[pull] main from TryGhost:main#1040
Merged
Merged
Conversation
ref https://linear.app/ghost/issue/BER-3484 Shows "Purchased a gift subscription" with the payment amount in the admin activity feed by reading directly from the gifts table. The event type is named `gift_purchase_event` to allow `gift_redemption_event` later
Agent skills are starting to settle as a pattern used by many agents. The approach set out in this commit uses the `npx skills` CLI from Vercel to init custom skills in the repo, using the more standard `.agent/skills` folder as the default. Symlinks are added for `.claude/skills` to keep compatibility with the main outlier. Using `npx skills` gives us a skills-lock.json file with some metadata about skills, so we can determine custom vs installed skills, and supports keeping them up to date. This approach will also allow us to install custom skills from this repo on other repos. The last thing this PR achieves is a commit skill, which will hopefully help agents to follow existing commit conventions more readily. This is an example of the pattern being set out.
closes [NY-1211](https://linear.app/ghost/issue/NY-1211/remove-separator-from-welcome-email-header) - removes top divider from welcome email preview, because it was kind of confusing - it seemed like it was part of the header - there are still other dividers in the preview to be able to see changes to divider color - also cleans up a class that could be `text-body-sm` instead of `text-[1.3rem]`
towards https://linear.app/ghost/issue/NY-1196  This adds a hidden UI for drip campaigns to the admin panel. The UI is ugly and simplistic, but should be good enough to start wiring things up to new API endpoints. (These endpoints don't exist yet!)
no ref This is a security measure that we should do for all our actions.
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@tailwindcss/postcss](https://tailwindcss.com) ([source](https://redirect.github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss)) | devDependencies | pin | [`^4` → `4.2.1`](https://renovatebot.com/diffs/npm/@tailwindcss%2fpostcss/4.2.1/4.2.1) | | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | pinDigest | → `d3f86a1` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | pinDigest | → `ea165f8` | | [asdf-vm/actions](https://redirect.github.com/asdf-vm/actions) | action | pinDigest | → `b7bcd02` | | axllent/mailpit | | pinDigest | → `0b5c5f7` | | caddy | final | pinDigest | → `fce4f15` | | [codecov/codecov-action](https://redirect.github.com/codecov/codecov-action) | action | pinDigest | → `75cd116` | | [docker/build-push-action](https://redirect.github.com/docker/build-push-action) | action | pinDigest | → `10e90e3` | | [docker/dockerfile](https://redirect.github.com/moby/buildkit) | syntax | pinDigest | → `7eca945` | | [docker/login-action](https://redirect.github.com/docker/login-action) | action | pinDigest | → `c94ce9f` | | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | pinDigest | → `c299e40` | | [docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action) | action | pinDigest | → `8d2750c` | | [gacts/purge-jsdelivr-cache](https://redirect.github.com/gacts/purge-jsdelivr-cache) | action | pinDigest | → `8d92aea` | | [ghcr.io/astral-sh/uv](https://redirect.github.com/astral-sh/uv) | final | pinDigest | → `4de5495` | | minio/mc | | pinDigest | → `a7fe349` | | minio/minio | | pinDigest | → `149fdd7` | | mysql | | pinDigest | → `679e7e9` | | [node](https://redirect.github.com/nodejs/node) | final | pinDigest | → `8b1d14e` | | [node](https://redirect.github.com/nodejs/node) | final | pinDigest | → `752ea8a` | | [peter-evans/repository-dispatch](https://redirect.github.com/peter-evans/repository-dispatch) | action | pinDigest | → `ff45666` | | redis | | pinDigest | → `352c1fd` | | [slackapi/slack-github-action](https://redirect.github.com/slackapi/slack-github-action) | action | pinDigest | → `91efab1` | | stripe/stripe-cli | | pinDigest | → `a7a01c0` | | [szenius/set-timezone](https://redirect.github.com/szenius/set-timezone) | action | pinDigest | → `1f9716b` | | [tailwindcss](https://tailwindcss.com) ([source](https://redirect.github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss)) | devDependencies | pin | [`^4` → `4.2.1`](https://renovatebot.com/diffs/npm/tailwindcss/4.2.1/4.2.1) | | tinybirdco/tinybird-local | service | pinDigest | → `a652699` | | tinybirdco/tinybird-local | | pinDigest | → `a652699` | | [tryghost/actions](https://redirect.github.com/tryghost/actions) | action | pinDigest | → `0cbdcbe` |⚠️ Renovate's pin functionality [does not currently](https://redirect.github.com/renovatebot/renovate/issues/40288) wire in the release age for a package, so the Minimum Release Age checks can apply. You will need to manually validate the Minimum Release Age for these package(s). Add the preset `:preserveSemverRanges` to your config if you don't want to pin your dependencies. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - Only on Sunday and Saturday ( * * * * 0,6 ), Between 12:00 AM and 12:59 PM, only on Monday ( * 0-12 * * 1 ), Between 10:00 PM and 11:59 PM, Monday through Friday ( * 22-23 * * 1-5 ), Between 12:00 AM and 04:59 AM, Tuesday through Saturday ( * 0-4 * * 2-6 ) in timezone Etc/UTC. 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/TryGhost/Ghost). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | python | stage | digest | `27f90d7` → `f1927c7` | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - Only on Sunday and Saturday ( * * * * 0,6 ), Between 12:00 AM and 12:59 PM, only on Monday ( * 0-12 * * 1 ), Between 10:00 PM and 11:59 PM, Monday through Friday ( * 22-23 * * 1-5 ), Between 12:00 AM and 04:59 AM, Tuesday through Saturday ( * 0-4 * * 2-6 ) in timezone Etc/UTC. 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/TryGhost/Ghost). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
ref https://linear.app/ghost/issue/BER-3476 ## Summary This PR adds a gift redemption preflight endpoint for Portal: `GET /members/api/gifts/:token/redeem/` The endpoint is read-only and answers one question before any redemption write happens: can this token be redeemed right now by the current visitor? It supports both anonymous visitors and logged-in members. If the token is redeemable, it returns the gift details Portal needs to render the redemption screen. If not, it returns a standard members API error response with a user-facing message. The endpoint validates gift redeemability in this order: 1. Gift subscriptions labs flag is enabled 2. A gift exists for the token 3. The gift has not already been redeemed 4. The gift has not expired 5. If a member is logged in, they do not already have active access 6. If all checks pass, the gift is considered redeemable and the endpoint returns the gift details. ## API contract `GET /members/api/gifts/:token/redeem/` Success response: ``` { "gifts": [ { "token": "gift-token-123", "cadence": "year", "duration": 1, "currency": "usd", "amount": 5000, "expires_at": "2030-01-01T00:00:00.000Z", "tier": { "id": "tier_123", "name": "Bronze", "description": "Tier description", "benefits": [ "Benefit 1", "Benefit 2" ] } } ] } ``` Error response: ``` { "errors": [ { "message": "This gift has expired.", "type": "BadRequestError" } ] } ``` Expected error messages include: - `"Gift not found."` - `"This gift has already been redeemed."` - `"This gift has expired."` - `"You already have an active subscription."` - `"Gift subscriptions are not enabled on this site."` ## Portal Flow - A visitor opens `#/portal/gift/redeem/:token` - Portal calls `GET /members/api/gifts/:token/redeem/` - The gift service validates the token and current member eligibility - If valid, the endpoint returns the gift payload in the standard members API envelope - Portal reads response and renders the redemption UI - If invalid, Portal surfaces the API error message through the existing notification flow
ref https://linear.app/ghost/issue/BER-3472 Added `gift` status to member status enum so that the system can track and distinguish members with a gift subscription
ref https://linear.app/ghost/issue/BER-3484 Added additional e2e tests covering gift subscription purchase flow
ref #27144 Renovate was rebasing automerge-eligible branches on every run, which kept cancelling long-running CI jobs (e.g. Playwright setup) whenever main moved during the working day. The existing automergeSchedule only limited when Renovate could finalise a merge, not when it could run or rebase branches. Add a matching Renovate schedule that restricts runs to the same weekend, Monday morning, weekday evening and early morning windows as automerge, with each block starting one hour earlier so Renovate has time to rebase branches and refresh PRs before automerge is eligible to act on them. This keeps rebase churn out of the normal working day while still letting Renovate finish everything it needs to do before each automerge window opens.
closes https://linear.app/ghost/issue/NY-1188 ref #27185 This removes the old automated emails table now that we aren't using it anymore.
