicated error for missing subdirectories ([9761](https://github.com/astral-sh/uv/pull/9761))
- Show a dedicated hint for missing `git+` prefixes ([9789](https://github.com/astral-sh/uv/pull/9789))

Performance

- Eagerly error when parsing `pyproject.toml` requirements ([9704](https://github.com/astral-sh/uv/pull/9704))
- Use copy-on-write when normalizing paths ([9710](https://github.com/astral-sh/uv/pull/9710))

Bug fixes

- Avoid enforcing non-conflicts in `uv export` ([9751](https://github.com/astral-sh/uv/pull/9751))
- Don't drop comments between items in TOML tables ([9784](https://github.com/astral-sh/uv/pull/9784))
- Don't fail with `--no-build` when static metadata is available ([9785](https://github.com/astral-sh/uv/pull/9785))
- Don't filter non-patch registry version ([9736](https://github.com/astral-sh/uv/pull/9736))
- Don't read metadata from stale `.egg-info` files ([9760](https://github.com/astral-sh/uv/pull/9760))
- Enforce correctness of self-dependencies ([9705](https://github.com/astral-sh/uv/pull/9705))
- Fix projects's typo in resolver error messages ([9708](https://github.com/astral-sh/uv/pull/9708))
- Ignore `.` prefixed directories during managed Python installation discovery ([9786](https://github.com/astral-sh/uv/pull/9786))
- Improve handling of invalid virtual environments during interpreter discovery ([8086](https://github.com/astral-sh/uv/pull/8086))
- Normalize relative paths when `--project` is specified ([9709](https://github.com/astral-sh/uv/pull/9709))
- Respect self-constraints on recursive extras ([9714](https://github.com/astral-sh/uv/pull/9714))
- Respect user settings for tracing coloring ([9733](https://github.com/astral-sh/uv/pull/9733))
- Retry on tar extraction errors ([9753](https://github.com/astral-sh/uv/pull/9753))
- Add conflict markers to the lock file ([9370](https://github.com/astral-sh/uv/pull/9370))
- De-duplicate resolution markers ([9780](https://github.com/astral-sh/uv/pull/9780))
- Avoid 403 error hint for PyTorch URLs ([9750](https://github.com/astral-sh/uv/pull/9750))
- Avoid treating non-existent `--find-links` as relative URLs ([9720](https://github.com/astral-sh/uv/pull/9720))
- Omit Windows Store `python3.13.exe` et al ([9679](https://github.com/astral-sh/uv/pull/9679))
- Replace executables with broken symlinks during `uv python install` ([9706](https://github.com/astral-sh/uv/pull/9706))

Documentation

- Fix build failure links ([9740](https://github.com/astral-sh/uv/pull/9740))

0.5.7

Enhancements

- Ignore dynamic version in source dist ([9549](https://github.com/astral-sh/uv/pull/9549))
- Improve build frontend error handling ([9611](https://github.com/astral-sh/uv/pull/9611))
- Un-hide `uv build --no-build-logs` option ([9642](https://github.com/astral-sh/uv/pull/9642))
- Flag version mismatch between sdist and wheel during `uv build` ([9633](https://github.com/astral-sh/uv/pull/9633))
- Improve message when updater receipt is for a different uv executable ([9487](https://github.com/astral-sh/uv/pull/9487))
- Add environment variable to disable writing installer metadata files ([8877](https://github.com/astral-sh/uv/pull/8877))
- Add managed downloads for the latest CPython releases: `3.9.21`, `3.10.16`, `3.11.11`, `3.12.8`, and `3.13.1` ([9696](https://github.com/astral-sh/uv/pull/9696))

Preview features

- Build backend: Add hint on import with preview disabled ([9691](https://github.com/astral-sh/uv/pull/9691))
- Build backend: Add direct builds to the resolver and installer ([9621](https://github.com/astral-sh/uv/pull/9621))
- Build backend: Add integration test for scripts ([9635](https://github.com/astral-sh/uv/pull/9635))
- Build backend: Add template to `uv init` ([9661](https://github.com/astral-sh/uv/pull/9661))
- Build backend: Add `--list` option ([9610](https://github.com/astral-sh/uv/pull/9610))

