Commit Graph

1320 Commits

Author SHA1 Message Date
Zanie Blue 464a33ca82 Bump version to 0.11.3 (#18805) 2026-04-01 15:52:54 -05:00
Rex Ledesma 08577895ae docs: add explicit example for opting package out of --exclude-newer (#18803)
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

Add the explicit configuration for opting out a package out of
`--exclude-newer`. The docs mention this from
https://github.com/astral-sh/uv/pull/16854, but the actual
pyproject.toml configuration was missing. I found it from
https://github.com/astral-sh/uv/issues/12449#issuecomment-4170155721,
but this should be in the docs.

## Test Plan

uv run --only-group docs mkdocs serve -f mkdocs.yml

---------

Co-authored-by: Zanie Blue <contact@zanie.dev>
2026-04-01 20:40:20 +00:00
Aria Desires 202e0f0831 Expand uv workspace metadata with dependency information from the lock (#18356)
## Summary

This expands `uv workspace metadata` with many of the fields that are
found in `uv.lock` so that we have a format with information about the
dependency graph/resolution that we're willing to call stable and have
people rely upon (rather than `uv.lock` which we'd rather you don't try
to interpret).

To a first approximation you can think of this as "uv.lock but
serialized to json" but with the fields a bit more limited for now (easy
to add later).

The biggest intentional divergence with uv.lock is that we favour
encoding the dependency graph in a form that looks more like our
internal "resolve" graph, in that hopes that it will simplify the work
of anyone doing analysis on the graph (we structure our internal graph
like this for a reason).

Specifically, the `resolve` field contains the entire dependency graph,
with packages desugarred into several different nodes. There are 4 kinds
of nodes (really 3, the build nodes will only be introduced when we
establish build-dependency locking):

* packages: `mypackage==1.0.0 @ registry+https://pypi.org/simple`
* extras: `mypackage[myextra]==1.0.0 @ registry+https://pypi.org/simple`
* groups: `mypackage:mygroup==1.0.0 @ registry+https://pypi.org/simple`
* build:    `mypackage(build)==1.0.0 @ registry+https://pypi.org/simple`

package nodes hold additional metadata about the package itself, and ids
of the associated extra/group/build nodes.

---

A package like this:

```toml
[project]
name = "mypackage"
version = "1.0.0"

dependencies = ["httpx"]

[project.optional-dependencies]
cli = ["rich"]

[dependency-groups]
dev = ["typing-extensions"]

[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"
```

will get 4 nodes with the following edges (Version and Source omitted
here for brevity):
* `mypackage`
  * `httpx`
* `mypackage(build)`
  * `hatchling`
* `mypackage[cli]`
  * `mypackage`
  * `rich`
* `mypackage:dev`
  * `typing-extensions`
  
Note that `mypackage[cli]` has a dependency edge on `mypackage` while
`mypackage:dev` does not. This is because
`mypackage[cli]` is fundamentally an augmentation of `mypackage` while
`mypackage:dev` is just a list of packages that happens to be defined by
`mypackage`'s pyproject.toml.
 
 The resulting nodes for `mypackage` will look something like:
 
 <details>
 <summary>json blob</summary>
 
```json
{
  "resolve": {
    "mypackage==1.0.0 @ editable+.": {
      "name": "mypackage",
      "version": "1.0.0",
      "source": {
        "editable": "."
      },
      "kind": "package",
      "dependencies": [
        {
          "id": "httpx==3.6 @ registry+https://pypi.org/simple"
          "marker": "sys_platform == 'linux'"
        },
      ],
      "optional_dependencies": [
        {
          "name": "cli",
          "id": "mypackage[cli]==1.0.0 @ editable+."
        },
      ],
      "dependency_groups": [
        {
          "name": "dev",
          "id": "mypackage:dev==1.0.0 @ editable+."
        }
      ]
      "build_system": {
        "build_backend": "hatchling.build",
        "id": "mypackage(build)==1.0.0 @ editable+."
      }
      "sdist": { ... },
      "wheels": [ ... ]
    },
    "mypackage:dev==1.0.0 @ editable+.": {
        "name": "mypackage",
        "version": "1.0.0",
        "source": {
          "editable": "."
        },
        "kind": {
          "group": "dev"
        },
        "dependencies": [
          {
            "id": "typing-extensions==1.2.3 @ registry+https://pypi.org/simple"
          },
        ]
      },
   }
   "mypackage[cli]==1.0.0 @ editable+.": {
      "name": "mypackage",
      "version": "1.0.0",
      "source": {
        "editable": "."
      },
      "kind": {
        "extra": "cli"
      },
      "dependencies": [
        {
          "id": "rich==2.2.3 @ registry+https://pypi.org/simple"
        },
        {
          "id": "mypackage==1.0.0 @ editable+."
        },
      ]
    },
    "mypackage(build)==1.0.0 @ editable+.": {
      "name": "mypackage",
      "version": "1.0.0",
      "source": {
        "editable": "."
      },
      "kind": "build",
      "dependencies": [
        {
          "id": "hatchling==3.2.3 @ registry+https://pypi.org/simple"
        },
      ]
    }
  }
}
```

</details>

## Test Plan

Snapshots
2026-03-27 09:22:03 -04:00
Zanie Blue 02036a8ba5 Bump version to 0.11.2 (#18732) 2026-03-26 20:44:25 +00:00
Zanie Blue a6042f67fc Bump version to 0.11.1 (#18704) 2026-03-24 22:18:22 +00:00
Zanie Blue f772f71b91 Cover --python <dir> in "Using arbitrary Python environments" (#6457)
Closes https://github.com/astral-sh/uv/issues/6237
2026-03-24 13:02:27 +00:00
Zanie Blue 1f31f0e9fb Bump version to 0.11.0 (#18683)
Co-authored-by: Zsolt Dollenstein <zsol.zsol@gmail.com>
Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com>
2026-03-23 21:13:35 +00:00
Zanie Blue 10477cd1ce Split the alternative indexes page into separate pages (#18607)
Same idea as #18597
2026-03-23 14:41:51 -05:00
Lirui Luo 47edbf95a9 Clarify FLASH_ATTENTION_SKIP_CUDA_BUILD guidance for flash-attn installs (#18473)
## Summary
- replace the current `FLASH_ATTENTION_SKIP_CUDA_BUILD` wording with a
more accurate description
- explain that the variable disables local CUDA compilation instead of
guaranteeing a compatible wheel
- recommend pinning to a known-supported combination when relying on
published wheels

Addresses #17794.

---------

Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
2026-03-23 19:22:52 +00:00
Zanie Blue b6854d77bf Upgrade reqwest to 0.13 (#18550)
The following user-facing changes are included here:

- `aws-lc` is used instead of `ring` for a cryptography backend
- Expands our certificate signature algorithm support to include
ECDSA_P256_SHA512, ECDSA_P384_SHA512, ECDSA_P521_SHA256,
ECDSA_P521_SHA384, and ECDSA_P521_SHA512
- `--native-tls` is deprecated in favor of a new `--system-certs` flag,
avoiding confusion with the TLS implementation used (we use `rustls` not
`native-tls`, see prior confusion at
https://github.com/astral-sh/uv/issues/11595)
- NASM is a new build requirement on Windows, it is required by `aws-lc`
on x86-64 and i386
- `rustls-platform-verifier` is used instead of `rustls-native-certs`
for system certificate verification
- On macOS, certificate validation is now delegated to
`Security.framework` (`SecTrust`). Performance when using
`--system-certs` is improved by avoiding exporting and parsing all the
certificates from the keychain at startup.
- On Windows, certificate validation is now delegated to
`CertGetCertificateChain` and `CertVerifyCertificateChainPolicy`
    - On Linux, certificate validation should be approximately unchanged
- Some previously failing chains may succeed, and some previously
accepted chains may fail; generally, this should result in behavior
closer matching browsers and other native applications
- macOS and Windows may now perform live OCSP fetches for early
revocation, which could add latency to some requests
- Empty `SSL_CERT_FILE` values are ignored (for consistency with
`SSL_CERT_DIR`)

