Bump version to v0.8.6 (#15137)

This commit is contained in:
Charlie Marsh 2025-08-07 16:17:14 +01:00 committed by GitHub
parent abc68fc7c1
commit 329a6b446a
15 changed files with 65 additions and 30 deletions


@ -2,6 +2,41 @@
<!-- prettier-ignore-start -->
## 0.8.6
This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser (CVE-2025-54368).
Prior to this release, attackers could construct ZIP files that would be extracted differently by pip, uv, and other tools. As a result, ZIPs could be constructed that would be considered harmless by (e.g.) scanners, but contain a malicious payload when extracted by uv. As of v0.8.6, uv now applies additional checks to reject such ZIPs.
Thanks to a triage effort with the [Python Security Response Team](https://devguide.python.org/developer-workflow/psrt/) and PyPI maintainers, we were able to determine that these differentials **were not exploited** via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload.
Although the practical risk of exploitation is low, we take the _hypothetical_ risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion.
These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable `UV_INSECURE_NO_ZIP_VALIDATION` to restore the previous behavior. If you encounter such a rejection, please file an issue in uv and to the upstream package.
### Security
- Harden ZIP streaming to reject repeated entries and other malformed ZIP files ([#15136](https://github.com/astral-sh/uv/pull/15136))
### Enhancements
- Sync latest Python releases ([#15135](https://github.com/astral-sh/uv/pull/15135))
### Configuration
- Add support for per-project build-time environment variables ([#15095](https://github.com/astral-sh/uv/pull/15095))
### Bug fixes
- Avoid invalid simplification with conflict markers ([#15041](https://github.com/astral-sh/uv/pull/15041))
- Respect `UV_HTTP_RETRIES` in `uv publish` ([#15106](https://github.com/astral-sh/uv/pull/15106))
- Support `UV_NO_EDITABLE` where `--no-editable` is supported ([#15107](https://github.com/astral-sh/uv/pull/15107))
- Upgrade `cargo-dist` to add `UV_INSTALLER_URL` to PowerShell installer ([#15114](https://github.com/astral-sh/uv/pull/15114))
- Upgrade `h2` again to avoid `too_many_internal_resets` errors ([#15111](https://github.com/astral-sh/uv/pull/15111))
### Documentation
- Ensure symlink warning is shown ([#15126](https://github.com/astral-sh/uv/pull/15126))
## 0.8.5

Cargo.lock generated

@ -4655,7 +4655,7 @@ dependencies = [
[[package]]
name = "uv"
version = "0.8.5"
version = "0.8.6"
dependencies = [
"anstream",
"anyhow",
@ -4824,7 +4824,7 @@ dependencies = [
[[package]]
name = "uv-build"
version = "0.8.5"
version = "0.8.6"
dependencies = [
"anyhow",
"uv-build-backend",
@ -6047,7 +6047,7 @@ dependencies = [
[[package]]
name = "uv-version"
version = "0.8.5"
version = "0.8.6"
[[package]]
name = "uv-virtualenv"


@ -1,6 +1,6 @@
[package]
name = "uv-build"
version = "0.8.5"
version = "0.8.6"
edition = { workspace = true }
rust-version = { workspace = true }
homepage = { workspace = true }


@ -1,6 +1,6 @@
[project]
name = "uv-build"
version = "0.8.5"
version = "0.8.6"
description = "The uv build backend"
authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }]
requires-python = ">=3.8"


@ -1,6 +1,6 @@
[package]
name = "uv-version"
version = "0.8.5"
version = "0.8.6"
edition = { workspace = true }
rust-version = { workspace = true }
homepage = { workspace = true }


@ -1,6 +1,6 @@
[package]
name = "uv"
version = "0.8.5"
version = "0.8.6"
edition = { workspace = true }
rust-version = { workspace = true }
homepage = { workspace = true }


@ -31,7 +31,7 @@ To use uv as a build backend in an existing project, add `uv_build` to the
```toml title="pyproject.toml"
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```


@ -111,7 +111,7 @@ dependencies = []
example-pkg = "example_pkg:main"
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```
@ -134,7 +134,7 @@ dependencies = []
example-pkg = "example_pkg:main"
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```
@ -195,7 +195,7 @@ requires-python = ">=3.11"
dependencies = []
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```


@ -75,7 +75,7 @@ bird-feeder = { workspace = true }
members = ["packages/*"]
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```
@ -106,7 +106,7 @@ tqdm = { git = "https://github.com/tqdm/tqdm" }
members = ["packages/*"]
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```
@ -188,7 +188,7 @@ dependencies = ["bird-feeder", "tqdm>=4,<5"]
bird-feeder = { path = "packages/bird-feeder" }
[build-system]
requires = ["uv_build>=0.8.5,<0.9.0"]
requires = ["uv_build>=0.8.6,<0.9.0"]
build-backend = "uv_build"
```