…#27168) ref https://github.com/TryGhost/Ghost/actions/runs/24012086446/job/70025449313 The global disableNetwork() helper stubs dnsPromises.lookup via sinon during beforeAll to prevent real DNS lookups in tests. However, many tests call sinon.restore() in their afterEach, which nukes all sinon stubs — including the DNS one. Subsequent tests then perform real DNS lookups against nocked domains (e.g. external.com), which can be slow or unreliable on CI, causing intermittent 2000ms timeouts. This was the root cause of the flaky ExternalMediaInliner CDN storage adapter test failures. The fix re-applies disableNetwork() in the global mocha root afterEach hook, which runs after every test's own afterEach. This ensures DNS stubs are always restored after sinon.restore() removes them. Three tests that were redundantly re-stubbing DNS with the same fake values are cleaned up, and one test that was silently depending on the stub being absent (to get a real private-IP DNS result) is updated to explicitly stub the behavior it needs.
> ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ghcr.io/astral-sh/uv](https://redirect.github.com/astral-sh/uv) | final | minor | `0.8.13` → `0.11.4` | --- ### Release Notes <details> <summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary> ### [`v0.11.4`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0114) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.11.3...0.11.4) Released on 2026-04-07. ##### Python - Add CPython 3.13.13, 3.14.4, and 3.15.0a8 ([#​18908](https://redirect.github.com/astral-sh/uv/pull/18908)) ##### Enhancements - Add support for `--upgrade-group` ([#​18266](https://redirect.github.com/astral-sh/uv/pull/18266)) - Merge repeated archive URL hashes by version ID ([#​18841](https://redirect.github.com/astral-sh/uv/pull/18841)) - Require all direct URL hash algorithms to match ([#​18842](https://redirect.github.com/astral-sh/uv/pull/18842)) ##### Bug fixes - Avoid panics in environment finding via cycle detection ([#​18828](https://redirect.github.com/astral-sh/uv/pull/18828)) - Enforce direct URL hashes for `pyproject.toml` dependencies ([#​18786](https://redirect.github.com/astral-sh/uv/pull/18786)) - Error on `--locked` and `--frozen` when script lockfile is missing ([#​18832](https://redirect.github.com/astral-sh/uv/pull/18832)) - Fix `uv export` extra resolution for workspace member and conflicting extras ([#​18888](https://redirect.github.com/astral-sh/uv/pull/18888)) - Include conflicts defined in virtual workspace root ([#​18886](https://redirect.github.com/astral-sh/uv/pull/18886)) - Recompute relative `exclude-newer` values during `uv tree --outdated` ([#​18899](https://redirect.github.com/astral-sh/uv/pull/18899)) - Respect `--exclude-newer` in `uv tool list --outdated` ([#​18861](https://redirect.github.com/astral-sh/uv/pull/18861)) - Sort by comparator to break specifier ties ([#​18850](https://redirect.github.com/astral-sh/uv/pull/18850)) - Store relative timestamps in tool receipts ([#​18901](https://redirect.github.com/astral-sh/uv/pull/18901)) - Track newly-activated extras when determining conflicts ([#​18852](https://redirect.github.com/astral-sh/uv/pull/18852)) - Patch `Cargo.lock` in `uv-build` source distributions ([#​18831](https://redirect.github.com/astral-sh/uv/pull/18831)) ##### Documentation - Clarify that `--exclude-newer` compares artifact upload times ([#​18830](https://redirect.github.com/astral-sh/uv/pull/18830)) ### [`v0.11.3`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0113) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.11.2...0.11.3) Released on 2026-04-01. ##### Enhancements - Add progress bar for hashing phase in uv publish ([#​18752](https://redirect.github.com/astral-sh/uv/pull/18752)) - Add