The following internal changes are included here:

- Certificate loading has been refactored to use a newtype with helper
methods
- The certificate tests have been rewritten
- We use `webpki-root-certs` instead of `webpki-roots`, see
https://github.com/astral-sh/uv/pull/17543#discussion_r2820187691
- We request `identity` encoding for range requests, see
https://github.com/astral-sh/async_http_range_reader/pull/3#discussion_r2700194798
- Various dependencies (including forks) updates to versions which use
reqwest 0.13+

This is a replacement of #17543 with an updated description. See that
pull request for prior discussion. I've made the following changes from
the initial approach there:

- Previously, the `native-tls` TLS implementation was added which
included an OpenSSL build. We don't currently use the `native-tls`
implementation, but the `--native-tls` flag there was erroneously
updated to enable it.
- Previously, there was a `--tls-backend` flag to toggle between
`native-tls` and `rustls`. Since we currently always use `rustls`, this
is deferred to future work (if we need it at all).
- Previously, there were unintentional breaking changes to
`SSL_CERT_FILE` and `SSL_CERT_DIR` handling, including merging with the
base certificates instead of replacing them, dropping support for
OpenSSL hash-named certificate files, skipping deduplication of
certificates. Here, we retain use of `rustls-native-certs` for loading
certificates from the system as it handles these edge cases.


Closes https://github.com/astral-sh/uv/issues/17427

---------

Co-authored-by: salmonsd <22984014+salmonsd@users.noreply.github.com>
2026-03-23 13:22:19 -05:00
Zanie Blue 635a76cad3 Split the dependency-bots page into two separate pages (#18597) 2026-03-20 14:01:55 -05:00
Zanie Blue 029d79f34f Add details on Linux versions to the platform policy (#18574) 2026-03-20 08:00:45 -05:00
Zanie Blue 00d72dac7b Bump version to 0.10.12 (#18578) 2026-03-19 21:18:55 +00:00
Zanie Blue 7025a09090 Move Pyodide to Tier 2 in the Python support policy (#18561)
We support managed installs of these now.
2026-03-18 22:03:50 -05:00
Zanie Blue 54bf9b04eb Update the Python version policy (#18559) 2026-03-18 22:03:41 -05:00
Zanie Blue 4419f9cd39 Update Docker guide with changes from uv-docker-example (#18558)
Closes https://github.com/astral-sh/uv/issues/18556
2026-03-18 18:32:22 -05:00
Zanie Blue 87fa30a320 Add Python 3.15 to supported versions (#18552) 2026-03-18 09:28:41 -05:00
Zanie Blue 4f9c88cd3e Adjust the PyPy note (#18548) 2026-03-18 09:08:55 -05:00
Zanie Blue 287faaf92c Move Rust and Python version support out of the Platform support policy (#18535)
The content is unchanged.

I'm planning to expand the content in the Python version and Platform
support files and generally don't like that these are mixed.
2026-03-18 07:47:21 -05:00
Charlie Marsh 006b56b12d Bump version to 0.10.11 (#18521)
Co-authored-by: Tomasz Kramkowski <tom@astral.sh>
2026-03-16 19:32:39 -04:00
William Woodruff 4d4b968f25 Deprecate some non-PEP 625 source distributions (#17467) 2026-03-17 08:18:09 +09:00
Inada Naoki efdf905f82 Add missing -o requirements.txt in uv pip compile example (#12308)
## Summary

`uv pip compile` doesn't produce `requirements.txt` without `-o
requirements.txt` option.
2026-03-15 21:34:14 +00:00
Zanie Blue 8c730aaad6 Bump version to 0.10.10 (#18455) 2026-03-13 14:35:08 -05:00
William Woodruff 7319e4699c Remove overloaded use of 'audit' (#18427)
## Summary

Once `uv audit` lands, this will be pretty confusing to users IMO.

