Sourced from uv's releases.

0.9.5

Release Notes

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9

Security

• Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#16387)

Enhancements

• Add required environment marker example to hint (#16244)
• Fix typo in MissingTopLevel warning (#16351)
• Improve 403 Forbidden error message to indicate package may not exist (#16353)
• Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#16318)

Bug fixes

• Fix backtick escaping for PowerShell (#16307)

Documentation

• Document metadata consistency expectation (#15683)
• Remove outdated aarch64 musl note (#16385)

Install uv 0.9.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.5/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.5/uv-installer.ps1 | iex"

Download uv 0.9.5

File	Platform	Checksum
uv-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
uv-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
uv-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum

... (truncated)

Sourced from uv's changelog.

0.9.5

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9

Security

• Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#16387)

Enhancements

• Add required environment marker example to hint (#16244)
• Fix typo in MissingTopLevel warning (#16351)
• Improve 403 Forbidden error message to indicate package may not exist (#16353)
• Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#16318)

Bug fixes

• Fix backtick escaping for PowerShell (#16307)

Documentation

• Document metadata consistency expectation (#15683)
• Remove outdated aarch64 musl note (#16385)

0.9.4

Released on 2025-10-17.

Enhancements

• Add CUDA 13.0 support (#16321)
• Add auto-detection for Intel GPU on Windows (#16280)
• Implement display of RFC 9457 HTTP error contexts (#16199)

Bug fixes

• Avoid obfuscating pyx tokens in uv auth token output (#16345)

0.9.3

Released on 2025-10-14.

Python

• Add CPython 3.15.0a1
• Add CPython 3.13.9

... (truncated)

• d5f3933 Bump version to 0.9.5 (#16389)
• 1a53701 Deactivate zizmor due to GitHub ratelimiting (#16390)
• ae45066 deps: bump astral-tokio-tar to 0.5.6 (#16387)
• 38412a6 Remove outdated aarch64 musl note (#16385)
• 2fc5fe2 fix small typos (#16357)
• 17155c4 Fix backtick escaping for PowerShell (#16307)
• 51e8da2 Move parsing http retries to EnvironmentOptions (#16284)
• 29cec24 fix: Add a hint on uv pip install failure if the --system flag is used to...
• ed65c24 Sync latest Python releases (#16246)
• e0fe38e Improve 403 Forbidden error message to indicate package may not exist (#16353)
• Additional commits viewable in compare view

Sourced from nox's releases.

2025.10.16 ⏲️

This is a quick release to make our new dependency, pbs-installer, optional. This is only needed to install Python if you are not using the uv backend. We've also added the time taken to the output when it's over a second.

We'd like to thank the following folks who contributed to this release:

• @​henryiii

Changes:

• Make pbs-installer an optional dependency by @​henryiii in wntrblm/nox#1017
• Include time on longer runs (adds humanize dependency) by @​henryiii in wntrblm/nox#1014

Internal:

• Run conda on Windows/Linux again by @​henryiii in wntrblm/nox#1015

2025.10.14 🥧

This release updates the default for the GitHub Action to target the current range of recommended Pythons (3.10-3.14). There's now a mechanism to control if nox downloads Python (even when not using uv). Several fixes include better free-threading support, custom filenames in script mode, and support for GitHub Actions Windows ARM runners.

We'd like to thank the following folks who contributed to this release:

• @​agriyakhetarpal (first contribution)
• @​henryiii
• @​IvanIsCoding (first contribution)
• @​jbdyn (first contribution)
• @​johnthagen
• @​saucoide
• @​shenxianpeng (first contribution)
• @​Spacetown (first contribution)
• @​zzzeek (first contribution)

Features:

• Add --download-python python option by @​saucoide in wntrblm/nox#989
• Add session.env_dir to get the Path to the environment by @​jbdyn in wntrblm/nox#974

Changes:

• GitHub Action 3.10-3.14 default by @​henryiii in wntrblm/nox#1003
• Percolate the verbose global option to the silent argument for session installation commands, and document it by @​agriyakhetarpal in wntrblm/nox#983
• Disallow abbreviated options by @​henryiii in wntrblm/nox#973
• Log output of failed process by @​jbdyn in wntrblm/nox#974
• Use a separate logging level (SESSION_INFO) for session info instead of warning by @​Spacetown in wntrblm/nox#990

Bugfixes:

• Support scripts with custom names by @​henryiii in wntrblm/nox#1007
• Correctly match free-threaded python versions by @​zzzeek in wntrblm/nox#999
• Let uv replace the directory instead of deleting it ourselves by @​henryiii in wntrblm/nox#981
• Tighten type for venv_backend by @​henryiii in wntrblm/nox#967

... (truncated)

Sourced from nox's changelog.

2025.10.16

This is a quick release to make our new dependency, pbs-installer, optional. This is only needed to install Python if you are not using the uv backend. We've also added the time taken to the output when it's over a second.

We'd like to thank the following folks who contributed to this release:

• @​henryiii

Changes:

• Make pbs-installer an optional dependency by @​henryiii in wntrblm/nox#1017
• Include time on longer runs (adds humanize dependency) by @​henryiii in wntrblm/nox#1014

Internal:

• Run conda on Windows/Linux again by @​henryiii in wntrblm/nox#1015

2025.10.14

This release updates the default for the GitHub Action to target the current range of recommended Pythons (3.10-3.14). There's now a mechanism to control if nox downloads Python (even when not using uv). Several fixes include better free-threading support, custom filenames in script mode, and support for GitHub Actions Windows ARM runners.

We'd like to thank the following folks who contributed to this release:

• @​agriyakhetarpal (first contribution)
• @​henryiii
• @​IvanIsCoding (first contribution)
• @​jbdyn (first contribution)
• @​johnthagen
• @​saucoide
• @​shenxianpeng (first contribution)
• @​Spacetown (first contribution)
• @​zzzeek (first contribution)

Features:

• Add --download-python python option by @​saucoide in wntrblm/nox#989
• Add session.env_dir to get the Path to the environment by @​jbdyn in wntrblm/nox#974

Changes:

• GitHub Action 3.10-3.14 default by @​henryiii in wntrblm/nox#1003
• Percolate the verbose global option to the silent argument for session installation commands, and document it by @​agriyakhetarpal in wntrblm/nox#983
• Disallow abbreviated options by @​henryiii in wntrblm/nox#973
• Log output of failed process by @​jbdyn in wntrblm/nox#974
• Use a separate logging level (SESSION_INFO) for session info instead of warning by @​Spacetown in wntrblm/nox#990

... (truncated)

• d9e5e0c chore: prepare for 2025.10.16 (#1018)
• 7cb2614 fix: include time on longer runs (#1014)
• 4eb0037 fix: make pbs an optional dependency (#1017)
• 572f34a ci: run conda on Windows/Linux again (#1015)
• 449f935 docs: prepare for 2025.10.14 (#1010)
• 6174960 fix: show a warning if a duplicate session is encountered (#1013)
• 1dc6910 chore: remove docs from default dev group (#1012)
• bd6629a fix: validation error for nox.options.keywords (#1011)
• 1a4b11a fix: log output of failed process (#974)
• a0d354c feat: use a separate logging level for session info instead of warning
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions