chore(deps): update dependency astral-sh/uv to v0.9.12

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
astral-sh/uv	uses-with	patch	0.9.1 -> 0.9.12

---

Release Notes

astral-sh/uv (astral-sh/uv)

v0.9.12

Compare Source

Released on 2025-11-24.

Enhancements

• Allow --with-requirements to load extensionless inline-metadata scripts (#​16744)
• Collect and upload PEP 740 attestations during uv publish (#​16731)
• Prevent uv export from overwriting pyproject.toml (#​16745)

Documentation

• Add a crates.io README for uv (#​16809)
• Add documentation for intermediate Docker layers in a workspace (#​16787)
• Enumerate workspace members in the uv crate README (#​16811)
• Fix documentation links for crates (#​16801)
• Generate a crates.io README for uv workspace members (#​16812)
• Move the "Export" guide to the projects concept section (#​16835)
• Update the cargo install recommendation to use crates (#​16800)
• Use the word "internal" in crate descriptions (#​16810)

v0.9.11

Compare Source

Released on 2025-11-20.

Python

• Add CPython 3.15.0a2

See the python-build-standalone release notes for details.

Enhancements

• Add SBOM support to uv export (#​16523)
• Publish to crates.io (#​16770)

Preview features

• Add uv workspace list --paths (#​16776)
• Fix the preview warning on uv workspace dir (#​16775)

Bug fixes

• Fix uv init author serialization via toml_edit inline tables (#​16778)
• Fix status messages without TTY (#​16785)
• Preserve end-of-line comment whitespace when editing pyproject.toml (#​16734)
• Disable always-authenticate when running under Dependabot (#​16773)

Documentation

• Document the new behavior for free-threaded python versions (#​16781)
• Improve note about build system in publish guide (#​16788)
• Move do not upload publish note out of the guide into concepts (#​16789)

v0.9.10

Compare Source

Released on 2025-11-17.

Enhancements

• Add support for SSL_CERT_DIR (#​16473)
• Enforce UTF‑8-encoded license files during uv build (#​16699)
• Error when a project.license-files glob matches nothing (#​16697)
• pip install --target (and sync) install Python if necessary (#​16694)
• Account for python_downloads_json_url in pre-release Python version warnings (#​16737)
• Support HTTP/HTTPS URLs in uv python --python-downloads-json-url (#​16542)

Preview features

• Add support for --upgrade in uv python install (#​16676)
• Fix handling of python install --default for pre-release Python versions (#​16706)
• Add uv workspace list to list workspace members (#​16691)

Bug fixes

• Don't check file URLs for ambiguously parsed credentials (#​16759)

Documentation

• Add a "storage" reference document (#​15954)

v0.9.9

Compare Source

Released on 2025-11-12.

Deprecations

• Deprecate use of --project in uv init (#​16674)

Enhancements

• Add iOS support to Python interpreter discovery (#​16686)
• Reject ambiguously parsed URLs (#​16622)
• Allow explicit values in uv version --bump (#​16555)
• Warn on use of managed pre-release Python versions when a stable version is available (#​16619)
• Allow signing trampolines on Windows by using .rcdata to store metadata (#​15068)
• Add --only-emit-workspace and similar variants to uv export (#​16681)

Preview features

• Add uv workspace dir command (#​16678)
• Add uv workspace metadata command (#​16516)

Configuration

• Add UV_NO_DEFAULT_GROUPS environment variable (#​16645)

Bug fixes

• Remove torch-model-archiver and torch-tb-profiler from PyTorch backend (#​16655)
• Fix Pixi environment detection (#​16585)

Documentation

• Fix CMD path in FastAPI Dockerfile (#​16701)

v0.9.8

Compare Source

Released on 2025-11-07.

Enhancements

• Accept multiple packages in uv export (#​16603)
• Accept multiple packages in uv sync (#​16543)
• Add a uv cache size command (#​16032)
• Add prerelease guidance for build-system resolution failures (#​16550)
• Allow Python requests to include +gil to require a GIL-enabled interpreter (#​16537)
• Avoid pluralizing 'retry' for single value (#​16535)
• Enable first-class dependency exclusions (#​16528)
• Fix inclusive constraints on available package versions in resolver errors (#​16629)
• Improve uv init error for invalid directory names (#​16554)
• Show help on uv build -h (#​16632)
• Include the Python variant suffix in "Using Python ..." messages (#​16536)
• Log most recently modified file for cache-keys (#​16338)
• Update Docker builds to use nightly Rust toolchain with musl v1.2.5 (#​16584)

Configuration

• Expose UV_NO_GROUP as an environment variable (#​16529)
• Add UV_NO_SOURCES as an environment variable (#​15883)

Bug fixes

• Allow --check and --locked to be used together in uv lock (#​16538)
• Allow for unnormalized names in the METADATA file (#​16547) (#​16548)
• Fix missing value_type for default-groups in schema (#​16575)
• Respect multi-GPU outputs in nvidia-smi (#​15460)
• Fix DNS lookup errors in Docker containers (#​8450)

Documentation

• Fix typo in uv tool list doc (#​16625)
• Note uv pip list name normalization in docs (#​13210)

Other changes

• Update Rust toolchain to 1.91 and MSRV to 1.89 (#​16531)

v0.9.7

Compare Source

Released on 2025-10-30.

Enhancements

• Add Windows x86-32 emulation support to interpreter architecture checks (#​13475)
• Improve readability of progress bars (#​16509)
• Add GitHub attestations for uv release artifacts (#​11357)

Bug fixes

• Drop terminal coloring from uv auth token output (#​16504)
• Don't use UV_LOCKED to enable --check flag (#​16521)

v0.9.6

Compare Source

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security

• Address ZIP parsing differentials (GHSA-pqhf-p39g-3x64)

Python

• Upgrade GraalPy to 25.0.1 (#​16401)

Enhancements

• Add --clear to uv build to remove old build artifacts (#​16371)
• Add --no-create-gitignore to uv build (#​16369)
• Do not error when a virtual environment directory cannot be removed due to a busy error (#​16394)
• Improve hint on pip install --system when externally managed (#​16392)
• Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#​16322)
• Update uv init template for Maturin (#​16449)
• Improve ordering of Python sources in logs (#​16463)
• Restore DockerHub release images and annotations (#​16441)

Bug fixes

• Check for matching Python implementation during uv python upgrade (#​16420)
• Deterministically order --find-links distributions (#​16446)
• Don't panic in uv export --frozen when the lockfile is outdated (#​16407)
• Fix root of uv tree when --package is used with circular dependencies (#​15908)
• Show package list with pip freeze --quiet (#​16491)
• Limit uv auth login pyx.dev retries to 60s (#​16498)
• Add an empty group with uv add --group ... -r ... (#​16490)

Documentation

• Update docs for maturin build backend init template (#​16469)
• Update docs to reflect previous changes to signal forwarding semantics (#​16430)
• Add instructions for installing via MacPorts (#​16039)

v0.9.5

Compare Source

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: GHSA-w476-p2h3-79g9

Security

• Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#​16387)

Enhancements

• Add required environment marker example to hint (#​16244)
• Fix typo in MissingTopLevel warning (#​16351)
• Improve 403 Forbidden error message to indicate package may not exist (#​16353)
• Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#​16318)

Bug fixes

• Fix backtick escaping for PowerShell (#​16307)

Documentation

• Document metadata consistency expectation (#​15683)
• Remove outdated aarch64 musl note (#​16385)

v0.9.4

Compare Source

Released on 2025-10-17.

Enhancements

• Add CUDA 13.0 support (#​16321)
• Add auto-detection for Intel GPU on Windows (#​16280)
• Implement display of RFC 9457 HTTP error contexts (#​16199)

Bug fixes

• Avoid obfuscating pyx tokens in uv auth token output (#​16345)

v0.9.3

Compare Source

Released on 2025-10-14.

Python

• Add CPython 3.15.0a1
• Add CPython 3.13.9

Enhancements

• Obfuscate secret token values in logs (#​16164)

Bug fixes

• Fix workspace with relative pathing (#​16296)

v0.9.2

Compare Source

Released on 2025-10-10.

Python

• Add CPython 3.9.24.
• Add CPython 3.10.19.
• Add CPython 3.11.14.
• Add CPython 3.12.12.

Enhancements

• Avoid inferring check URLs for pyx in uv publish (#​16234)
• Add uv tool list --show-python (#​15814)

Documentation

• Add missing "added in" to new environment variables in reference (#​16217)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.