I've changed it to "Checked" to demo-run the changes, but I'd definitely
appreciate opinions on a better term for this (scanned? validated?)

## Test Plan

Bumped so many snapshots.

---------

Signed-off-by: William Woodruff <william@astral.sh>
2026-03-13 23:17:06 +09:00
Zanie Blue d1c6f03726 Update the platform support policy with a tier 3 section including freebsd and 32-bit windows (#18345)
And I'll add Android once we land some more patches.
2026-03-07 09:12:36 -06:00
Zanie Blue f675560f32 Bump version to 0.10.9 (#18357) 2026-03-06 14:00:59 -06:00
luyiming 7520fe6c25 Improve documentation on virtual dependencies (#18346)
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

<!-- What's the purpose of the change? What does it do, and why? -->

The current documentation for virtual dependencies is somewhat confusing
because it places the sentence

> "the package will be built even if a build system is not declared"

immediately after introducing `tool.uv.package = false`. This makes it
sound as if the package might still be built when `package = false` is
set.

In reality, that sentence describes the *default behavior of path
dependencies* (when `package = false` is not set). The revised wording
clarifies that:

- `package = false` → the dependency becomes virtual (its dependencies
are installed, but the package itself is not built or installed)
- otherwise → uv treats the path dependency as a normal package and will
attempt to build it, even without a `[build-system]`.
2026-03-06 10:50:11 -06:00
Charlie Marsh 9f53c5866f Add documentation for common marker values (#18327)
Closes https://github.com/astral-sh/uv/issues/18300.
2026-03-05 21:18:01 +00:00
Zanie Blue 4ff4720da5 Use uv to manage our Python documentation dependencies (#18263)
I want to lock our Zig build dependencies and this is an incremental
step towards doing so via uv
2026-03-04 09:52:15 -06:00
Zanie Blue c021be36ab Bump version to 0.10.8 (#18277) 2026-03-03 15:08:03 -06:00
Zanie Blue 33ae43d341 Add Docker images based on Docker Hardened Images (#18247) 2026-03-03 08:45:19 -06:00
Mathieu Kniewallner fa116eff05 Mention cooldown and tweak inline script metadata in dependency bots documentation (#18230)
## Summary

Update [Dependency
bots](https://docs.astral.sh/uv/guides/integration/dependency-bots/)
documentation to mention how to set up dependency cooldown on
Renovate/Dependabot, to match what could be set in `exclude-newer`.

Also:
- updating configuration example for inline script metadata, as per
[this
documentation](https://docs.renovatebot.com/configuration-options/#managerfilepatterns),
`fileMatch` is deprecated, and `managerFilePatterns` should be used
instead -- the option supports both globs and regexes, so I've updated
the examples to highlight that globs can be used
- adding a note about Renovate not supporting lock files for inline
script metadata yet

## Test Plan

Rendered the documentation locally.

For all Renovate changes, tested locally using:
```shell
pnpx renovate --platform local
```

For Dependabot, I did not test it as I don't use it, so I've followed
the
[documentation](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-).
2026-03-02 09:18:39 -06:00
Robin 198813cc4d docs(gitlab): move cache prune to after_script (#18206)
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

IMO the cache prune should be moved to
[`after_script`](https://docs.gitlab.com/ci/yaml/#after_script)

<!-- What's the purpose of the change? What does it do, and why? -->
2026-03-02 08:42:03 -06:00
Zsolt Dollenstein 08ab1a3447 Bump version to 0.10.7 (#18212) 2026-02-27 07:07:47 -05:00
Zanie Blue a91bcf2683 Bump version to 0.10.6 (#18189) 2026-02-24 17:33:36 -06:00
Zanie Blue e2c05a54e6 Bump version to 0.10.5 (#18172) 2026-02-23 16:16:32 -06:00
Zanie Blue 7ce61d5469 Attempt to use reflinks by default on Linux (#18117)
Copy of https://github.com/astral-sh/uv/pull/17753 which GitHub
auto-closed.

