Skip to content

chore(deps): update dependency uv to v0.11.15 [security]#663

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/pypi-uv-vulnerability
May 30, 2026
Merged

chore(deps): update dependency uv to v0.11.15 [security]#663
renovate[bot] merged 1 commit into
mainfrom
renovate/pypi-uv-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 29, 2026

This PR contains the following updates:

Package Change Age Confidence
uv (source, changelog) 0.11.100.11.15 age confidence

uv is vulnerable to arbitrary file write through entry point names

GHSA-4gg8-gxpx-9rph

More information

Details

Impact

In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification (under console_scripts or gui_scripts), uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts directory.

A malicious wheel could use this to place an executable outside of the intended environment, including in a directory already present on the user's PATH. This could shadow or overwrite an existing executable and potentially result in unexpected code execution under the wheel's control, even if the wheel's installation environment was not explicitly added to PATH by the user.

In order to exploit this vulnerability, the attacker must induce their target into installing a malicious wheel.

Patches

uv 0.11.15 and newer address this vulnerability. Users are encouraged to upgrade to 0.11.15.

Workarounds

There is no workaround other than upgrading to uv 0.11.15.

Severity

Medium

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

astral-sh/uv (uv)

v0.11.15

Compare Source

Released on 2026-05-18.

Security
Enhancements
  • Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#​18741)
  • Add support for Azure request signing (#​19421)
  • Apply stricter validation to all wheel filename segments (#​19364)
  • Reject empty strings as an invalid package name (#​19435)
  • Use structured errors for signing authentication failures (#​19422)
Preview
Configuration
  • Respect required-environments in uv pip compile (#​19378)
Performance
  • Avoid parsing JSON manifest when local Python is available (#​19398)
  • Avoid walking nested directories in linker conflict registration (#​19382)
  • Optimize async wheel ZIP writing (#​19383)
  • Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#​19425)
Bug fixes
  • Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#​19423)
  • Skip empty directories in uv build outputs (#​19437)
  • Fix Git submodule handling when using relative paths (#​12156)
  • Fix line number reporting in netrc parsing (#​19452)
Documentation
  • Move Bazel auth helper setup into integration guide (#​19392)

v0.11.14

Compare Source

Released on 2026-05-12.

Enhancements
  • Add Astral mirror URL override (#​19206)
  • Ignore top_level.txt entries in uninstall that are not valid Python identifiers (#​19340)
Bug fixes
  • Avoid applying .env files in parent process (#​19343)
  • Filter ANSI codes in logging output (#​19311)
  • Fix uv tree showing extra-conditional deps for packages required without extras (#​19332)
  • Respect build options (e.g., --no-build) during lock validation (#​19366)

v0.11.13

Compare Source

Released on 2026-05-10.

Bug fixes
  • Include data files in editable builds (#​19312)
  • Respect --require-hashes when installing from pylock.toml files (#​19334)
Python
  • Add CPython 3.14.5

v0.11.12

Compare Source

Released on 2026-05-08.

Python
  • Add CPython 3.15.0b1
Enhancements
  • Add --no-editable support to uv pip install (#​19306)
  • Require git refs in URLs to be percent-encoded (#​19320)
Bug fixes
Documentation
  • Fix bug from inconsistent workflow name in GHA-PyPI guide example (#​19309)

v0.11.11

Compare Source

Released on 2026-05-06.

Bug fixes
  • Accept legacy ID format from pre-0.11.9 cache entries (#​19301)

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file labels May 29, 2026
@renovate renovate Bot requested a review from a team as a code owner May 29, 2026 22:01
@renovate renovate Bot added renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min) labels May 29, 2026
@renovate renovate Bot enabled auto-merge (squash) May 29, 2026 22:01
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 29, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot merged commit 90762a6 into main May 30, 2026
37 checks passed
@renovate renovate Bot deleted the renovate/pypi-uv-vulnerability branch May 30, 2026 00:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants