chore(deps): Update dependency uv to v0.11.25 #67

Merged: williaby merged 1 commit into main from renovate/uv-0.x on Jul 1, 2026
@williaby williaby commented Jul 1, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package | Change | Age | Confidence
uv (source, changelog) | 0.11.24 → 0.11.25 | age | confidence

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes

⚠️ New Package Warning: Verify this is not a typosquatting attempt.

Check: Package age, maintainer history, download counts, and GitHub/PyPI reputation.


Release Notes

astral-sh/uv (uv)

v0.11.25

Compare Source

Released on 2026-06-26.

Security

This release updates our tar library, astral-tokio-tar, to v0.6.3, which includes over 20 changes that harden our tar handling against parser differentials. uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the upstream commits for a full list of changes.

Enhancements

  • Add a full "lockfile" to tool receipts (#18937)
  • Allow scoped overrides to add dependencies (#19974)
  • Avoid writing redundant lockfile markers with tool.uv.environments (#19933)
  • Factor supported environments out of lockfile markers (#19969)
  • Recommend our own build backend in the build frontend (#19994)
  • Reject wheels with multiple .dist-info directories (#19986)
  • Simplify dependency markers under parent reachability (#19971)
  • Support scoped dependency exclusions (#19977)
  • Support scoped dependency overrides (#19970)
  • Explain why files are skipped in registry index parsing (#19983)

Preview features

  • Add uv workspace list --scripts (#20009)
  • Support centralised environments in uv venv (#19912)
  • Use locked ty versions in uv check (#19884)
  • Add centralized storage of project environments (#18214)
  • Verify lockfile hashes before reusing a cached ty in uv check (#19995)
  • Use locked dependency selection for uv check --script (#19989)

Bug fixes

  • Preserve standalone markers in workspace metadata (#20011)
  • Reject uv build if the cache dir is enclosed (#19991)

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
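
The release notes above list "Reject wheels with multiple .dist-info directories" (#19986). The following is an added example, not code from uv or from this repository: a stand-alone pre-install check that applies the same rule to a wheel archive, so two tools cannot disagree about which metadata directory is authoritative. The function names and the sample wheels are constructed for illustration.

```python
import io
import zipfile


def dist_info_dirs(wheel_bytes: bytes) -> list:
    """Return the distinct top-level *.dist-info directories in a wheel."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            # Only the first path component identifies the metadata directory.
            top, sep, _rest = name.replace("\\", "/").partition("/")
            if sep and top.endswith(".dist-info"):
                found.add(top)
    return sorted(found)


def check_wheel(wheel_bytes: bytes) -> str:
    """Return the single .dist-info directory, or raise if it is ambiguous."""
    dirs = dist_info_dirs(wheel_bytes)
    if len(dirs) != 1:
        raise ValueError(
            f"expected exactly one .dist-info directory, found {len(dirs)}: {dirs}"
        )
    return dirs[0]


def build_wheel(files: dict) -> bytes:
    """Build an in-memory zip archive from {path: text} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed sample wheels, not real packages.
BASE = {
    "demo/__init__.py": "",
    "demo-1.0.dist-info/METADATA": "Name: demo\nVersion: 1.0\n",
    "demo-1.0.dist-info/RECORD": "",
}
GOOD = build_wheel(BASE)
AMBIGUOUS = build_wheel(
    {**BASE, "other-9.9.dist-info/METADATA": "Name: other\nVersion: 9.9\n"}
)

if __name__ == "__main__":
    print("accepted:", check_wheel(GOOD))
    try:
        check_wheel(AMBIGUOUS)
    except ValueError as exc:
        print("rejected:", exc)
```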

Copilot AI review requested due to automatic review settings July 1, 2026 02:17
@williaby added the automated and dependencies (Pull requests that update a dependency file) labels Jul 1, 2026
coderabbitai Bot commented Jul 1, 2026

Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 75c5a7a2-1dd9-4fd5-9849-3ab4ca9acc0c

📥 Commits

Reviewing files that changed from the base of the PR and between 57798c8 and 3c998c3.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
sonarqubecloud Bot commented Jul 1, 2026

Copilot AI left a comment

Pull request overview

This PR performs a routine dependency bump in the CI workflow by updating the pinned uv version used during GitHub Actions runs, keeping the workflow reproducible while picking up the latest patch-level fixes.

Changes:

  • Update the CI job’s pip install pin for uv from 0.11.24 to 0.11.25.

@williaby williaby added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit 8f271ed Jul 1, 2026
28 checks passed
@williaby williaby deleted the renovate/uv-0.x branch July 1, 2026 10:43