This adds test infrastructure for cross-device links and file systems
with reflink support. In short, we create a few extra file systems on
the CI runners then provide their paths to the test suite using
environment variables to ensure we have coverage. If the variables are
not set, the tests are skipped.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-02-23 13:53:50 +00:00
Zanie Blue 563c44984c Change doc heading for environment variable files (#18122)
Co-authored-by: Claude <noreply@anthropic.com>
2026-02-20 17:39:47 +00:00
Zanie Blue 7a2dc39eba Make it clear that Windows is supported in user and system level configuration docs (#18106)
Co-authored-by: Claude <noreply@anthropic.com>
2026-02-19 15:02:41 -06:00
Tomasz Kramkowski 079e3fd059 Bump version to 0.10.4 (#18072) 2026-02-17 21:15:57 +00:00
Tomasz Kramkowski c75a0c625c Bump version to 0.10.3 (#18012) 2026-02-16 10:42:51 +00:00
Zanie Blue 4432588c78 Use trixie instead of bookworm in the docs (#17991)
Co-authored-by: Claude <noreply@anthropic.com>
2026-02-12 17:16:51 -05:00
Tomasz Kramkowski a788db7e5d Bump version to 0.10.2 (#17958) 2026-02-10 18:21:21 +00:00
konsti b1b14d39ae Bump version to 0.10.1 (#17953) 2026-02-10 11:14:16 +00:00
Colin Marquardt efdb5847fb Suggest uv python update-shell over uv tool ... (#17941)
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

<!-- What's the purpose of the change? What does it do, and why? -->
Suggest `uv python update-shell` over `uv tool update-shell` since we
are in the `uv python` area here.

## Test Plan

<!-- How was it tested? -->
n/a
2026-02-09 14:01:31 +01:00
Zanie Blue 0ba432459a Bump version to 0.10.0 (#17882)
Co-authored-by: Brent Westbrook <36778786+ntBre@users.noreply.github.com>
2026-02-05 20:28:44 +00:00
Zanie Blue d2ab2d0208 Stabilize Python upgrades (#17766)
Includes a few things...

- Drops preview warnings for use of `uv python upgrade` and `uv python
install --upgrade`
- Adds `--resolve-links` to `uv python find`, which I needed in test
cases to retain existing snapshots
- Fixes issues in our "Using environment ..." messages on Windows which
were incorrect
- Refactors `from_executable` for the `PythonMinorVersionLink` type
(https://github.com/astral-sh/uv/pull/17842/commits/28b2ed2525327d94fdf5372a29bbbc476d74680f)
to use the type system to prevent incorrect construction (for above)
- Removes special casing where we only upgrade links if they already
exist, which existed so preview wasn't needed on every invocation
- Fixes a bug with `PythonMinorVersionLink::exists` which returned
`true` even if the link pointed to the wrong Python installation leading
to discovery failures
2026-02-05 11:52:18 -06:00
Zanie Blue 8b595f032a chore: remove bookworm, alpine 3.21, and py38 published images (#17755)
This is a copy of https://github.com/astral-sh/uv/pull/16520 on #17661

Co-authored-by: samypr100 <3933065+samypr100@users.noreply.github.com>
2026-02-05 11:52:18 -06:00
konsti 2d22e3fe94 Drop PPC64 (big endian) builds (#17626)
PPC64 (big endian) seems dead, and it's only supported on one exact
manylinux version (https://github.com/pypa/auditwheel/issues/669), so we
should drop it.

This change does not affect PPC64LE (little endian).
2026-02-05 11:52:18 -06:00
Zanie Blue ea4560831e Bump version to 0.9.30 (#17865) 2026-02-04 21:18:04 +00:00