Skip to content

0.11.28

Latest

Choose a tag to compare

@github-actions github-actions released this 07 Jul 23:14
Immutable release. Only release title and notes can be modified.
ebf0f43

Release Notes

Released on 2026-07-07.

Security

This release updates our ZIP library, astral-async-zip, to v0.0.20, which includes 15 changes that harden our ZIP handling against parser differentials. uv may reject ZIP archives with malformed or ambiguous content that were previously accepted.

See the upstream commits for a full list of changes.

Python

  • Upgrade GraalPy to 25.1.3 (#20069)

Enhancements

  • Improve trace logs for unexpected error chains (#20220)
  • Move lockfile update guidance to a hint (#20219)
  • Preserve indentation for multiline error causes (#20156)
  • Render user errors with their cause chains (#20217)
  • Route final command errors through the printer to respect -q and -qq (#20163)
  • Use standard rendering for uv build errors (#20159)
  • Use standard rendering for tool requirement errors (#20160)

Performance

  • Only compile bytecode for installed distributions in uv pip install (#19914)
  • Avoid allocating URL-safe Git revisions (#20194)
  • Avoid allocating canonical Python request strings (#20193)
  • Avoid allocating custom Astral mirror URLs (#20204)
  • Avoid allocating expanded compatibility tags (#20190)
  • Avoid allocating shell strings that need no escaping (#20196)
  • Avoid allocating static ABI descriptions (#20201)
  • Avoid allocating static Windows executable names (#20200)
  • Avoid allocating static dependency table names (#20199)
  • Avoid allocating static platform triple components (#20195)
  • Avoid allocating static resolver report labels (#20198)
  • Avoid allocating static unavailable-version messages (#20197)
  • Avoid allocating unchanged Python download architectures (#20202)
  • Avoid allocating unchanged paths during case normalization (#20203)
  • Avoid allocations when expanding group conflicts (#20211)
  • Avoid allocations when formatting requirements (#20206)
  • Avoid cloning credential lookup services (#20210)
  • Avoid cloning dry-run distributions (#20209)
  • Avoid cloning owned dependency metadata (#20212)
  • Avoid redundant direct URL clones (#20207)
  • Create metadata version errors lazily (#20205)
  • Optimize expanded tag compatibility checks (#20171)
  • Optimize parsing of single-digit three-part versions (#20118)

Bug fixes

  • Avoid overflow when computing HTTP cache age (#20178)
  • Respect --upgrade when upgrade-package is configured (#19955)
  • Support uv tree in dependency-group-only projects (#20167)
  • Treat cache entries as stale at exact expiration (#20183)

Install uv 0.11.28

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.28/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.28/uv-installer.ps1 | iex"

Download uv 0.11.28

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
uv-aarch64-unknown-linux-gnu.tar.gz ARM64 Linux checksum
uv-i686-unknown-linux-gnu.tar.gz x86 Linux checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz PPC64LE Linux checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz RISCV Linux checksum
uv-s390x-unknown-linux-gnu.tar.gz S390x Linux checksum
uv-x86_64-unknown-linux-gnu.tar.gz x64 Linux checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz ARMv7 Linux checksum
uv-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
uv-i686-unknown-linux-musl.tar.gz x86 MUSL Linux checksum
uv-riscv64gc-unknown-linux-musl.tar.gz RISCV MUSL Linux checksum
uv-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum
uv-arm-unknown-linux-musleabihf.tar.gz ARMv6 MUSL Linux (Hardfloat) checksum
uv-armv7-unknown-linux-musleabihf.tar.gz ARMv7 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo astral-sh/uv

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>