python/python-uv
SHA256
14
0
Fork 0
forked from pool/python-uv
Code Pull Requests Activity

Sync changes to SLFO-1.2 branch

Browse Source
This commit is contained in:
Adrian Schröter
2025-08-20 12:36:31 +02:00
parent 24e8f3a833
commit 791b706f9f
6 changed files with 1589 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1578
CVE-2025-54368.patch Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
python-uv-0.7.18.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
python-uv-0.8.9.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a3164652c0da2ad7781184f761ccb2153a17b1ef6f00e7a75d59fbd5a2a4dac2
size 4269678

233
python-uv.changes
View File

@@ -1,235 +1,8 @@
-------------------------------------------------------------------
Tue Aug 12 09:30:49 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
Mon Aug 11 09:19:24 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
- update to 0.8.9
* Enhancements
* Add --reinstall flag to uv python upgrade
* Bug fixes
* Include build settings in cache key for registry source distribution lookups
* Avoid creating bin links on uv python upgrade if they don't already exist
* Respect system proxies on macOS and Windows
* Documentation
* Add the 3.14 classifier
-------------------------------------------------------------------
Sat Aug 9 10:32:25 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.8.8
- long changelog at https://github.com/astral-sh/uv/blob/main/CHANGELOG.mode
- fixed CVE-2025-54368 - boo#1247829
-------------------------------------------------------------------
Wed Aug 6 12:36:01 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.8.5
* Enhancements
* Enable uv run with a GitHub Gist
* Improve HTTP response caching log messages
* Show wheel tag hints in install plan
* Support installing additional executables in uv tool install
* Preview features
* Enable extra build dependencies to 'match runtime' versions
* Remove duplicate extra-build-dependencies warnings for uv pip
* Use "option" instead of "setting" in pylock warning
* Respect extra build requires when reading from wheel cache
* Preserve lowered extra build dependencies
* Bug fixes
* Add Python versions to markers implied from wheels
* Ensure consistent indentation when adding dependencies
* Fix handling of python-preference = system when managed interpreters are on the PATH
* Fix symlink preservation in virtual environment creation
* Gracefully handle entrypoint permission errors
* Include wheel hashes from local Simple indexes
* Prefer system Python installations over managed ones when --system is used
* Remove retry wrapper when matching on error kind
* Revert h2 upgrade
* Documentation
* Improve visibility of copy and line separator in dark mode
-------------------------------------------------------------------
Thu Jul 31 15:49:55 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.8.4
* Enhancements
* Improve styling of warning cause chains
* Extend wheel filtering to Android tags
* Perform wheel lockfile filtering based on platform and OS intersection
* Clarify messaging when a new resolution needs to be performed
* Preview features
* Add support for extending package's build dependencies with extra-build-dependencies
* Split preview mode into separate feature flags
* Configuration
* Add support for package specific exclude-newer dates via exclude-newer-package
* Bug fixes
* Avoid invalidating lockfile when path or workspace dependencies define explicit indexes
* Copy entrypoints that have a shebang that differs in python vs python3
* Fix incorrect file permissions in wheel packages
* Update validation for environments and required-environments in uv.toml
* Documentation
* Show uv_build in projects documentation
* Add UV_ prefix to installer environment variables
* Un-hide uv from --build-backend options
* Update documentation for preview flags
-------------------------------------------------------------------
Sun Jul 27 20:33:23 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.8.3:
* Enhancements
* Allow non-standard entrypoint names in uv_build
* Publish riscv64 wheels to PyPI
* Bug fixes
* Avoid writing redacted credentials to tool receipt
* Respect --with versions over base environment versions
* Respect credentials from all defined indexes
* Fix missed stabilization of removal of registry entry during Python uninstall
* Improve concurrency safety of Python downloads into cache
* Documentation
* Fix typos in uv_build reference documentation
* Move the "Cargo" install method further down in docs
-------------------------------------------------------------------
Wed Jul 23 17:58:13 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.8.2
* Configuration
* Add UV_INIT_BUILD_BACKEND
* Rust API
* Expose tls_built_in_root_certs for client
* Enhancements
* Add derivation chains for dependency errors
* Add support for HF_TOKEN
* Allow --config-settings-package to apply configuration settings at the package level
* Create (e.g.) python3.13t executables in uv venv
* Disallow writing symlinks outside the source distribution target directory
* Elide traceback when python -m uv in interrupted with Ctrl-C on Windows
* Match --bounds formatting for uv_build bounds in uv init
* Support extras and dependency_groups markers in PEP 508 grammar
* Support extras and dependency_groups markers on uv pip install and uv pip sync
* Add hint to use uv self version when uv version cannot find a project
* Improve error reporting when removing Python versions from the Windows registry
* Make warnings about masked [tool.uv] fields more precise
* Preview features
* Emit JSON output in uv sync with --quiet
* Bug fixes
* Avoid reading files in the environment bin that are not entrypoints
* Avoid removing empty directories when constructing virtual environments
* Preserve index URL priority order when writing to pyproject.toml
* Allow removal of virtual environments with missing interpreters
* Apply Cache-Control overrides to response, not request headers
* Copy entry points into ephemeral environments to ensure layers are respected
* Workaround Jupyter Lab application directory discovery in ephemeral environments
* Enforce requires-python in pylock.toml
* Fix kebab casing of README variants in build backend
* Improve concurrency resilience of removing Python versions from the Windows registry
* Retry HTTP requests on invalid data errors
* Update virtual environment removal to delete pyvenv.cfg last
* Error on unknown fields in dependency-metadata
-------------------------------------------------------------------
Fri Jul 18 18:14:03 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.8.0
* Breaking changes
* Install Python executables into a directory on the PATH
* Prompt before removing an existing directory in uv venv
* Validate that discovered interpreters meet the Python preferences
* Install dependencies without build systems when they are path sources
* Install dependencies without build systems when they are workspace members
* Bump --python-platform linux to manylinux_2_28
* Remove uv version fallback
* Require --global for removal of the global Python pin
* Support conflicting editable settings across groups
* Make uv_build the default build backend in uv init
* Set default UV_TOOL_BIN_DIR on Docker images
* Update --check to return an exit code of 1
* Use an ephemeral environment for uv run --with invocations
* Restructure the uv venv command output and exit codes
* Default to --workspace when adding subdirectories
* Add missing validations for disallowed uv.toml fields
* Configuration
* Add support for toggling Python bin and registry install options via env vars
* Add UV_COMPILE_BYTECODE_TIMEOUT environment variable
* Allow users to override index cache-control headers
* Add UV_LIBC to override libc selection in multi-libc environment
* Bug fixes
* Fix --all-arches when paired with --only-downloads
* Skip Windows Python interpreters that return a broken MSIX package code
* Warn on invalid uv.toml when provided via direct path
* Improve async signal safety in Windows exception handler
* Documentation
* Mention the revision in the lockfile versioning doc
* Move "Conflicting dependencies" to the "Resolution" page
* Rename "Dependency specifiers" section to exclude PEP 508 reference
* Suggest uv cache clean prior to --reinstall
* Preview features
* Make preview Python registration on Windows non-fatal
* Update preview installation of Python executables to be non-fatal
* Add uv python update-shell
-------------------------------------------------------------------
Tue Jul 15 08:11:49 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.7.21
* Enhancements
* Add --python-platform to uv sync
* Support pre-releases in uv version --bump
* Add -w shorthand for --with
* Add an exception handler on Windows to display information on crash
* Add hint when Python downloads are disabled
* Add UV_HTTP_RETRIES to customize retry counts
* Follow leaf symlinks matched by globs in cache-key
* Support parent path components (..) in globs in cache-key
* Improve cache-key performance
* Preview features
* Add uv sync --output-format json
* Bug fixes
* Do not re-resolve with a new Python version in uv tool if it is incompatible with --python
* Documentation
* Document how to nest dependency groups with include-group
* Fix repeated word in Pyodide doc
* Update CONTRIBUTING.md with instructions to format Markdown files via Docker
* Fix version number for setup-python
-------------------------------------------------------------------
Sun Jul 13 13:50:02 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.7.20
* Enhancements
* Add --workspace flag to uv add
* Add auto-detection for Intel GPUs
* Drop trailing arguments when writing shebangs
* Add debug message when skipping Python downloads
* Add support for declaring multiple modules in namespace packages
* Bug fixes
* Revert normalization of trailing slashes on index URLs
* Fix forced resolution with all extras in uv version
* Fix handling of pre-releases in preferences
* Remove transparent variants in uv-extract to enable retries
* Rust API
* Add method to get packages involved in a NoSolutionError
* Make ErrorTree for NoSolutionError public
* Documentation
* Finish incomplete sentence in pip migration guide
* Remove cache-dependency-glob examples for setup-uv
* Remove uv pip sync suggestion with pyproject.toml
* Update documentation for GitHub to use setup-uv@v6
-------------------------------------------------------------------
Sat Jul 5 00:05:00 UTC 2025 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 0.7.19
* The uv build backend is now stable, and considered ready for production use.
* Enhancements
* Ignore Python patch version for --universal pip compile
* Update the tilde version specifier warning to include more context
* Clarify behavior and hint on tool install when no executables are available
* Bug fixes
* Make project and interpreter lock acquisition non-fatal
* Includes sys.prefix in cached environment keys to avoid --with collisions across projects
* Documentation
* Add a migration guide from pip to uv projects
- Add CVE-2025-54368.patch to fix CVE-2025-54368 (bsc#1247829)
- bump vendored dependency slab to 0.4.11 to fix CVE-2025-55159 (bsc#1248005)
-------------------------------------------------------------------
Wed Jul 2 10:33:55 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>

4
python-uv.spec
View File

@@ -33,13 +33,15 @@
%bcond_without libalternatives
%{?sle15_python_module_pythons}
Name: python-uv
Version: 0.8.9
Version: 0.7.18
Release: 0
Summary: A Python package installer and resolver, written in Rust
License: Apache-2.0 OR MIT
URL: https://github.com/astral-sh/uv
Source0: https://github.com/astral-sh/uv/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: vendor.tar.zst
# PATCH-FIX-UPSTREAM CVE-2025-54368.patch bsc#1247829
Patch0: CVE-2025-54368.patch
BuildRequires: %{python_module maturin}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module tomli}

BIN
vendor.tar.zst (Stored with Git LFS)
View File

Binary file not shown.