Commit Graph

8563 Commits

Author SHA1 Message Date
Brad Cowie 753ad06fe5 Prevent uv tool upgrade from installing excluded dependencies (#18022)
## Summary

<!-- What's the purpose of the change? What does it do, and why? -->

Fixes #18021

Store dependencies excluded by uv tool install in the tool receipt and
provide these same dependencies to the requirements resolver when the
tool is upgraded.

## Test Plan

<!-- How was it tested? -->

Running the repro commands provided in issue #18021, we can see the
excluded dependency does not get reinstalled when the tool is upgraded:

```sh
$ cat /tmp/excludes.txt
markdown-it-py

$ ~/Dev/uv/target/debug/uv install --excludes /tmp/excludes.txt 2048-cli==1.0.2
Resolved 7 packages in 150ms
Installed 7 packages in 56ms
 + 2048-cli==1.0.2
 + click==8.3.1
 + maturin==1.12.0
 + numpy==2.4.2
 + pygments==2.19.2
 + rich==13.9.4
 + rich-menu==0.3.0
Installed 1 executable: 2048-cli

$ cat ~/.local/share/uv/tools/2048-cli/uv-receipt.toml
[tool]
requirements = [{ name = "2048-cli" }]
excludes = ["markdown-it-py"]
entrypoints = [
    { name = "2048-cli", install-path = "/home/brad/.local/bin/2048-cli", from = "2048-cli" },
]

$ ~/Dev/uv/target/debug/uv tool upgrade 2048-cli
Updated 2048-cli v1.0.2 -> v1.0.3
 - 2048-cli==1.0.2
 + 2048-cli==1.0.3
Installed 1 executable: 2048-cli
```

---------

Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
2026-03-03 17:06:35 +00:00
Zanie Blue d426a2d568 Use an Ubuntu snapshot to pin some Docker build dependency versions (#18251)
This is an incremental step to harden our Docker build pipeline.
2026-03-03 10:42:02 -06:00
Zanie Blue 18391e295f Fix Docker build tests when push is disabled (#18265) 2026-03-03 10:12:59 -06:00
William Woodruff 02e804e920 Scaffolding for uv audit (#18119)
## Summary

This provides the scaffolding (CLI and initial `uv-audit` crate) for a
`uv audit` subcommand.

Closes #9189.

Tracking:

- [x] Core CLI scaffolding (this PR)
    - [x] #18185 
- [x] Audit core (probably a new `uv-audit` crate): #18124 
- [ ] Bulk dependency audits with OSV
- [ ] Result presentation
    - [ ] #18193 


Things that also need to be done with the MVP:

- [ ] We should not audit workspace members by default (by definition,
they don't exist on indices and therefore don't have meaningful results
from vulnerability services).
- [ ] I need to ensure groups/etc. are being filtered by correctly,
right now we audit every single package in the lockfile unconditionally.

## Test Plan

Unit and integration tests commensurate with the new functionality.

---------

Signed-off-by: William Woodruff <william@astral.sh>
2026-03-03 11:11:37 -05:00
Zanie Blue 33ae43d341 Add Docker images based on Docker Hardened Images (#18247) 2026-03-03 08:45:19 -06:00
Zanie Blue e0f99d1985 Allow pushing Docker images in pull requests for testing (#18253)
I need to test features that require push to a registry, e.g., #18252,
and want to do so without releasing. This adds publish to a `uv-dev`
namespace and uses the sha instead of the version. It requires the
`release-test` environment, which is allowed from non-main but requires
approval from me to run. It is trigged by the `build:push-docker` label.

See https://github.com/astral-sh/uv/pkgs/container/uv-dev
2026-03-03 07:40:23 -06:00
Zsolt Dollenstein ce4b9a410a Fetch CPython from an Astral mirror by default (#18207) 2026-03-03 07:02:09 -05:00
Charlie Marsh 34b7734324 Promote authentication policy when saving tool receipts (#18246)
## Summary

If the user provides credentials for an index URL during tool install,
we strip the credentials. However, we now store the authentication
policy as `always` to ensure that if the user attempts to upgrade, and
we can't query the index, we correctly fail.

This won't cover credentials provided via keyring, but it will cover
embedded credentials and environment variables.

