chore(deps-dev): bump uv from 0.7.22 to 0.11.6#2825
dependabot[bot] wants to merge 1 commit into main from
Bumps [uv](https://github.com/astral-sh/uv) from 0.7.22 to 0.11.6.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.7.22...0.11.6)

---
updated-dependencies:
- dependency-name: uv
  dependency-version: 0.11.6
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — straightforward dev dependency bump with a security fix.
Extended reasoning...
Overview
This PR updates the uv dev dependency in pyproject.toml from 0.7.22 to 0.11.6 and regenerates uv.lock with the corresponding new hashes and wheel entries. Only two files are touched, and the changes are purely mechanical: a version string update and the corresponding lock file regeneration.
Security risks
No new security risks are introduced. In fact, this update resolves a low-severity upstream advisory (GHSA-pjjw-68hj-v9mw) where wheels with malformed RECORD entries could delete arbitrary files on uninstall. Upgrading is the right call.
Level of scrutiny
uv is a dev-only tool (used for package management in the cookbook environment), not a runtime dependency shipped to users. The change is mechanically generated by Dependabot and follows an established pattern. Risk is minimal.
Other factors
No bugs were found by the bug hunting system. The timeline is clean with no outstanding reviewer comments. This is a textbook auto-mergeable Dependabot bump.
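The advisory the review above cites concerns RECORD entries whose paths escape the environment on uninstall. As an added illustration (not uv's code and not part of this PR), here is a trusting uninstaller next to a path-confining one; `SAMPLE_RECORD`, the site-packages path and both functions are constructed for this example.

```python
import csv
import io
from pathlib import Path

# Constructed RECORD excerpt (not from any real wheel): a normal entry followed
# by two malformed ones, a traversal path and an absolute path.
SAMPLE_RECORD = """\
pkg/__init__.py,sha256=AAAA,12
pkg/../../../../etc/passwd,sha256=BBBB,34
/usr/lib/python3/site-packages/other.py,sha256=CCCC,56
"""


def _record_paths(record_text: str) -> list[str]:
    """First column of each RECORD row (RECORD is CSV: path,hash,size)."""
    return [row[0] for row in csv.reader(io.StringIO(record_text)) if row]


def naive_uninstall_targets(record_text: str, site_packages: str) -> list[Path]:
    """Trusting joiner: every RECORD path is resolved relative to site-packages.
    A traversal entry escapes the root and an absolute entry replaces it outright."""
    root = Path(site_packages)
    return [(root / p).resolve() for p in _record_paths(record_text)]


def safe_record_paths(record_text: str, site_packages: str) -> tuple[list[Path], list[str]]:
    """Hardened form: keep only entries that resolve strictly inside site-packages
    and return the raw strings of everything rejected, so an installer can refuse
    or heal the RECORD instead of deleting outside the environment."""
    root = Path(site_packages).resolve()
    accepted: list[Path] = []
    rejected: list[str] = []
    for raw in _record_paths(record_text):
        candidate = Path(raw)
        if candidate.is_absolute():          # absolute paths never belong in RECORD
            rejected.append(raw)
            continue
        resolved = (root / candidate).resolve()
        if resolved == root or root not in resolved.parents:   # ".." escaped the root
            rejected.append(raw)
            continue
        accepted.append(resolved)
    return accepted, rejected


if __name__ == "__main__":
    site = "/opt/example-venv/lib/python3.12/site-packages"  # constructed path
    print("naive:", naive_uninstall_targets(SAMPLE_RECORD, site))
    print("safe:", safe_record_paths(SAMPLE_RECORD, site))
```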
Bumps uv from 0.7.22 to 0.11.6.
Release notes
Sourced from uv's releases.
... (truncated)
Changelog
Sourced from uv's changelog.
... (truncated)
Commits
- 6595080 Bump version to 0.11.6 (#18948)
- 7983c7a Validate and heal RECORD during installation (#18943)
- b38439b Avoid `uv cache clean` errors due to Win32 path normalization (#18856)
- a0e461a Do not remove files outside the venv on uninstall (#18942)
- 95eaa68 Bump version to 0.11.5 (#18930)
- f6d67d5 Improve certificate loading error messages (#18924)
- 39b83c3 Add `exclude-newer` to `[[tool.uv.index]]` (#18839)
- 7924ba5 uv audit: add context/warnings for ignored vulnerabilities (#18905)
- a352ce0 Remove the legacy PIP_COMPATIBILITY.md redirect file (#18928)
- 33b6338 Normalize persisted fork markers before lock equality checks (#18612)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.