chore(deps): bump uv from 0.9.21 to 0.11.15 #210
❌ Version Check Failed: Please increment...
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
Bumps [uv](https://github.com/astral-sh/uv) from 0.9.21 to 0.11.15.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.9.21...0.11.15)

---
updated-dependencies:
- dependency-name: uv
  dependency-version: 0.11.15
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
1057816 to 346a685
Bundles the nine open Dependabot PRs against the main app into a single uv.lock regeneration. Where Dependabot's target trailed the latest published release, we went to the current latest and re-verified through sfw:

- urllib3 2.6.3 -> 2.7.0 (closes #200)
- gitpython 3.1.46 -> 3.1.50 (closes #198)
- python-dotenv 1.2.1 -> 1.2.2 (closes #190)
- pytest 9.0.2 -> 9.0.3 (closes #188)
- uv 0.9.21 -> 0.11.17 (closes #210; Dependabot targeted 0.11.15)
- cryptography 46.0.5 -> 46.0.7 (closes #181)
- pygments 2.19.2 -> 2.20.0 (closes #177)
- requests 2.32.5 -> 2.33.0 (closes #175)
- idna 3.11 -> 3.15 (closes #205, CVE-2026-45409)

idna 3.14 fixed CVE-2026-45409 -- a quadratic-time DoS via oversized inputs that bypassed the earlier CVE-2024-3651 mitigation. The rest are hygiene.

All nine final versions verified clean through Socket Firewall (sfw) on the full transitive tree.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps uv from 0.9.21 to 0.11.15.
Release notes
Sourced from uv's releases.
... (truncated)
Changelog
Sourced from uv's changelog.
... (truncated)
Commits
- 3cffe97 Fix crates.io publish script lockfile (#19473)
- de16a7b Bump version to 0.11.15 (#19472)
- cf826cc Disable `test_simultaneous_create_set_then_move` on Linux (#19469)
- 2d566bc Allow retry of `custom-publish-crates` separately from `announce` (#19470)
- 0588b8f Run release builds on maturin version bumps in CI (#19466)
- 9a65753 Enforce that entry points cannot escape in the scripts directory (#19464)
- d77d849 Revert "Update maturin to v1.13.2 (#19445)" (#19465)
- 5373e96 Update Rust crate rustls to v0.23.40 (#19250)
- fb8d3d4 Update Rust crate rustls-pki-types to v1.14.1 (#19251)
- 078480d Configure maturin and uv so `uv run` can be used to work on uv itself (#19461)