This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [acj/freebsd-firecracker-action](https://redirect.github.com/acj/freebsd-firecracker-action) | action | patch | `v0.9.0` → `v0.9.1` |
---
### Release Notes
<details>
<summary>acj/freebsd-firecracker-action
(acj/freebsd-firecracker-action)</summary>
### [`v0.9.1`](https://redirect.github.com/acj/freebsd-firecracker-action/releases/tag/v0.9.1)
[Compare Source](https://redirect.github.com/acj/freebsd-firecracker-action/compare/v0.9.0...v0.9.1)
Changes:
- Upgrade to Firecracker 1.15.1
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJidWlsZDpza2lwLWRvY2tlciIsImJ1aWxkOnNraXAtcmVsZWFzZSIsImludGVybmFsIl19-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
Small follow-up to https://github.com/astral-sh/uv/pull/19076. If a
lookahead URL has its own SHA, we need to include it in the acceptable
SHAs for that URL.
Build dispatch was constructing its manifest without lookaheads, so the
build dependency resolver missed transitive URL dependencies from
workspace members referenced via build-system.requires.
Run LookaheadResolver first and pass the result into
`Manifest::with_lookaheads`, matching the behavior the project resolver
already uses.
Added a regression integration test that fails on main and passes with
this change.
Closes #19074!
---------
Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
Required for https://github.com/astral-sh/uv/pull/19034
Arguably, we could keep our existing behavior and have
`UV_PYTHON_SEARCH_PATH` implicitly disable the registry lookup, but I
think that's too confusing.
This disables registry lookups everywhere and modifications in `uv
python install`. In the latter case, `UV_PYTHON_INSTALL_REGISTRY` takes
precedence.
## Summary
Fixes #19077. Both `-y` and `--yes` are now accepted (as compat no-ops)
to `pip uninstall`.
## Test Plan
Added two integration tests confirming that the flags are no-ops
(besides emitting a warning).
Signed-off-by: William Woodruff <william@astral.sh>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [webpki](https://redirect.github.com/rustls/webpki) | workspace.dependencies | patch | `0.103.10` → `0.103.12` |
### GitHub Vulnerability Alerts
#### [GHSA-xgp8-3hg3-c2mh](https://redirect.github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh)
Permitted subtree name constraints for DNS names were accepted for
certificates asserting a wildcard name.
This was incorrect because, given a name constraint of
`accept.example.com`, `*.example.com` could feasibly allow a name of
`reject.example.com` which is outside the constraint.
This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
Since name constraints are restrictions on otherwise properly-issued
certificates, this bug is reachable only after signature verification
and requires misissuance to exploit.
##### Severity
- CVSS Score: 2.2 / 10 (Low)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N`
#### [GHSA-965h-392x-2mh5](https://redirect.github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5)
Name constraints for URI names were ignored and therefore accepted.
Note this library does not provide an API for asserting URI names, and
URI name constraints are otherwise not implemented. URI name constraints
are now rejected unconditionally.
Since name constraints are restrictions on otherwise properly-issued
certificates, this bug is reachable only after signature verification
and requires misissuance to exploit.
##### Severity
- CVSS Score: 2.2 / 10 (Low)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N`
---------
Signed-off-by: William Woodruff <william@astral.sh>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: William Woodruff <william@astral.sh>
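The wildcard case from GHSA-xgp8-3hg3-c2mh above, worked through as an added example (not webpki's code and not part of the original PR). `permitted_lenient` is a constructed model of the flawed acceptance the advisory describes, `permitted_strict` is one way to check a wildcard against a permitted subtree, and all function names here are hypothetical.

```rust
/// RFC 5280 dNSName subtree rule: `name` equals `base`, or is `base` with
/// labels added on the left. ASCII case-insensitive.
fn in_subtree(name: &str, base: &str) -> bool {
    let (name, base) = (name.to_ascii_lowercase(), base.to_ascii_lowercase());
    name == base || name.ends_with(format!(".{base}").as_str())
}

/// True when the wildcard `*.parent` matches `name` (exactly one extra label).
fn wildcard_covers(parent: &str, name: &str) -> bool {
    let (parent, name) = (parent.to_ascii_lowercase(), name.to_ascii_lowercase());
    name.strip_suffix(format!(".{parent}").as_str())
        .is_some_and(|label| !label.is_empty() && !label.contains('.'))
}

/// Constructed model of the flaw: a wildcard is accepted as soon as it
/// *could* match some name inside the permitted subtree.
fn permitted_lenient(presented: &str, permitted: &str) -> bool {
    match presented.strip_prefix("*.") {
        Some(parent) => in_subtree(parent, permitted) || wildcard_covers(parent, permitted),
        None => in_subtree(presented, permitted),
    }
}

/// Strict check: for `*.parent`, every expansion `x.parent` must lie inside
/// the subtree, which holds only when `parent` itself lies inside it.
fn permitted_strict(presented: &str, permitted: &str) -> bool {
    let concrete = presented.strip_prefix("*.").unwrap_or(presented);
    in_subtree(concrete, permitted)
}

fn main() {
    let permitted = "accept.example.com"; // constraint from the advisory text
    // Constructed sample of presented names.
    for name in ["*.example.com", "*.accept.example.com", "reject.example.com"] {
        println!(
            "{name:24} lenient={} strict={}",
            permitted_lenient(name, permitted),
            permitted_strict(name, permitted)
        );
    }
}
```
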
Closes https://github.com/astral-sh/uv/issues/18708
This is a backwards compatible approach to resolve the issue where this
timestamp is causing merge conflicts.
This has no effect other than eliding the timestamp that was used for
resolution. This value is write-only when using relative `exclude-newer`
values.
---------
Co-authored-by: Claude <noreply@anthropic.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [similar](https://redirect.github.com/mitsuhiko/similar) | workspace.dependencies | major | `2.6.0` → `3.0.0` |
---
### Release Notes
<details>
<summary>mitsuhiko/similar (similar)</summary>
### [`v3.1.0`](https://redirect.github.com/mitsuhiko/similar/blob/HEAD/CHANGELOG.md#310)
[Compare Source](https://redirect.github.com/mitsuhiko/similar/compare/3.0.0...3.1.0)
- Added `capture_diff_slices_by_key` and
`capture_diff_slices_by_key_deadline`
as convenience helpers for diffing slices by derived keys.
- Fixed `Compact` emitting inconsistent `DiffOp` cursor positions after
compaction, which could leave `Delete`/`Insert` operations with stale
`new_index`/`old_index` values.
- Added explicit lifetime capture (`+ use<...>`) on iterator-returning APIs to
improve compatibility with Rust 2024 lifetime capture behavior.
[#93](https://redirect.github.com/mitsuhiko/similar/issues/93)
### [`v3.0.0`](https://redirect.github.com/mitsuhiko/similar/blob/HEAD/CHANGELOG.md#300)
[Compare Source](https://redirect.github.com/mitsuhiko/similar/compare/2.7.0...3.0.0)
- Added a Git-style Histogram diff implementation exposed as
`Algorithm::Histogram`, including deadline-aware Myers fallback and
comprehensive regression/behavior tests.
- Raised MSRV to Rust 1.85 and moved the crate to Rust 2024 edition.
- Added a Hunt-style diff implementation exposed as `Algorithm::Hunt`.
- Added configurable inline refinement via `InlineChangeOptions` and
`InlineChangeMode`, including semantic cleanup and new
`TextDiff::iter_inline_changes_with_options*` methods.
[#92](https://redirect.github.com/mitsuhiko/similar/issues/92)
- Added a global disjoint-input fast path in `algorithms::diff_deadline`
to avoid pathological runtimes on large, fully distinct inputs.
- Improved `Algorithm::Myers` performance on heavily unbalanced diffs to
avoid pathological slowdowns.
- Added `diff_deadline_raw` entrypoints in the algorithm modules to bypass
shared heuristics and keep minimal intrinsic trait bounds where needed.
- Added test files in `examples/diffs` that can be used with some of the
examples as input pairs.
- Added `CachedLookup`, a helper for adapting virtual or computed sequences by
materializing items on first access and then serving borrowed values through
normal indexing. The `owned-lookup` example demonstrates this approach for
issue [#33](https://redirect.github.com/mitsuhiko/similar/issues/33).
- Fixed ranged indexing in the classic LCS table algorithm.
- Improved diff compaction to merge adjacent delete hunks across equal
runs.
- Excluded development scripts from published crate contents.
[#87](https://redirect.github.com/mitsuhiko/similar/issues/87)
- `TextDiff::from_*` and `TextDiffConfig::diff_*` now accept owned inputs
(`String`, `Vec<u8>`, `Cow`) in addition to borrowed inputs. This allows
returning text diffs from functions without external owner lifetimes.
[#65](https://redirect.github.com/mitsuhiko/similar/issues/65)
- `TextDiff` no longer exposes `old_slices` / `new_slices`. Use
`old_len`, `new_len`, `old_slice`, `new_slice`, `iter_old_slices`,
`iter_new_slices`, `old_lookup`, and `new_lookup` instead.
- `TextDiff::iter_changes` now panics on invalid out-of-bounds `DiffOp`
ranges instead of silently truncating iteration.
- `utils::diff_lines_inline` now takes `&TextDiff` and options rather than
`(Algorithm, old, new, options)`.
- `utils::diff_lines` now avoids a second line-tokenization pass.
- Renamed `get_diff_ratio` to `diff_ratio`.
- Added first-class `no_std + alloc` support with an explicit default `std`
feature.
- Added optional `hashbrown` backend for `no_std` map storage
(`default-features = false, features = ["hashbrown"]`), while the default
`no_std` backend uses `alloc::collections::BTreeMap`.
- Made core constructors const-ready (`Capture::new`, `Replace::new`,
`NoFinishHook::new`, `InlineChangeOptions::new`, `TextDiff::configure`).
</details>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Addresses the TODO about using a repeated union now that there's a
`FromIterator` implementation upstream.
Co-authored-by: Claude <noreply@anthropic.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/python | container | digest | `f475abd` → `c2ac411` |
---
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
This adds a regression test and fix for #18795. I ran the test and
confirmed reproduction before implementing the fix.
The underlying bug here happens only on Windows, and only when
exercising the PEP 514 Python installation registration pathway (which
the integration tests disable by default, since it involves global
mutable state that leaks between tests). The bug itself is just an
imprecision in how we compute the "tag" for the Python entry -- we
weren't including the variant (the `t` in `3.14t`), so two distinct
installs (`3.14` and `3.14t`) would end up with the same registry tag.
For an end user, this surfaces as Python installation entries missing
when running `uv python list`.
One thing to note about the test here is that it _does_ exercise the
Windows registry pathway, which means that it intentionally bypasses the
guardrail around global mutations in the integration tests. This is
"fine" in the sense that there are no other tests observing that state
at the moment, but I think it's a risk in terms of isolation (in the
sense that devs who run our integration tests will actually observe
global changes to their Python installations, plus any failure in the
test means we won't clean up our global changes). Two options there:
- I could try and harden/isolate the registry mutation pathways a bit
more, e.g. we could add `UV_DEV_WINDOWS_REGISTRY_COMPANY_KEY` or
something like that to do some more test-level isolation of HKCU writes.
This still modifies global state, but at least it'll be more namespaced.
- I could remove the integration test entirely, now that we've confirmed
that the fix itself works. This leaves us without coverage, but given
that the fix itself is ~2 lines that might be acceptable.
Fixes #18795.
## Test Plan
This PR includes a regression test.
---------
Signed-off-by: William Woodruff <william@astral.sh>
## Summary
As the title says
## Test Plan
N/A
## Summary
We now show a hint if there's an available version that's excluded and
would satisfy the range (and include that version in the hint).
Previously, we only showed this if _all_ versions were omitted.
For example:
```
× No solution found when resolving dependencies:
╰─▶ Because there are no versions of iniconfig and iniconfig==2.0.0 was published after the exclude newer time, we can conclude that all versions of iniconfig cannot be used.
And because your project depends on iniconfig, we can conclude that your project's requirements are unsatisfiable.
hint: `iniconfig` was filtered by `exclude-newer` to only include packages uploaded before 2006-12-02T02:07:43Z. The latest version satisfying the requirement is v2.0.0, published on 2023-01-07. Consider using `exclude-newer-package` to override the cutoff for this package.
```
Closes https://github.com/astral-sh/uv/issues/18220.
---------
Co-authored-by: Zanie Blue <contact@zanie.dev>
## Summary
Right now, if you use `uv tool install`, we install the tool itself as
non-editable, but if the tool is part of a workspace, then any workspace
dependencies are (accidentally) installed as editable. This PR modifies
the behavior such that those dependencies are installed as non-editable,
unless `--editable` is provided, in which case the tool itself and any
workspace dependencies respect `--editable`.
Similar logic applies to `--with` and `--with-editable`. If the target
is in a workspace, we propagate the no-editable and yes-editable flags
(respectively) to its members.
Closes https://github.com/astral-sh/uv/issues/16306
## Summary
Some preview flags are set early, meaning the preview state can change
early on in uv's lifecycle. This means that the global preview must
accommodate this scenario.
This PR implements that by having the normal preview state have two
initialisation stages.
`set` replaces `init` and allows unbounded new values of `preview` to be
applied to the state as long as it is not finalized.
Once `finalize` is called, the state becomes locked and further calls to
`set` result in an error.
## Test Plan
Existing test coverage.
Since we don't actually need this `LazyLock` to contain data, I think
using a `Once` is slightly more idiomatic. `LazyLock` contains a `Once`
internally, so the actual synchronization that's happening in practice
is the same either way. (I noticed this while looking at how we use
`LazyLock` across our repos.)
## Summary
If we fail to parse a `pyproject.toml` or `uv.toml` due to unsupported
settings, we now do a post-validation check to see if we're _not_
running a required version, so that the error message reflects that
mismatch.
Closes https://github.com/astral-sh/uv/issues/17609.