Skip to content

Bump uv from 0.11.2 to 0.11.6#226

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/uv-0.11.6
Open

Bump uv from 0.11.2 to 0.11.6#226
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/uv-0.11.6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 10, 2026
edited
Loading

Bumps uv from 0.11.2 to 0.11.6.

Release notes

Sourced from uv's releases.

0.11.6

Release Notes

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes

  • Do not remove files outside the venv on uninstall (#18942)
  • Validate and heal wheel RECORD during installation (#18943)
  • Avoid uv cache clean errors due to Win32 path normalization (#18856)

Install uv 0.11.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.6/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.6/uv-installer.ps1 | iex"

Download uv 0.11.6

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
uv-aarch64-unknown-linux-gnu.tar.gz ARM64 Linux checksum
uv-i686-unknown-linux-gnu.tar.gz x86 Linux checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz PPC64LE Linux checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz RISCV Linux checksum
uv-s390x-unknown-linux-gnu.tar.gz S390x Linux checksum
uv-x86_64-unknown-linux-gnu.tar.gz x64 Linux checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz ARMv7 Linux checksum
uv-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
uv-i686-unknown-linux-musl.tar.gz x86 MUSL Linux checksum
uv-riscv64gc-unknown-linux-musl.tar.gz RISCV MUSL Linux checksum
uv-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum
uv-arm-unknown-linux-musleabihf.tar.gz ARMv6 MUSL Linux (Hardfloat) checksum
uv-armv7-unknown-linux-musleabihf.tar.gz ARMv7 MUSL Linux checksum

... (truncated)

Changelog

Sourced from uv's changelog.

0.11.6

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes

  • Do not remove files outside the venv on uninstall (#18942)
  • Validate and heal wheel RECORD during installation (#18943)
  • Avoid uv cache clean errors due to Win32 path normalization (#18856)

0.11.5

Released on 2026-04-08.

Python

  • Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#18908)

Enhancements

  • Fix build_system.requires error message (#18911)
  • Remove trailing path separators in path normalization (#18915)
  • Improve error messages for unsupported or invalid TLS certificates (#18924)

Preview features

  • Add exclude-newer to [[tool.uv.index]] (#18839)
  • uv audit: add context/warnings for ignored vulnerabilities (#18905)

Bug fixes

  • Normalize persisted fork markers before lock equality checks (#18612)
  • Clear junction properly when uninstalling Python versions on Windows (#18815)
  • Report error cleanly instead of panicking on TLS certificate error (#18904)

Documentation

  • Remove the legacy PIP_COMPATIBILITY.md redirect file (#18928)
  • Fix uv init example-bare --bare examples (#18822, #18925)

0.11.4

Released on 2026-04-07.

Enhancements

  • Add support for --upgrade-group (#18266)
  • Merge repeated archive URL hashes by version ID (#18841)

... (truncated)

Commits

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 10, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 10, 2026 19:42
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 10, 2026
edited
Loading

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2678c42.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

uv.lock

PackageVersionLicenseIssue Type
uv0.11.6NullUnknown License
Denied Licenses: GPL-3.0-only, AGPL-3.0-only

OpenSSF Scorecard

PackageVersionScoreDetails
pip/uv 0.11.6 UnknownUnknown

Scanned Files

  • uv.lock

biswapm added a commit that referenced this pull request Apr 12, 2026
@biswapm
Refactor token acquisition to TokenAcquirer strategy pattern
31a6685 
Replace separate _attach_dev_tokens() / _attach_per_audience_tokens(auth, handler, ctx)
with a unified _attach_per_audience_tokens(servers, acquire: TokenAcquirer) that accepts
a pluggable async callable — aligning with Node.js PR #226.

- Add TokenAcquirer type alias: Callable[[MCPServerConfig, str], Awaitable[Optional[str]]]
- Add _create_dev_token_acquirer(): reads BEARER_TOKEN_<MCP_SERVER_NAME_UPPER> (now using
  mcp_server_name, not mcp_server_unique_name, to match Node.js) with BEARER_TOKEN fallback
- Add _create_obo_token_acquirer(): performs OBO exchange per unique audience scope
- Remove _attach_dev_tokens() entirely
- list_tool_servers(): dev branch uses dev acquirer; prod branch uses OBO acquirer when
  auth context present; both paths go through the unified _attach_per_audience_tokens()
- Update TestAttachPerAudienceTokens tests to use _create_obo_token_acquirer() helper
@gwharris7 gwharris7 enabled auto-merge (squash) April 13, 2026 18:52
@dependabot
Bump uv from 0.11.2 to 0.11.6
2678c42 
Bumps [uv](https://github.com/astral-sh/uv) from 0.11.2 to 0.11.6.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.11.2...0.11.6)

---
updated-dependencies:
- dependency-name: uv
  dependency-version: 0.11.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/uv/uv-0.11.6 branch from 31594a6 to 2678c42 Compare April 13, 2026 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gwharris7 gwharris7 gwharris7 approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gwharris7