@ -25,7 +25,7 @@ uv provides a standalone installer to download and install uv:
Request a specific version by including it in the URL:
```console
$ curl -LsSf https://astral.sh/uv/0.8.5/install.sh | sh
$ curl -LsSf https://astral.sh/uv/0.8.6/install.sh | sh
```
=== "Windows"
@ -41,7 +41,7 @@ uv provides a standalone installer to download and install uv:
Request a specific version by including it in the URL:
```pwsh-session
PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.5/install.ps1 | iex"
PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.6/install.ps1 | iex"
```
!!! tip


@ -92,7 +92,7 @@ the second stage, we'll copy this directory over to the final image, omitting th
other unnecessary files.
```dockerfile title="Dockerfile"
FROM ghcr.io/astral-sh/uv:0.8.5 AS uv
FROM ghcr.io/astral-sh/uv:0.8.6 AS uv
# First, bundle the dependencies into the task root.
FROM public.ecr.aws/lambda/python:3.13 AS builder
@ -334,7 +334,7 @@ And confirm that opening http://127.0.0.1:8000/ in a web browser displays, "Hell
Finally, we'll update the Dockerfile to include the local library in the deployment package:
```dockerfile title="Dockerfile"
FROM ghcr.io/astral-sh/uv:0.8.5 AS uv
FROM ghcr.io/astral-sh/uv:0.8.6 AS uv
# First, bundle the dependencies into the task root.
FROM public.ecr.aws/lambda/python:3.13 AS builder


@ -31,7 +31,7 @@ $ docker run --rm -it ghcr.io/astral-sh/uv:debian uv --help
The following distroless images are available:
- `ghcr.io/astral-sh/uv:latest`
- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.5`
- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.6`
- `ghcr.io/astral-sh/uv:{major}.{minor}`, e.g., `ghcr.io/astral-sh/uv:0.8` (the latest patch
version)
@ -75,7 +75,7 @@ And the following derived images are available:
As with the distroless image, each derived image is published with uv version tags as
`ghcr.io/astral-sh/uv:{major}.{minor}.{patch}-{base}` and
`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.5-alpine`.
`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.6-alpine`.
In addition, starting with `0.8` each derived image also sets `UV_TOOL_BIN_DIR` to `/usr/local/bin`
to allow `uv tool install` to work as expected with the default user.
@ -116,7 +116,7 @@ Note this requires `curl` to be available.
In either case, it is best practice to pin to a specific uv version, e.g., with:
```dockerfile
COPY --from=ghcr.io/astral-sh/uv:0.8.5 /uv /uvx /bin/
COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/
```
!!! tip
@ -134,7 +134,7 @@ COPY --from=ghcr.io/astral-sh/uv:0.8.5 /uv /uvx /bin/
Or, with the installer:
```dockerfile
ADD https://astral.sh/uv/0.8.5/install.sh /uv-installer.sh
ADD https://astral.sh/uv/0.8.6/install.sh /uv-installer.sh
```
### Installing a project
@ -560,5 +560,5 @@ Verified OK
!!! tip
These examples use `latest`, but best practice is to verify the attestation for a specific
version tag, e.g., `ghcr.io/astral-sh/uv:0.8.5`, or (even better) the specific image digest,
version tag, e.g., `ghcr.io/astral-sh/uv:0.8.6`, or (even better) the specific image digest,
such as `ghcr.io/astral-sh/uv:0.5.27@sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f`.


@ -47,7 +47,7 @@ jobs:
uses: astral-sh/setup-uv@v6
with:
# Install a specific version of uv.
version: "0.8.5"
version: "0.8.6"
```
## Setting up Python


@ -19,7 +19,7 @@ To make sure your `uv.lock` file is up to date even if your `pyproject.toml` fil
repos:
- repo: https://github.com/astral-sh/uv-pre-commit
# uv version.
rev: 0.8.5
rev: 0.8.6
hooks:
- id: uv-lock
```
@ -30,7 +30,7 @@ To keep a `requirements.txt` file in sync with your `uv.lock` file:
repos:
- repo: https://github.com/astral-sh/uv-pre-commit
# uv version.
rev: 0.8.5
rev: 0.8.6
hooks:
- id: uv-export
```
@ -41,7 +41,7 @@ To compile requirements files:
repos:
- repo: https://github.com/astral-sh/uv-pre-commit
# uv version.
rev: 0.8.5
rev: 0.8.6
hooks:
# Compile requirements
- id: pip-compile
@ -54,7 +54,7 @@ To compile alternative requirements files, modify `args` and `files`:
repos:
- repo: https://github.com/astral-sh/uv-pre-commit
# uv version.
rev: 0.8.5
rev: 0.8.6
hooks:
# Compile requirements
- id: pip-compile
@ -68,7 +68,7 @@ To run the hook over multiple files at the same time, add additional entries:
repos:
- repo: https://github.com/astral-sh/uv-pre-commit
# uv version.
rev: 0.8.5
rev: 0.8.6
hooks:
# Compile requirements
- id: pip-compile


@ -4,7 +4,7 @@ build-backend = "maturin"
[project]
name = "uv"
version = "0.8.5"
version = "0.8.6"
description = "An extremely fast Python package and project manager, written in Rust."
authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }]
requires-python = ">=3.8"