Workflow

Uv

Latest version: v0.5.9

Safety actively analyzes 688917 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 15 of 22

0.2.0

Not secure
Starting with this release, uv will use the **minor** version tag to indicate breaking changes.

Breaking

In this release, discovery of Python interpreters has changed. These changes should have a limited effect in most
use-cases, however, it has been marked as a breaking change because the interpreter used by uv could change in
some edge cases.

When multiple Python interpreters are installed, uv makes an attempt to find the exact version you requested.
Previously, uv would stop at the first Python interpreter it discovered — if the interpreter did not satisfy
the requested version, uv would fail. Now, uv will query multiple Python interpreters until it finds the
requested version, skipping interpreters that are broken or do not satisfy the request.

Additionally, uv now allows requests for interpreter implementations such as `pypy` and `cpython`. For example,
the request `--python cpython` will ignore a `python` executable that's implemented by `pypy`. These requests may
also include a version, e.g., `--python pypy3.10`. By default, uv will accept *any* interpreter implementation.

In summary, the following Python interpreter requests are now allowed:

- A Python version without an implementation name, e.g., `3.10`
- A path to a directory containing a Python installation, e.g., `./foo/.venv`
- A path to a Python executable, e.g., `~/bin/python`
- A Python implementation without a version, e.g., `pypy` or `cpython`
- A Python implementation name and version, e.g., `pypy3.8` or `pypy3.8`
- The name of a Python executable (for lookup in the `PATH`), e.g., `foopython3`

Previously, interpreter requests that were not versions or paths were always treated as executable
names.

To align the user expectations, uv now respects the interpreter that starts it. For example, `python -m uv ...` will
now prefer the `python` interpreter that was used to start uv instead of searching for a virtual environment.

We now check if discovered interpreters are virtual environments. This means that setting `VIRTUAL_ENV` to a Python
installation directory that is *not* a virtual environment will no longer work. Instead, use `--system`
or `--python <path>`
to request the interpreter.

Enhancements

- Rewrite Python interpreter discovery ([3266](https://github.com/astral-sh/uv/pull/3266))
- Add support for requesting `pypy` interpreters by implementation
name ([3706](https://github.com/astral-sh/uv/pull/3706))
- Discover and prefer the parent interpreter when invoked
with `python -m uv` [3736](https://github.com/astral-sh/uv/pull/3736)
- Add PEP 714 support for HTML API client ([3697](https://github.com/astral-sh/uv/pull/3697))
- Add PEP 714 support for JSON API client ([3698](https://github.com/astral-sh/uv/pull/3698))
- Write relative paths with unnamed requirement syntax ([3682](https://github.com/astral-sh/uv/pull/3682))
- Allow relative Python executable paths in Windows trampoline ([3717](https://github.com/astral-sh/uv/pull/3717))
- Add support for clang and msvc in missing header error ([3753](https://github.com/astral-sh/uv/pull/3753))

CLI

- Allow `--constraint` files in `pip sync` ([3741](https://github.com/astral-sh/uv/pull/3741))
- Allow `--config-file` to be passed before or after command name ([3730](https://github.com/astral-sh/uv/pull/3730))
- Make `--offline` a global argument ([3729](https://github.com/astral-sh/uv/pull/3729))

Performance

- Improve performance in complex resolutions by reducing cost of PubGrub package
clones ([3688](https://github.com/astral-sh/uv/pull/3688))

Bug fixes

- Evaluate arbitrary markers to `false` ([3681](https://github.com/astral-sh/uv/pull/3681))
- Improve `DirWithoutEntrypoint` error message ([3690](https://github.com/astral-sh/uv/pull/3690))
- Improve display of root package in range errors ([3711](https://github.com/astral-sh/uv/pull/3711))
- Propagate URL errors in verbatim parsing ([3720](https://github.com/astral-sh/uv/pull/3720))
- Report yanked packages in `--dry-run` ([3740](https://github.com/astral-sh/uv/pull/3740))

Release

- Drop native `manylinux` wheel in favor of dual-tagged wheel ([3685](https://github.com/astral-sh/uv/pull/3685))
- The `python-patch` test feature is no longer on by default and must be manually enabled to test patch version
behavior ([3746](https://github.com/astral-sh/uv/pull/3746))

Documentation

- Add `--prefix` link to compatibility guide ([3734](https://github.com/astral-sh/uv/pull/3734))
- Add `--only-binary` to compatibility guide ([3735](https://github.com/astral-sh/uv/pull/3735))
- Add instructions for building and updating `uv-trampolines` ([3731](https://github.com/astral-sh/uv/pull/3731))
- Add notes for testing on Windows ([3658](https://github.com/astral-sh/uv/pull/3658))