Bug fixes

- Create missing parent directories for output file of `uv export` / `uv pip compile` ([9648](https://github.com/astral-sh/uv/pull/9648))
- Fix missing display of non-freethreaded Python 3.13 in `python list` ([9669](https://github.com/astral-sh/uv/pull/9669))
- Implement `Ord` and `PartialOrd` without origin for `Requirement` ([9624](https://github.com/astral-sh/uv/pull/9624))
- Include more sources to avoid lowest bound warning ([9644](https://github.com/astral-sh/uv/pull/9644))
- Respect build tag priority in `uv.lock` ([9677](https://github.com/astral-sh/uv/pull/9677))

Documentation

- Add `build-essentials` note to build failures doc ([9641](https://github.com/astral-sh/uv/pull/9641))
- Add entry-point for distroless image in GitLab documentation ([9093](https://github.com/astral-sh/uv/pull/9093))
- Add documentation for `uv python pin` without a `REQUEST` argument ([9631](https://github.com/astral-sh/uv/pull/9631))
- Add a link to `uv python pin` reference docs ([9630](https://github.com/astral-sh/uv/pull/9630))

0.5.6

Enhancements

- Add `--dry-run` to `uv pip uninstall` ([9557](https://github.com/astral-sh/uv/pull/9557))
- Allow `--constraints` and `--overrides` in `uv tool install` ([9547](https://github.com/astral-sh/uv/pull/9547))
- Display removed Python executables on uninstall ([9459](https://github.com/astral-sh/uv/pull/9459))
- Warn when keyring has no password for `uv publish` ([8827](https://github.com/astral-sh/uv/pull/8827))
- Add suggested action when `.python-version` pin is incompatible with the project ([9590](https://github.com/astral-sh/uv/pull/9590))
- Improve error messages for mismatches in `tool.uv.sources` ([9482](https://github.com/astral-sh/uv/pull/9482))
- Use constraints in trace rather than irrelevant `requires-python` ([9529](https://github.com/astral-sh/uv/pull/9529))

Preview features

- Add `uv python install --default` ([8650](https://github.com/astral-sh/uv/pull/8650))
- Fix Python executable installation when multiple patch versions are requested ([9607](https://github.com/astral-sh/uv/pull/9607))
- Build backend: Revamp `include` / `exclude` ([9525](https://github.com/astral-sh/uv/pull/9525))
- Build backend: Add fast path ([9556](https://github.com/astral-sh/uv/pull/9556))
- Build backend: Add functions to collect file list ([9602](https://github.com/astral-sh/uv/pull/9602))
- Build backend: Default excludes ([9552](https://github.com/astral-sh/uv/pull/9552))
- Build backend: Refactoring before list ([9558](https://github.com/astral-sh/uv/pull/9558))
- Build backend: Warn when visiting over 10k files ([9523](https://github.com/astral-sh/uv/pull/9523))

Configuration

- Make `check-url` available in configuration files ([9032](https://github.com/astral-sh/uv/pull/9032))

Performance

- Avoid adding non-extra package with extra dependencies ([9540](https://github.com/astral-sh/uv/pull/9540))
- Avoid cloning `String` in marker evaluation ([9598](https://github.com/astral-sh/uv/pull/9598))

Rust API

- `uv-pep508`: Add more methods for simplifying `extra`-related expressions ([9469](https://github.com/astral-sh/uv/pull/9469))

Bug fixes

- Allow `file:` URLs to include package names ([9493](https://github.com/astral-sh/uv/pull/9493))
- Avoid using IDs across PubGrub states ([9538](https://github.com/astral-sh/uv/pull/9538))
- Consistently enforce requested-vs.-built metadata when retrieving wheels ([9484](https://github.com/astral-sh/uv/pull/9484))
- Do not show empty version specifier in `uv tool list` ([9605](https://github.com/astral-sh/uv/pull/9605))
- Include Git member information when getting metadata from cache ([9388](https://github.com/astral-sh/uv/pull/9388))
- Include base installation directory in uv run PATH ([9585](https://github.com/astral-sh/uv/pull/9585))
- Insert backslash when appending to system drive ([9488](https://github.com/astral-sh/uv/pull/9488))
- Normalize paths when lowering Git dependencies ([9595](https://github.com/astral-sh/uv/pull/9595))
- Omit origin when comparing requirements ([9570](https://github.com/astral-sh/uv/pull/9570))
- Override `manylinux_compatible` with `--python-platform` ([9526](https://github.com/astral-sh/uv/pull/9526))
- Pass extra when evaluating lockfile markers ([9539](https://github.com/astral-sh/uv/pull/9539))
- Propagate markers for recursive extras in resolver ([9509](https://github.com/astral-sh/uv/pull/9509))
- Respect path dependencies within Git dependencies ([9594](https://github.com/astral-sh/uv/pull/9594))
- Support recursive extras with marker in `pip compile -r pyproject.toml` ([9535](https://github.com/astral-sh/uv/pull/9535))
- Don't emit unpinned warning for proxy packages ([9497](https://github.com/astral-sh/uv/pull/9497))
- Fix `--refresh-package` flag mentioned as `--refresh-dependency` ([9486](https://github.com/astral-sh/uv/pull/9486))
- Handle Windows AV/EDR file locks during script installations ([9543](https://github.com/astral-sh/uv/pull/9543))
- Re-enable conflicting extra/group tests and fix regression from 9540 ([9582](https://github.com/astral-sh/uv/pull/9582))

Documentation

- Add missing word to docs for `run.md` ([9527](https://github.com/astral-sh/uv/pull/9527))
- Add policies reference section and license document ([9367](https://github.com/astral-sh/uv/pull/9367))
- Fix typo in entry point docs ([9491](https://github.com/astral-sh/uv/pull/9491))
- Fix up version in prior uninstall instructions ([9485](https://github.com/astral-sh/uv/pull/9485))
- Mention `uv pip` behavior in build system note ([9586](https://github.com/astral-sh/uv/pull/9586))
- Update build failures document ([9584](https://github.com/astral-sh/uv/pull/9584))
- Correct wording for multiple sources section ([9504](https://github.com/astral-sh/uv/pull/9504))

0.5.5

Enhancements

- Add aliases for build backend requests ([9294](https://github.com/astral-sh/uv/pull/9294))
- Avoid displaying empty paths ([9312](https://github.com/astral-sh/uv/pull/9312))
- Allow constraints in `uv tool upgrade` ([9375](https://github.com/astral-sh/uv/pull/9375))
- Remove conflict between `--no-sync` and `--frozen` in `uv run` ([9400](https://github.com/astral-sh/uv/pull/9400))
- Respect dependency sources in overrides and constraints ([9455](https://github.com/astral-sh/uv/pull/9455))
- Show an interpreter-focused message for `--target` and `--prefix` ([9373](https://github.com/astral-sh/uv/pull/9373))
- Add `--no-extra` flag and setting ([9387](https://github.com/astral-sh/uv/pull/9387))
- Add `uv export --prune` ([9389](https://github.com/astral-sh/uv/pull/9389))
- Add dedicated error message for musl install attempts ([9430](https://github.com/astral-sh/uv/pull/9430))
- Add various grammar changes to conflict error messages ([9369](https://github.com/astral-sh/uv/pull/9369))
- Annotate default groups in conflict error messages ([9368](https://github.com/astral-sh/uv/pull/9368))
- Report marker diagnostics during parsing, rather than evaluation ([9338](https://github.com/astral-sh/uv/pull/9338))
- Use consistent formatting for build system errors ([9340](https://github.com/astral-sh/uv/pull/9340))
- Use rich diagnostics for build failures ([9335](https://github.com/astral-sh/uv/pull/9335))

Preview features

- Improve build backend excludes ([9281](https://github.com/astral-sh/uv/pull/9281))
- Include PEP 639 `license-files` metadata during `uv publish` ([9442](https://github.com/astral-sh/uv/pull/9442))

Performance

- Initialize rayon lazily ([9435](https://github.com/astral-sh/uv/pull/9435))
- Migrate to PubGrub's arena for package names ([9448](https://github.com/astral-sh/uv/pull/9448))

Bug fixes

- Allow dependency groups to include the containing package ([9385](https://github.com/astral-sh/uv/pull/9385))
- Allow syncing to empty virtual environment directories ([9427](https://github.com/astral-sh/uv/pull/9427))
- Allow system Python discovery with `--target` and `--prefix` ([9371](https://github.com/astral-sh/uv/pull/9371))
- Don't warn when `--output-file` is empty ([9417](https://github.com/astral-sh/uv/pull/9417))
- Fix Python interpreter discovery on non-glibc hosts ([9005](https://github.com/astral-sh/uv/pull/9005))
- Fix `tool.uv.dependency-metadata.[].version` schema ([9468](https://github.com/astral-sh/uv/pull/9468))
- Only respect preferences across the same indexes ([9302](https://github.com/astral-sh/uv/pull/9302))
- Re-compile when `--compile` is passed to an install operation ([9378](https://github.com/astral-sh/uv/pull/9378))
- Remove `--upgrade`, `--no-upgrade`, and `--upgrade-package` from `uv tool upgrade` ([9318](https://github.com/astral-sh/uv/pull/9318))
- Remove dev dependencies in `--all-groups --no-dev` ([9300](https://github.com/astral-sh/uv/pull/9300))
- Surface extras and group conflicts in `uv export` ([9365](https://github.com/astral-sh/uv/pull/9365))
- Treat deprecated aliases as equivalent in marker algebra ([9342](https://github.com/astral-sh/uv/pull/9342))
- Treat less compatible tags as lower priority in resolver ([9339](https://github.com/astral-sh/uv/pull/9339))

Documentation

- Avoid referencing `scikit-build` (instead of `scikit-build-core`) ([9320](https://github.com/astral-sh/uv/pull/9320))
- Expand entry points documentation ([9329](https://github.com/astral-sh/uv/pull/9329))
- Fix example `pyproject.toml` in project concept documentation ([9298](https://github.com/astral-sh/uv/pull/9298))
- Fix header level of "Conflicting dependencies" page ([9330](https://github.com/astral-sh/uv/pull/9330))
- Touch-up the extension module guide ([9293](https://github.com/astral-sh/uv/pull/9293))
- Update the dependencies documentation ([9359](https://github.com/astral-sh/uv/pull/9359))
- Reference `--no-progress` option in related environment variable ([9357](https://github.com/astral-sh/uv/pull/9357))

0.5.4

Enhancements

- Accept either singular or plural values for CLI requirements ([9196](https://github.com/astral-sh/uv/pull/9196))
- Add `--all-groups` to `uv sync`, `uv run`, `uv export`, and `uv tree` ([8892](https://github.com/astral-sh/uv/pull/8892))
- Add a progress bar to `uv tree --outdated` and `uv pip list --outdated` ([9284](https://github.com/astral-sh/uv/pull/9284))
- Add retries for Python downloads ([9274](https://github.com/astral-sh/uv/pull/9274))
- Use exponential backoff for publish retries ([9276](https://github.com/astral-sh/uv/pull/9276))
- Add manylinux target triples up to glibc 2.40 ([9234](https://github.com/astral-sh/uv/pull/9234))

Performance

- Parallelize network requests in `uv tree --outdated` ([9280](https://github.com/astral-sh/uv/pull/9280))
- Use `zlib-rs` on all platforms ([9264](https://github.com/astral-sh/uv/pull/9264))

Bug fixes

- Avoid validating extra and group sources in `build-system.requires` ([9273](https://github.com/astral-sh/uv/pull/9273))
- Catch retries with wrapped `reqwest` errors ([9253](https://github.com/astral-sh/uv/pull/9253))
- Sort hashes in `uv export` output ([9237](https://github.com/astral-sh/uv/pull/9237))
- Strip `--index` and `--default-index` from command header ([9288](https://github.com/astral-sh/uv/pull/9288))

Documentation

- Add breadcrumbs to the documentation ([9242](https://github.com/astral-sh/uv/pull/9242))
- Add minimum version to PyTorch guide ([9247](https://github.com/astral-sh/uv/pull/9247))
- Add support for anchor redirects with client-side js ([9212](https://github.com/astral-sh/uv/pull/9212))
- Improve content on project configuration ([9235](https://github.com/astral-sh/uv/pull/9235))
- Improve the project creation documentation ([9236](https://github.com/astral-sh/uv/pull/9236))
- Move the integration guides into the "Guides" section as a collapsed group ([9245](https://github.com/astral-sh/uv/pull/9245))
- Reorganize the project concept documentation ([9121](https://github.com/astral-sh/uv/pull/9121))
- Use the full screen height for the main content to stabilize the nav ([9153](https://github.com/astral-sh/uv/pull/9153))

Error messages

- Add dedicated warning for empty stdin ([9256](https://github.com/astral-sh/uv/pull/9256))

Page 1 of 22

Links

Releases

Has known vulnerabilities

Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.