Closes https://github.com/astral-sh/uv/issues/18120.
2026-03-02 16:33:24 -06:00
Mathieu Kniewallner fa116eff05 Mention cooldown and tweak inline script metadata in dependency bots documentation (#18230)
## Summary

Update [Dependency
bots](https://docs.astral.sh/uv/guides/integration/dependency-bots/)
documentation to mention how to set up dependency cooldown on
Renovate/Dependabot, to match what could be set in `exclude-newer`.

Also:
- updating configuration example for inline script metadata, as per
[this
documentation](https://docs.renovatebot.com/configuration-options/#managerfilepatterns),
`fileMatch` is deprecated, and `managerFilePatterns` should be used
instead -- the option supports both globs and regexes, so I've updated
the examples to highlight that globs can be used
- adding a note about Renovate not supporting lock files for inline
script metadata yet

## Test Plan

Rendered the documentation locally.

For all Renovate changes, tested locally using:
```shell
pnpx renovate --platform local
```

For Dependabot, I did not test it as I don't use it, so I've followed
the
[documentation](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-).
2026-03-02 09:18:39 -06:00
Robin 198813cc4d docs(gitlab): move cache prune to after_script (#18206)
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

IMO the cache prune should be moved to
[`after_script`](https://docs.gitlab.com/ci/yaml/#after_script)

<!-- What's the purpose of the change? What does it do, and why? -->
2026-03-02 08:42:03 -06:00
Zanie Blue 10e84d18ff Ensure the astral-test-pypa-gh-action test case fails on script bugs (#18175)
Per https://github.com/astral-sh/uv/pull/18174 this should fail but it
depends on hitting the simple API in the middle of a release being
uploaded.
2026-03-02 08:41:46 -06:00
Connor McCarthy acccaf8913 fix(pip-compile): respect constraints during --upgrade (#18226)
## Summary

[`pip-compile`] (jazzband) has the following semantics when invoked with
both `--upgrade` and `--upgrade-package={pkg}{constraint}`: upgrade all
packages WHILE abiding by the constraints provided.

Currently, `uv` ignores the additional constraints, merging `--upgrade`
and `--upgrade-package` simply as `--upgrade`, which is obviously a
divergence in behavior. This leads to specific package constraints being
ignored, even when explicitly provided. When I went to look at patching
this, I noticed an open TODO around the same behavior in the
`--no-upgrade` case.

As a solution, separate the `UpgradeStrategy` from the constraints
provided, allowing for a more graceful merge.

[`pip-compile`]: https://github.com/jazzband/pip-tools

I've created an issue to track this here:
https://github.com/astral-sh/uv/issues/18225

## Test Plan

I've added a few integration tests to cover this case (including
updating the negative test that existed), and updated the relevant
snapshots.

---------

Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
2026-03-02 08:40:48 -06:00
konsti 54361e6d9f Remove superfluous Cow (#18245) 2026-03-02 12:08:37 +01:00
konsti 3ecb77b199 Normalize inline snapshots (#18183)
I recreated all insta snapshots to reduce the churn in future PRs.

```
cargo insta test --force-update-snapshots --test-runner nextest
```
2026-03-02 10:01:38 +00:00
konsti 876a7cc3d7 Extend uv_build direct build compatibility (#17902)
uv 0.10 can use direct builds for uv_build with `<0.10`, there were no
breaking changes.

This PR also revamps the direct build detection to be more sensitive and
improves the errors messages.

---------

Co-authored-by: Aria Desires <aria.desires@gmail.com>
2026-03-02 10:48:56 +01:00
konsti 7c638055c8 Strip trailing whitespace from tool_install_uninstallable (#18184)
Avoid churn in this file when IDEs remove the trailing whitespace while
the snapshot contains. This single space looks like a typo in the pyenv
placeholder package.