Preview features

- Add initial implementation of `uv tool run` ([3657](https://github.com/astral-sh/uv/pull/3657))
- Add offline support to `uv tool run` and `uv run` ([3676](https://github.com/astral-sh/uv/pull/3676))
- Better error message for `uv run` failures ([3691](https://github.com/astral-sh/uv/pull/3691))
- Discover workspaces without using them in resolution ([3585](https://github.com/astral-sh/uv/pull/3585))
- Support editables in `uv sync` ([3692](https://github.com/astral-sh/uv/pull/3692))
- Track editable requirements in lockfile ([3725](https://github.com/astral-sh/uv/pull/3725))

0.1.45

Not secure
Enhancements

- Parse and store extras on editable requirements ([3629](https://github.com/astral-sh/uv/pull/3629))
- Allow local versions in wheel filenames ([3596](https://github.com/astral-sh/uv/pull/3596))
- Create lib64 symlink for 64-bit, non-macOS, POSIX environments ([3584](https://github.com/astral-sh/uv/pull/3584))

Configuration

- Add `UV_CONCURRENT_INSTALLS` variable in favor
of `RAYON_NUM_THREADS` ([3646](https://github.com/astral-sh/uv/pull/3646))
- Add serialization and deserialization for `--find-links` ([3619](https://github.com/astral-sh/uv/pull/3619))
- Apply combination logic to merge CLI and persistent configuration ([3618](https://github.com/astral-sh/uv/pull/3618))

Performance

- Parallelize resolver ([3627](https://github.com/astral-sh/uv/pull/3627))

Bug fixes

- Reduce sensitivity of unknown option error to discard Python 2
interpreters ([3580](https://github.com/astral-sh/uv/pull/3580))
- Respect installed packages in `uv run` ([3603](https://github.com/astral-sh/uv/pull/3603))
- Separate cache construction from initialization ([3607](https://github.com/astral-sh/uv/pull/3607))
- Add missing `"directory"` branch in source match ([3608](https://github.com/astral-sh/uv/pull/3608))
- Fix source annotation in pip compile `annotation-style=line`
output ([3637](https://github.com/astral-sh/uv/pull/3637))
- Run cargo update to pull in h2 ([3638](https://github.com/astral-sh/uv/pull/3638))
- URL-decode hashes in HTML fragments ([3655](https://github.com/astral-sh/uv/pull/3655))
- Always print JSON output with `--format` json ([3671](https://github.com/astral-sh/uv/pull/3671))

Documentation

- Add `UV_CONFIG_FILE` environment variable to documentation ([3653](https://github.com/astral-sh/uv/pull/3653))
- Explicitly mention `--user` in compatibility guide ([3666](https://github.com/astral-sh/uv/pull/3666))

Release

- Add musl ppc64le support ([3537](https://github.com/astral-sh/uv/pull/3537))
- Retag musl aarch64 for manylinux2014 ([3624](https://github.com/astral-sh/uv/pull/3624))

Preview features

- Add direct URL conversion to lockfile ([3633](https://github.com/astral-sh/uv/pull/3633))
- Add hashes and versions to all distributions ([3589](https://github.com/astral-sh/uv/pull/3589))
- Add local path conversions from lockfile ([3609](https://github.com/astral-sh/uv/pull/3609))
- Add missing `"directory"` branch in source match ([3608](https://github.com/astral-sh/uv/pull/3608))
- Add registry file size to lockfile ([3652](https://github.com/astral-sh/uv/pull/3652))
- Add registry source distribution support to lockfile ([3649](https://github.com/astral-sh/uv/pull/3649))
- Refactor editables for supporting them in bluejay commands ([3639](https://github.com/astral-sh/uv/pull/3639))
- Rename `sourcedist` to `sdist` in lockfile ([3590](https://github.com/astral-sh/uv/pull/3590))
- Respect installed packages in `uv run` ([3603](https://github.com/astral-sh/uv/pull/3603))
- Support lossless serialization for Git dependencies in lockfile ([3630](https://github.com/astral-sh/uv/pull/3630))

0.1.44

Not secure
Release

Reverts "Use manylinux: auto to enable `musllinux_1_2` aarch64
builds ([3444](https://github.com/astral-sh/uv/pull/3444))"

The manylinux change appeared to introduce SSL errors when building aarch64 Docker images, e.g.,

> invalid peer certificate: BadSignature

The v0.1.42 behavior for aarch64 manylinux builds is restored in this release.

