renovate[bot]

@renovate renovate bot commented Jul 14, 2025

This PR contains the following updates:

Package               Type   Update  Change
ghcr.io/astral-sh/uv  final  minor   0.8.23 -> 0.9.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

astral-sh/uv (ghcr.io/astral-sh/uv)

v0.9.1


Released on 2025-10-09.

Enhancements
  • Log Python choice in uv init (#​16182)
  • Fix pylock.toml config conflict error messages (#​16211)
Configuration
  • Add UV_UPLOAD_HTTP_TIMEOUT and respect UV_HTTP_TIMEOUT in uploads (#​16040)
  • Support UV_WORKING_DIRECTORY for setting --directory (#​16125)
Bug fixes
  • Allow missing Scripts directory (#​16206)
  • Fix handling of Python requests with pre-releases in ranges (#​16208)
  • Preserve comments on version bump (#​16141)
  • Retry all HTTP/2 errors (#​16038)
  • Treat deleted Windows registry keys as equivalent to missing ones (#​16194)
  • Ignore pre-release Python versions when a patch version is requested (#​16210)
Documentation
  • Document why uv discards upper bounds on requires-python (#​15927)
  • Document uv version environment variables were added in (#​15196)

v0.9.0


Released on 2025-10-07.

Breaking changes

This breaking release is primarily motivated by the release of Python 3.14, which contains some breaking changes (we recommend reading the "What's new in Python 3.14" page). uv may use Python 3.14 in cases where it previously used 3.13, e.g., if you have not pinned your Python version and do not have any Python versions installed on your machine. While we think this is uncommon, we prefer to be cautious. We've included some additional small changes that could break workflows.

There are no breaking changes to uv_build. If you have an upper bound in your [build-system] table, you should update it.

  • Python 3.14 is now the default stable version

    The default Python version has changed from 3.13 to 3.14. This applies to Python version installation when no Python version is requested, e.g., uv python install. By default, uv will use the system Python version if present, so this may not cause changes to general use of uv. For example, if Python 3.13 is installed already, then uv venv will use that version. If no Python versions are installed on a machine and automatic downloads are enabled, uv will now use 3.14 instead of 3.13, e.g., for uv venv or uvx python. This change will not affect users who are using a .python-version file to pin to a specific Python version.

  • Allow use of free-threaded variants in Python 3.14+ without explicit opt-in (#​16142)

    Previously, free-threaded variants of Python were considered experimental and required explicit opt-in (i.e., with 3.14t) for usage. Now uv will allow use of free-threaded Python 3.14+ interpreters without explicit selection. The GIL-enabled build of Python will still be preferred, e.g., when performing an installation with uv python install 3.14. However, e.g., if a free-threaded interpreter comes before a GIL-enabled build on the PATH, it will be used. This change does not apply to free-threaded Python 3.13 interpreters, which will continue to require opt-in.

  • Use Python 3.14 stable Docker images (#​16150)

    Previously, the Python 3.14 images had an -rc suffix, e.g., python:3.14-rc-alpine or python:3.14-rc-trixie. Now, the -rc suffix has been removed to match the stable upstream images. The -rc image tags will no longer be updated. This change should not break existing workflows.

  • Upgrade Alpine Docker image to Alpine 3.22

    Previously, the uv:alpine Docker image was based on Alpine 3.21. Now, this image is based on Alpine 3.22. The previous image can be recovered with uv:alpine3.21 and will continue to be updated until a future release.

  • Upgrade Debian Docker images to Debian 13 "Trixie"

    Previously, the uv:debian and uv:debian-slim Docker images were based on Debian 12 "Bookworm". Now, these images are based on Debian 13 "Trixie". The previous images can be recovered with uv:bookworm and uv:bookworm-slim and will continue to be updated until a future release.

  • Fix incorrect output path when a trailing / is used in uv build (#​15133)

    When using uv build in a workspace, the artifacts are intended to be written to a dist directory in the workspace root. A bug caused workspace root determination to fail when the input path included a trailing /, causing the dist directory to be placed in the child directory. This bug has been fixed in this release. For example, if uv build child/ is used, the output path will now be in <workspace root>/dist/ rather than <workspace root>/child/dist/.

Python
  • Add CPython 3.14.0
  • Add CPython 3.13.8
Enhancements
  • Don't warn when dependency is constrained by other dependency (#​16149)
Bug fixes
  • Fix uv python upgrade / install output when there is a no-op for one request (#​16158)
  • Surface pinned-version hint when uv tool upgrade can’t move the tool (#​16081)
  • Ban pre-release versions in uv python upgrade requests (#​16160)
  • Fix uv python upgrade replacement of installed binaries on pre-release to stable (#​16159)
Documentation
  • Update uv pip compile args in layout.md (#​16155)

v0.8.24


Released on 2025-10-06.

Enhancements
  • Emit a message on cache clean and prune when lock is held (#​16138)
  • Add --force flag for uv cache prune (#​16137)
Documentation
  • Fix example of bumping beta version without patch bump (#​16132)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


codecov bot commented Jul 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.


@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from a3e74ca to 2a2f465 Compare July 17, 2025 16:42
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.7.21 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.7.22 Jul 17, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 2a2f465 to 86692a5 Compare July 18, 2025 03:30
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.7.22 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.0 Jul 18, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.0 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.0 - autoclosed Jul 18, 2025
@renovate renovate bot closed this Jul 18, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.0 - autoclosed chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.0 Jul 22, 2025
@renovate renovate bot reopened this Jul 22, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from c2197dc to 86692a5 Compare July 22, 2025 20:03
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.0 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.1 Jul 22, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 86692a5 to da96b73 Compare July 23, 2025 00:04
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.1 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.2 Jul 23, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from da96b73 to ce959bd Compare July 25, 2025 00:33
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.2 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.3 Jul 25, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.3 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.4 Jul 30, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from ce959bd to 9fa1f3a Compare July 30, 2025 17:49
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.4 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.5 Aug 6, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch 2 times, most recently from 3746a85 to cb7640a Compare August 7, 2025 15:56
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.5 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.6 Aug 7, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.6 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.6 - autoclosed Aug 8, 2025
@renovate renovate bot closed this Aug 8, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.6 - autoclosed chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.6 Aug 8, 2025
@renovate renovate bot reopened this Aug 8, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 0e79a29 to cb7640a Compare August 8, 2025 21:01
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.6 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.7 Aug 8, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.7 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.8 Aug 9, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from cb7640a to 232c658 Compare August 9, 2025 00:49
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.8 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.8 - autoclosed Aug 9, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.20 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.21 Sep 23, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 7871cae to 9ae09e3 Compare September 23, 2025 22:15
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.21 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.22 Sep 23, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.22 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.22 - autoclosed Sep 28, 2025
@renovate renovate bot closed this Sep 28, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.22 - autoclosed chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.22 Oct 4, 2025
@renovate renovate bot reopened this Oct 4, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 1f40070 to 9ae09e3 Compare October 4, 2025 21:08
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.22 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.23 Oct 4, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 9ae09e3 to 587126b Compare October 5, 2025 01:51

claude bot commented Oct 5, 2025

Pull Request Review

Summary

This PR updates the uv package manager from version 0.8.22 to 0.8.23 in the Dockerfile. This is a routine dependency patch update managed by Renovate.

Code Quality ✅

  • Change is minimal and focused: Single line change updating the Docker image tag
  • Follows project conventions: Uses the established pattern of copying uv from the official container image
  • No breaking changes: Patch version update should be backwards compatible

Key Changes in uv 0.8.23

Based on the release notes, this version includes:

Enhancements:

  • Build s390x on stable Rust compiler
  • Added UV_SKIP_WHEEL_FILENAME_CHECK environment variable for edge cases

Bug Fixes:

  • Fixed --no-sources handling with already-installed URL distributions
  • Improved Python install key validation during managed checks
  • Fixed cache control lookups to be robust to username
  • Better lock validation check ordering by severity
  • Respect --no-color flag on CLI
  • Deduplicate marker-specific dependencies in uv pip tree

Analysis

Positive aspects:

  1. Bug fixes improve reliability: Several bug fixes related to dependency resolution and caching
  2. No breaking changes: All changes are bug fixes and minor enhancements
  3. Relevant fixes for Docker: Cache control improvements and installation validation are beneficial in containerized environments
  4. Low risk: Patch version updates from a stable tool like uv are typically safe

Considerations:

  1. Testing: Ensure CI passes to validate the update works with the current build process
  2. Multi-stage build impact: The Dockerfile uses uv in multi-stage builds (builder-slim and builder-all) - both will benefit from the bug fixes

Security ✅

No security concerns. This is an official release from the uv project with no reported security issues.

Performance ✅

No performance regressions expected. The cache control fixes may actually improve performance in some scenarios.

Test Coverage ✅

No changes to test coverage required as this is a tool version update. The existing CI pipeline should validate the update.

Recommendation

✅ APPROVE - This is a safe patch update with bug fixes and no breaking changes. Once CI passes, this can be merged.

The update includes useful bug fixes for dependency management and caching that will benefit the Docker build process. No action items or concerns identified.


Review generated by Claude Code following repository conventions from CLAUDE.md

@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.23 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.23 - autoclosed Oct 5, 2025
@renovate renovate bot closed this Oct 5, 2025
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.23 - autoclosed chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.23 Oct 7, 2025
@renovate renovate bot reopened this Oct 7, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 0ec63d1 to 587126b Compare October 7, 2025 06:15
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.23 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.24 Oct 7, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch 2 times, most recently from 5ca6257 to a327581 Compare October 8, 2025 04:10
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.8.24 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.9.0 Oct 8, 2025
@renovate renovate bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from a327581 to 6cb4535 Compare October 9, 2025 19:41
@renovate renovate bot changed the title chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.9.0 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.9.1 Oct 9, 2025

claude bot commented Oct 9, 2025

Pull Request Review: UV Docker Image Update (0.8.23 → 0.9.1)

Summary

This PR updates the UV package manager Docker image from version 0.8.23 to 0.9.1. This is a minor version bump with some important breaking changes related to Python 3.14.


✅ Code Quality Assessment

Positive aspects:

  • Clean, minimal change (1 line modified)
  • Automated dependency update via Renovate
  • Follows semantic versioning expectations

⚠️ Key Considerations

1. Breaking Changes in UV 0.9.0

The release includes several breaking changes that could affect this project:

Python 3.14 Default:

  • UV now defaults to Python 3.14 (previously 3.13)
  • Impact: This project uses Python 3.13.7 (per .python-version file) and the Dockerfile explicitly uses python:3.13-slim-bookworm base image
  • Risk Level: LOW - The project has explicit Python version pinning in both .python-version and Dockerfile, so UV's default won't affect builds

Alpine 3.22 & Debian 13 Trixie Updates:

  • Base images for UV's Alpine and Debian images have been upgraded
  • Impact: This project uses python:3.13-slim-bookworm (Debian 12), not UV's base images
  • Risk Level: LOW - Not directly affected as project manages its own base image

Free-threaded Python 3.14+ Variants:

  • Now allowed without explicit opt-in
  • Risk Level: LOW - Project uses standard CPython 3.13

2. Configuration Changes

New environment variables added:

  • UV_UPLOAD_HTTP_TIMEOUT
  • UV_WORKING_DIRECTORY

Recommendation: These could be useful for future CI/CD improvements but are not required for this update.

3. Bug Fixes Included

Notable fixes in 0.9.x that benefit this project:

  • ✅ Retry all HTTP/2 errors (improves dependency download reliability)
  • ✅ Fix handling of Python requests with pre-releases in ranges
  • ✅ Preserve comments on version bump
  • ✅ Allow missing Scripts directory

🔒 Security Assessment

Status: SAFE

  • UV is from a trusted source (Astral.sh, creators of Ruff)
  • Using official GHCR images with proper versioning
  • No known security vulnerabilities in the upgrade path

🧪 Test Coverage

Current Status:

  • The Dockerfile change affects build-time dependencies only
  • Project's test suite should verify functionality remains intact
  • Docker multi-stage builds (both slim and all targets) use identical UV version

Recommendations:

  1. ✅ Verify Docker builds complete successfully for both targets
  2. ✅ Run full test suite to ensure UV behavior changes don't affect dependency resolution
  3. ✅ Test with make all to validate complete CI pipeline

⚡ Performance Considerations

Enhancements in 0.9.x:

  • Improved error retry logic for HTTP/2
  • Better handling of cache locks (--force flag for cache prune)
  • Optimized Python version selection

Expected Impact: Minor performance improvements in dependency resolution and installation.


📋 Recommendations

Before Merging:

  1. Verify CI passes - Ensure all GitHub Actions workflows complete successfully
  2. Test Docker builds locally (if possible)
  3. Run integration tests - Especially those involving uv sync commands (lines 30, 49, 59, 78 in Dockerfile)

Optional Future Improvements:

  • Consider using UV's new UV_WORKING_DIRECTORY environment variable for cleaner CI scripts
  • Monitor UV 0.10.x releases for additional optimizations

✅ Final Verdict

Recommendation: APPROVE

This is a low-risk dependency update with several beneficial bug fixes and performance improvements. The project's explicit Python version pinning (3.13.7) protects against the Python 3.14 default change.

Merge Safety: High - No code changes required, well-isolated Docker image update.


Additional Notes

  • The project follows best practices by pinning Python versions explicitly
  • UV's modulith architecture aligns well with this project's architectural principles
  • Renovate automation is correctly configured and working as expected

Great job maintaining up-to-date dependencies! 🎉


sonarqubecloud bot commented Oct 9, 2025

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen merged commit 27d0e8f into main Oct 10, 2025
5 of 9 checks passed

claude bot commented Oct 10, 2025

Pull Request Review: UV Docker Tag Update (0.8.23 → 0.9.1)

Summary

This PR updates the uv package manager Docker image from version 0.8.23 to 0.9.1. This is an automated dependency update from Renovate.


✅ Positive Findings

  1. Minimal Scope: Single line change in Dockerfile - low risk, focused update
  2. Satisfies Security Requirements: The pyproject.toml already enforces uv>=0.8.9 due to CVE-2025-54368 (line 217), and version 0.9.1 satisfies this constraint
  3. No Breaking API Changes: The release notes show no breaking changes to the build backend or CLI commands used in this project
  4. Bug Fixes Included: Version 0.9.1 includes several stability improvements and HTTP/2 error retry logic that could improve build reliability

⚠️ Considerations

1. Python 3.14 Default Version Change (Low Risk)

  • Impact: UV 0.9.0+ defaults to Python 3.14 instead of 3.13
  • Mitigation: This project explicitly uses Python 3.13 in the Dockerfile (FROM python:3.13-slim-bookworm) and in uv sync commands (--python 3.13), so this should not affect builds
  • Verification Recommended: Confirm that CI builds still use Python 3.13 as intended

2. Alpine/Debian Base Image Changes (No Impact)

  • UV 0.9.0 upgraded its base images (Alpine 3.22, Debian 13 "Trixie")
  • This project uses python:3.13-slim-bookworm as the base, not the UV image, so this does not affect the build

3. New Configuration Options (Informational)

The update introduces new environment variables:

  • UV_UPLOAD_HTTP_TIMEOUT - for upload timeouts
  • UV_WORKING_DIRECTORY - for setting working directory

These are optional and do not require changes.


🔍 Code Quality Assessment

Architecture Compliance: ✅ Passes

  • Follows the project's Docker multi-stage build pattern
  • Maintains separation between builder-slim and builder-all targets
  • Preserves all environment variables and build optimizations

Security: ✅ Passes

  • Update addresses CVE-2025-54368 (already enforced in pyproject.toml)
  • No new security concerns introduced
  • Release includes HTTP/2 error retry improvements

Testing: ⚠️ Recommended

  • Suggest testing Docker builds locally before merge:
    docker build --target slim -t test:slim .
    docker build --target all -t test:all .

Documentation: ✅ Passes

  • Renovate PR body includes comprehensive release notes
  • No documentation updates needed for this change

📋 Recommendations

  1. Merge After CI Passes: This is a low-risk update, but wait for all CI checks to pass
  2. Monitor First Deployment: Watch for any unexpected behavior in the first deployment after merge
  3. Consider Testing: If time permits, manually verify Docker builds work as expected

🎯 Verdict

LGTM with minor recommendation

This is a routine dependency update that improves security and stability. The update is compatible with the project's requirements and poses minimal risk. The explicit Python version pinning in the Dockerfile protects against the Python 3.14 default change.

Recommendation: Approve and merge after CI passes.
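
The two compatibility claims made in the reviews above (the uv image tag meets the uv>=0.8.9 floor tied to CVE-2025-54368, and the Python 3.13 pin shields the build from uv's new 3.14 default) can be checked mechanically instead of by reading the diff. The following is an added example, not code from the project or from the review bots; the Dockerfile text is a constructed sample, and `audit`, `parse_version` and `same_minor` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the setup the reviews describe; not the project's Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM python:3.13-slim-bookworm AS builder-slim
COPY --from=ghcr.io/astral-sh/uv:0.9.1 /uv /bin/uv
RUN uv sync --python 3.13 --frozen

FROM python:3.13-slim-bookworm AS builder-all
COPY --from=ghcr.io/astral-sh/uv:0.9.1 /uv /bin/uv
RUN uv sync --python 3.13 --frozen --all-extras
"""

UV_IMAGE = "ghcr.io/astral-sh/uv"
IMAGE_REF = re.compile(r"(?:^FROM\s+|--from=)([\w./-]+):([\w.-]+)", re.MULTILINE)
UV_SYNC = re.compile(r"^RUN\b.*\buv sync\b(.*)$", re.MULTILINE)


def parse_version(text):
    """'0.9.1' -> (0, 9, 1). Rejects floating or suffixed tags such as 'latest'."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"not a plain release version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def same_minor(value, minor):
    """True when value is '3.13' or '3.13.<patch>' for minor '3.13'."""
    return re.fullmatch(rf"{re.escape(minor)}(\.\d+)?", value) is not None


def audit(dockerfile, uv_requirement, python_pin):
    """Return a list of findings; an empty list means the pins agree."""
    floor_text = re.fullmatch(r"uv\s*>=\s*([\d.]+)", uv_requirement.strip())
    if floor_text is None:
        raise ValueError(f"unsupported requirement: {uv_requirement!r}")
    floor = parse_version(floor_text.group(1))
    minor = ".".join(python_pin.split(".")[:2])

    uv_tags, base_tags = set(), set()
    for image, tag in IMAGE_REF.findall(dockerfile):
        if image == UV_IMAGE:
            uv_tags.add(tag)
        elif image == "python":
            base_tags.add(tag)

    findings = []
    if not uv_tags:
        findings.append(f"no {UV_IMAGE} reference found")
    if len(uv_tags) > 1:
        findings.append(f"stages use different uv tags: {sorted(uv_tags)}")
    for tag in sorted(uv_tags):
        try:
            # Numeric comparison: as strings, '0.8.23' would sort below '0.8.9'.
            if parse_version(tag) < floor:
                findings.append(f"uv tag {tag} is below the floor {uv_requirement}")
        except ValueError:
            findings.append(f"uv tag {tag!r} is not a plain X.Y.Z version")
    for tag in sorted(base_tags):
        if not same_minor(tag.split("-")[0], minor):
            findings.append(f"base image python:{tag} does not match pin {python_pin}")
    for args in UV_SYNC.findall(dockerfile):
        requested = re.search(r"--python[ =](\S+)", args)
        if requested and not same_minor(requested.group(1), minor):
            findings.append(f"uv sync requests Python {requested.group(1)}, pin is {python_pin}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DOCKERFILE, "uv>=0.8.9", "3.13.7") or ["all pins agree"]:
        print(line)
```

Run in CI against the real Dockerfile, a non-empty result fails the build before a Renovate bump is merged; `RUN` lines split with backslash continuations are not followed by this sketch.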

helmut-hoffer-von-ankershoffen added a commit that referenced this pull request Oct 12, 2025
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Helmut Hoffer von Ankershoffen né Oertel <helmut@aignostics.com>
helmut-hoffer-von-ankershoffen added a commit that referenced this pull request Oct 14, 2025
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Helmut Hoffer von Ankershoffen né Oertel <helmut@aignostics.com>