Alternative to https://github.com/astral-sh/uv/pull/18182.
2026-03-02 10:46:50 +01:00
renovate[bot] d4a6143453 Update Rust crate jiff to v0.2.21 (#18239) 2026-03-01 20:59:52 -05:00
renovate[bot] f1caf44bcc Update crate-ci/typos action to v1.43.5 (#18234) 2026-03-01 20:59:27 -05:00
renovate[bot] 828adcd5c0 Update Rust crate clap to v4.5.60 (#18238) 2026-03-01 20:55:05 -05:00
renovate[bot] 9be07bca81 Update Rust crate anyhow to v1.0.102 (#18237) 2026-03-01 20:54:59 -05:00
renovate[bot] 29e4faf9eb Update maturin to v1.12.4 (#18236) 2026-03-01 20:54:48 -05:00
renovate[bot] 6aed9d626f Update dependency astral-sh/uv to v0.10.7 (#18235) 2026-03-01 20:54:21 -05:00
renovate[bot] cd0589a7bd Update astral-sh/setup-uv action to v7.3.1 (#18233) 2026-03-01 20:54:15 -05:00
renovate[bot] 02d781c958 Update Rust crate syn to v2.0.117 (#18240) 2026-03-01 20:54:00 -05:00
renovate[bot] b67d765b34 Update Rust crate owo-colors to v4.3.0 (#18242) 2026-03-01 20:53:54 -05:00
renovate[bot] 840131b6e1 Update Rust crate security-framework to v3.7.0 (#18243) 2026-03-01 20:53:41 -05:00
Chiranjeevi U 905d97dc82 Skip installed Python check for URL dependencies (#18211)
## Summary

Skip the installed Python version check when resolving URL dependencies.
Such checks are already skipped for registry dependencies.

Closes https://github.com/astral-sh/uv/issues/18199.

---------

Signed-off-by: Chiranjeevi U <244287281+chiranjeevi-max@users.noreply.github.com>
Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
2026-03-01 20:38:17 +00:00
konsti deb70839b8 Configure a real retry minimum of 1s (#18201)
By default, retry-policies compute the actual retry duration as
`min_retry_interval * (base ** n_past_retries) * rng.uniform(0.0, 1.0)`,
so the first sleep duration would be between 0s and 1s. This change
bumps this to a real 1s minimum.
2026-03-01 16:34:20 +01:00
Charlie Marsh 548b29ffc3 Retain default-branch Git SHAs in pylock.toml files (#18227)
## Summary

If no revision is specified, we should assume the input used the default
branch (rather than returning early and ignoring the existing SHA).

Closes https://github.com/astral-sh/uv/issues/18224.
2026-02-28 20:50:11 -05:00
Zsolt Dollenstein 474eb05634 Build and test Windows aarch64 binaries natively (#18213)
Previously, aarch64 Windows binaries were cross-compiled on x86_64 hosts
in both build-release-binaries.yml and build-dev-binaries.yml, with the
wheel test steps explicitly skipped for aarch64 targets.

> [!NOTE]
> We need to ensure that the `github-windows-11-aarch64-8` runner exists
in the astral-sh org before this job can run.

Release binaries are now built on `github-windows-11-aarch64-8`, and
tests are enabled.

Dev binaries are now built on `windows-11-arm`, which is a standard
4-core ARM runner, with the timeout reduced from 25 to 10 minutes.
2026-02-27 17:12:13 -06:00
liam ef1045668c Add UV_INIT_BARE environment variable for uv init (#18210)
Resolves https://github.com/astral-sh/uv/issues/18202

This diff adds a `UV_INIT_BARE` environment variable that makes `--bare`
the default behavior for `uv init`. The command-line flag takes
precedence over the environment variable, following the same pattern
used by `UV_FROZEN`, `UV_LOCKED`, and other boolean environment
variables.
2026-02-27 17:37:28 -05:00
Zsolt Dollenstein c0e7c21980 Upload extra release artifacts to mirror (#18219)
@Gankra pointed out that the installer scripts and sha256 checksums are
helpful to also preserve on the mirror.

This is a followup to #18159.
2026-02-27 20:16:31 +00:00
Tobias Diez 4551effe6a Improve hint for installing meson-python when missing as build backend (#15826)
<!--
Thank you for contributing to uv! To help us out with reviewing, please
consider the following:

- Does this pull request include a summary of the change? (See below.)
- Does this pull request include a descriptive title?
- Does this pull request include references to any relevant issues?
-->

## Summary

If a package uses meson-python as backend, it's declared as:
```
[build-system]
build-backend = 'mesonpy'
requires = ['meson-python']
```

Currently, if meson-python is missing, one gets the following hint:
```
Traceback (most recent call last):
        File "<string>", line 8, in <module>
          import mesonpy as backend
      ModuleNotFoundError: No module named 'mesonpy'

      hint: This error likely indicates that `sagemath` depends on `mesonpy`, but doesn't declare it as a build
      dependency. If `sagemath` is a first-party package, consider adding `mesonpy` to its `build-system.requires`.
      Otherwise, either add it to your `pyproject.toml` under:

      [tool.uv.extra-build-dependencies]
      sagemath = ["mesonpy"]

      or `uv pip install mesonpy` into the environment and re-run with `--no-build-isolation`.
```

which is not quite correct as the build backend/module is called
"mesonpy" but the python package one has to install is "meson-python".
This hint is improved in this PR.


<!-- What's the purpose of the change? What does it do, and why? -->

## Test Plan

I didn't yet had a chance to setup a local dev env for testing this.
<!-- How was it tested? -->
2026-02-27 20:16:07 +00:00
liam 99cb2a2c50 Add resolver hint when --exclude-newer filters out all versions of a package (#18217)
Resolves #18014 (also related to
https://github.com/astral-sh/uv/issues/18010)

When `--exclude-newer` is active and all versions of a required package
were uploaded after the cutoff, resolution fails with no indication that
the setting is the cause. This diff adds a resolver hint that surfaces
the relationship.

The diff also includes debug-level logging of the exclude-newer
configuration at resolver start (happy to get this in separately, if
needed), and trace-level logging each time an individual file is
excluded by the timestamp cutoff. These help diagnose resolution
behavior without requiring the hint to fire.
2026-02-27 13:59:02 -06:00
Zsolt Dollenstein f84b02b870 installers: Download uv releases from a mirror (#18191)
Co-authored-by: Aria Desires <aria.desires@gmail.com>
2026-02-27 11:58:00 -05:00
Zsolt Dollenstein 08ab1a3447 Bump version to 0.10.7 (#18212) 2026-02-27 07:07:47 -05:00
Zsolt Dollenstein 4ade648565 Upload uv releases to a mirror (#18159) 2026-02-27 04:56:43 -05:00
konsti c34670e025 Activate logging for middleware retries (#18200)
https://github.com/astral-sh/reqwest-middleware/blob/9d6740936fd3378eb891b51bda12ff28f998642c/reqwest-retry/src/middleware.rs#L170-L176
2026-02-26 10:29:00 +00:00
Zanie Blue 2591bfb6b0 Fix handling of junctions in Windows Containers on Windows (#18192)
Takes https://github.com/tesuji/junction/releases/tag/v1.4.2 with
https://github.com/tesuji/junction/pull/33

Closes https://github.com/astral-sh/uv/issues/17966
2026-02-25 09:56:35 -06:00
konsti 3697a2da18 Use global semaphores for concurrency limits (#18156)
Avoid problems such as https://github.com/astral-sh/uv/issues/15307,
follow-up to https://github.com/astral-sh/uv/pull/18054. See also
https://github.com/astral-sh/uv/pull/17633, for which this should be
helpful.
2026-02-25 15:53:06 +01:00
renovate[bot] c030397cac Update aws-actions/configure-aws-credentials action to v6 (#18048)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[aws-actions/configure-aws-credentials](https://redirect.github.com/aws-actions/configure-aws-credentials)
| action | major | `v5.1.1` → `v6.0.0` |

---

### Release Notes

<details>
<summary>aws-actions/configure-aws-credentials
(aws-actions/configure-aws-credentials)</summary>

###
[`v6.0.0`](https://redirect.github.com/aws-actions/configure-aws-credentials/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v5.1.1...v6.0.0)

##### ⚠ BREAKING CHANGES

- Update action to use node24 *Note this requires GitHub action runner
version
[v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later*
([#&#8203;1632](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1632))
([a7a2c11](https://redirect.github.com/aws-actions/configure-aws-credentials/commit/a7a2c1125c67f40a1e95768f4e4a7d8f019f87af))

##### Features

- add support to define transitive tag keys
([#&#8203;1316](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1316))
([232435c](https://redirect.github.com/aws-actions/configure-aws-credentials/commit/232435c0c05e51137544f0203931b84893d13b74))
([930ebd9](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1628/changes/930ebd9bcaed959c3ba9e21567e8abbc3cae72c0))

##### Bug Fixes

- properly output `aws-account-id` and `authenticated-arn` when using
role-chaining
([#&#8203;1633](https://redirect.github.com/aws-actions/configure-aws-credentials/pull/1633))
([7ceaf96](https://redirect.github.com/aws-actions/configure-aws-credentials/commit/7ceaf96edc86cc1713cef59eba79feeb23f59da1))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44LjUiLCJ1cGRhdGVkSW5WZXIiOiI0My44LjUiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImJ1aWxkOnNraXAtcmVsZWFzZSIsImludGVybmFsIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-25 15:16:26 +01:00
Zanie Blue a91bcf2683 Bump version to 0.10.6 (#18189) 2026-02-24 17:33:36 -06:00
Zanie Blue 908a7c11af Preserve file permissions when using reflinks on Linux (#18187)
Fixes an regression from #18117 where executable permissions were not
preserved on reflink. On Linux, the `FICLONE` ioctl only clones data
blocks without preserving file metadata, so permissions must be copied
separately. On macOS, `clonefile` already preserves permissions.

This appears to be a well known issue:

- https://github.com/pnpm/pnpm/issues/8546
-
https://github.com/morelj/reflink/blob/53408edf3bf3c5090b1146923f72066c7f6e9200/cloneflags.go#L6-L22
- https://github.com/python/cpython/issues/81338

Closes https://github.com/astral-sh/uv/issues/18181
2026-02-24 17:15:46 -06:00
konsti 55cfaf9d94 Apply lockfile marker normalization for fork markers (#18116)
While dependency markers get a roundtrip through simplify/complexify
([crates/uv-resolver/src/lock/mod.rs#L4846-L4848](https://github.com/astral-sh/uv/blob/3223b1c39f8011a4460f2b5d56ace19e5d26e16d/crates/uv-resolver/src/lock/mod.rs#L4846-L4848),
https://github.com/astral-sh/uv/pull/15994), this treatment was missing
for fork markers, causing errors with `--locked --refresh` on a fresh
lockfile.

Fixes #16839
Closes #18024
2026-02-24 17:43:11 +01:00
Zanie Blue 7ba594650a Remove verbose documentation from optional dependencies help text (#18180)
This seems a bit much

Co-authored-by: Claude <noreply@anthropic.com>
2026-02-24 06:34:04 -06:00
Zanie Blue f5b95ba548 Fix Python version selection for scripts with a requires-python conflicting with .python-version (#18097)
See https://github.com/astral-sh/uv/issues/17717#issuecomment-3886377795

Updates `ScriptPython::from_request` to match the implementation of
`WorkspacePython::from_request` and adds filtering such that if the
`.python-version` conflicts with the `requires-python`, we prefer the
latter.

Co-authored-by: Claude <noreply@anthropic.com>
2026-02-24 05:16:48 -06:00
Zanie Blue f5e00a36f0 Fix astral-test-pypa-gh-action publish test bug in patch version retrieval (#18174)
The jq filter used `.files[-1].filename` to get the latest published
version then uses sed to extract the version from a sdist filename, but
the last file in the list can be a wheel rather than an sdist in the
middle of an upload. When it's a wheel, the filename passes through
unchanged and bash complains trying to evaluate it as arithmetic.

e.g.:

> astral_test_pypa_gh_action-0.1.1650-py3-none-any.whl: syntax error:
invalid arithmetic operator (error token is ".1.1650-py3-none-any.whl")

Surprisingly, this does not fail the job — `sed -i
"s/0.1.0/0.1.$((patch_version + 1))/g` fails silently in its subshell,
leaving the version as 0.1.0, `test.pypi.org` returns 400 File already
exists, and the test succeeds because we use `skip-existing: true`.
2026-02-24 04:35:13 -06:00
renovate[bot] 70a3bf09df Update peter-evans/create-pull-request action to v8.1.0 (#17932) 2026-02-23 21:37:00 -05:00
renovate[bot] f2c006a7a4 Update conda-incubator/setup-miniconda action to v3.3.0 (#17929) 2026-02-23 21:36:40 -05:00
renovate[bot] 0d35322856 Update actions/attest-build-provenance action to v3.2.0 (#17925) 2026-02-23 21:36:30 -05:00