chore(deps): bump uv from 0.9.18 to 0.11.6
Type: Pull Request
State: Closed
Association: Unknown
Comments: 1
Labels: dependencies, python:uv
Bumps uv from 0.9.18 to 0.11.6.
Release notes
Sourced from uv's releases.
0.11.6
Release Notes
Released on 2026-04-09.
This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.
Bug fixes
- Do not remove files outside the venv on uninstall (#18942)
- Validate and heal wheel RECORD during installation (#18943)
- Avoid uv cache clean errors due to Win32 path normalization (#18856)
Install uv 0.11.6
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.6/uv-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.6/uv-installer.ps1 | iex"
Download uv 0.11.6
... (truncated)
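The advisory in the release notes above concerns RECORD entries whose paths escape the environment when the package is uninstalled. The following Python is an added illustration, not uv's own code: it parses a constructed RECORD, resolves each entry against a constructed venv layout, and only treats paths that stay inside the venv root as removable. Note that a leading "../" is legitimate (console scripts under bin/ are recorded that way relative to site-packages), so the check is containment in the venv root, not the mere presence of "..".

```python
import csv
import io
from pathlib import Path

# Constructed layout: RECORD paths are relative to site-packages, but the
# containment boundary for uninstall is the virtual environment root.
VENV_ROOT = Path("/srv/venv")
SITE_PACKAGES = VENV_ROOT / "lib" / "python3.12" / "site-packages"

# Constructed RECORD: two package files, a console script under venv/bin
# (legitimately reached via "../"), the RECORD itself, then two malformed
# entries that would land outside the venv.
SAMPLE_RECORD = """\
demo/__init__.py,sha256=AAAA,10
demo/util.py,sha256=BBBB,20
../../../bin/demo-cli,sha256=CCCC,30
demo-1.0.dist-info/RECORD,,
../../../../../etc/passwd,sha256=DDDD,5
/etc/hosts,sha256=EEEE,5
"""


def audit_record(record_text: str, venv_root: Path, site_packages: Path):
    """Split RECORD entries into resolved paths that stay inside venv_root
    (safe to remove on uninstall) and the raw entries that would leave it."""
    boundary = venv_root.resolve()
    safe, rejected = [], []
    for row in csv.reader(io.StringIO(record_text)):
        if not row or not row[0]:
            continue
        entry = row[0]
        if Path(entry).is_absolute():
            rejected.append(entry)
            continue
        # resolve() collapses ".." (and any symlinks that exist) before the
        # containment test, so a bare "contains '..'" check is neither
        # necessary nor sufficient.
        target = (site_packages / entry).resolve()
        if target != boundary and boundary in target.parents:
            safe.append(target)
        else:
            rejected.append(entry)
    return safe, rejected


if __name__ == "__main__":
    ok, bad = audit_record(SAMPLE_RECORD, VENV_ROOT, SITE_PACKAGES)
    for p in ok:
        print("remove:", p)
    for e in bad:
        print("REJECT (outside venv):", e)
```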
Changelog
Sourced from uv's changelog.
0.11.6
Released on 2026-04-09.
This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.
Bug fixes
- Do not remove files outside the venv on uninstall (#18942)
- Validate and heal wheel RECORD during installation (#18943)
- Avoid uv cache clean errors due to Win32 path normalization (#18856)
0.11.5
Released on 2026-04-08.
Python
- Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#18908)
Enhancements
- Fix build_system.requires error message (#18911)
- Remove trailing path separators in path normalization (#18915)
- Improve error messages for unsupported or invalid TLS certificates (#18924)
Preview features
- Add exclude-newer to [[tool.uv.index]] (#18839)
- uv audit: add context/warnings for ignored vulnerabilities (#18905)
Bug fixes
- Normalize persisted fork markers before lock equality checks (#18612)
- Clear junction properly when uninstalling Python versions on Windows (#18815)
- Report error cleanly instead of panicking on TLS certificate error (#18904)
Documentation
- Remove the legacy PIP_COMPATIBILITY.md redirect file (#18928)
- Fix uv init example-bare --bare examples (#18822, #18925)
0.11.4
Released on 2026-04-07.
Enhancements
... (truncated)
Commits
6595080 Bump version to 0.11.6 (#18948)
7983c7a Validate and heal RECORD during installation (#18943)
b38439b Avoid uv cache clean errors due to Win32 path normalization (#18856)
a0e461a Do not remove files outside the venv on uninstall (#18942)
95eaa68 Bump version to 0.11.5 (#18930)
f6d67d5 Improve certificate loading error messages (#18924)
39b83c3 Add exclude-newer to [[tool.uv.index]] (#18839)
7924ba5 uv audit: add context/warnings for ignored vulnerabilities (#18905)
a352ce0 Remove the legacy PIP_COMPATIBILITY.md redirect file (#18928)
33b6338 Normalize persisted fork markers before lock equality checks (#18612)
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by cubic
Upgrade uv to 0.11.6 to fix a security issue in wheel uninstall and pick up recent bug fixes. Only the lockfile is updated; no code changes.
- Dependencies
  - Bump uv from 0.9.18 to 0.11.6 and update uv.lock.
  - Security: resolves GHSA-pjjw-68hj-v9mw (malformed wheel RECORD could delete files outside the venv).
Written for commit 8604fcc3e8ff3d1c41f3d0e5dab80d2d4e94d6c7. Summary will update on new commits.
Package Dependencies
Technical Details
| ID: | 15423629 |
| UUID: | 4241410081 |
| Node ID: | PR_kwDON3IiZc7RjebK |
| Host: | GitHub |
| Repository: | StackOneHQ/stackone-ai-python |