See [3576](https://github.com/astral-sh/uv/pull/3576)

0.1.43

Not secure
Enhancements

- Annotate sources of requirements in `pip compile` output ([3269](https://github.com/astral-sh/uv/pull/3269))
- Track origin for `setup.py` files and friends ([3481](https://github.com/astral-sh/uv/pull/3481))

Configuration

- Consolidate concurrency limits and expose as environment
variables ([3493](https://github.com/astral-sh/uv/pull/3493))

Release

- Use manylinux: auto to enable `musllinux_1_2` aarch64 builds ([3444](https://github.com/astral-sh/uv/pull/3444))
- Enable musllinux_1_1 wheels ([3523](https://github.com/astral-sh/uv/pull/3523))

Bug fixes

- Avoid keyword arguments for PEP 517 build hooks ([3517](https://github.com/astral-sh/uv/pull/3517))
- Apply advisory locks when building source distributions ([3525](https://github.com/astral-sh/uv/pull/3525))
- Avoid attempting to build editables when fetching metadata ([3563](https://github.com/astral-sh/uv/pull/3563))
- Clone individual files on windows ReFS ([3551](https://github.com/astral-sh/uv/pull/3551))
- Filter irrelevant requirements from source annotations ([3479](https://github.com/astral-sh/uv/pull/3479))
- Make cache clearing robust to directories without read
permissions ([3524](https://github.com/astral-sh/uv/pull/3524))
- Respect constraints on editable dependencies ([3554](https://github.com/astral-sh/uv/pull/3554))
- Skip Python 2 versions when locating Python ([3476](https://github.com/astral-sh/uv/pull/3476))
- Make `--isolated` a global argument ([3558](https://github.com/astral-sh/uv/pull/3558))
- Allow unknown `pyproject.toml` fields ([3511](https://github.com/astral-sh/uv/pull/3511))
- Change error value detection for glibc ([3487](https://github.com/astral-sh/uv/pull/3487))

Preview features

- Create virtualenv if it doesn't exist in project API ([3499](https://github.com/astral-sh/uv/pull/3499))
- Discover `uv run` projects hierarchically ([3494](https://github.com/astral-sh/uv/pull/3494))
- Read and write `uv.lock` based on project root ([3497](https://github.com/astral-sh/uv/pull/3497))
- Read package name from `pyproject.toml` in `uv run` ([3496](https://github.com/astral-sh/uv/pull/3496))
- Rebrand workspace API as project API ([3489](https://github.com/astral-sh/uv/pull/3489))

0.1.42

Not secure
This release includes stabilized support for persistent configuration in uv.

uv will now read project configuration from a `pyproject.toml` or `uv.toml` file in the current
directory or any parent directory, along with user configuration at `~/.config/uv/uv.toml`
(or `$XDG_CONFIG_HOME/uv/uv.toml`) on macOS and Linux, and `%APPDATA%\uv\uv.toml` on Windows.

See: [Persistent Configuration](https://github.com/astral-sh/uv?tab=readme-ov-file#persistent-configuration) for more.

Enhancements

- Respect `MACOSX_DEPLOYMENT_TARGET` in `--python-platform` ([3470](https://github.com/astral-sh/uv/pull/3470))

Configuration

- Add documentation for persistent configuration ([3467](https://github.com/astral-sh/uv/pull/3467))
- Add JSON Schema export to SchemaStore ([3461](https://github.com/astral-sh/uv/pull/3461))
- Merge user and workspace settings ([3462](https://github.com/astral-sh/uv/pull/3462))

Bug fixes

- Use Metadata10 to parse PKG-INFO of legacy editable ([3450](https://github.com/astral-sh/uv/pull/3450))
- Apply normcase to line from easy-install.pth ([3451](https://github.com/astral-sh/uv/pull/3451))
- Upgrade `async_http_range_reader` to v0.8.0 to respect redirects in range
requests ([3460](https://github.com/astral-sh/uv/pull/3460))
- Use last non-EOL version for `--python-platform` macOS ([3469](https://github.com/astral-sh/uv/pull/3469))

Preview features

- Use environment layering for `uv run --with` ([3447](https://github.com/astral-sh/uv/pull/3447))
- Warn when missing minimal bounds when using `tool.uv.sources` ([3452](https://github.com/astral-sh/uv/pull/3452))

0.1.41

Not secure
Bug fixes

- Remove unconstrained version error from requirements ([3443](https://github.com/astral-sh/uv/pull/3443))

Page 15 of 22

Links

Releases

Has known vulnerabilities

Previous Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.