support for ROCm 7.2 ([#​18730](https://redirect.github.com/astral-sh/uv/pull/18730)) - Emit abi3t tags for every abi3 version ([#​18777](https://redirect.github.com/astral-sh/uv/pull/18777)) - Expand `uv workspace metadata` with dependency information from the lock ([#​18356](https://redirect.github.com/astral-sh/uv/pull/18356)) - Implement support for PEP 803 ([#​18767](https://redirect.github.com/astral-sh/uv/pull/18767)) - Pretty-print platform in built wheel errors ([#​18738](https://redirect.github.com/astral-sh/uv/pull/18738)) - Publish installers to `/installers/uv/latest` on the mirror ([#​18725](https://redirect.github.com/astral-sh/uv/pull/18725)) - Show free-threaded Python in built-wheel errors ([#​18740](https://redirect.github.com/astral-sh/uv/pull/18740)) ##### Preview features - Add `--ignore` and `--ignore-until-fixed` to `uv audit` ([#​18737](https://redirect.github.com/astral-sh/uv/pull/18737)) ##### Bug fixes - Bump simple API cache ([#​18797](https://redirect.github.com/astral-sh/uv/pull/18797)) - Don't drop `blake2b` hashes ([#​18794](https://redirect.github.com/astral-sh/uv/pull/18794)) - Handle broken range request implementations ([#​18780](https://redirect.github.com/astral-sh/uv/pull/18780)) - Remove `powerpc64-unknown-linux-gnu` from release build targets ([#​18800](https://redirect.github.com/astral-sh/uv/pull/18800)) - Respect dependency metadata overrides in `uv pip check` ([#​18742](https://redirect.github.com/astral-sh/uv/pull/18742)) - Support debug CPython ABI tags in environment compatibility ([#​18739](https://redirect.github.com/astral-sh/uv/pull/18739)) ##### Documentation - Document `false` opt-out for `exclude-newer-package` ([#​18768](https://redirect.github.com/astral-sh/uv/pull/18768), [#​18803](https://redirect.github.com/astral-sh/uv/pull/18803)) ### [`v0.11.2`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0112) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.11.1...0.11.2) Released on 2026-03-26. ##### Enhancements - Add a dedicated Windows PE editing error ([#​18710](https://redirect.github.com/astral-sh/uv/pull/18710)) - Make `uv self update` fetch the manifest from the mirror first ([#​18679](https://redirect.github.com/astral-sh/uv/pull/18679)) - Use uv reqwest client for self update ([#​17982](https://redirect.github.com/astral-sh/uv/pull/17982)) - Show `uv self update` success and failure messages with `--quiet` ([#​18645](https://redirect.github.com/astral-sh/uv/pull/18645)) ##### Preview features - Evaluate extras and groups when determining auditable packages ([#​18511](https://redirect.github.com/astral-sh/uv/pull/18511)) ##### Bug fixes - Skip redundant project configuration parsing for `uv run` ([#​17890](https://redirect.github.com/astral-sh/uv/pull/17890)) ### [`v0.11.1`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0111) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.11.0...0.11.1) Released on 2026-03-24. ##### Bug fixes - Add missing hash verification for `riscv64gc-unknown-linux-musl` ([#​18686](https://redirect.github.com/astral-sh/uv/pull/18686)) - Fallback to direct download when direct URL streaming is unsupported ([#​18688](https://redirect.github.com/astral-sh/uv/pull/18688)) - Revert treating 'Dynamic' values as case-insensitive ([#​18692](https://redirect.github.com/astral-sh/uv/pull/18692)) - Remove torchdata from list of packages to source from the PyTorch index ([#​18703](https://redirect.github.com/astral-sh/uv/pull/18703)) - Special-case `==` Python version request ranges ([#​9697](https://redirect.github.com/astral-sh/uv/pull/9697)) ##### Documentation - Cover `--python <dir>` in "Using arbitrary Python environments" ([#​6457](https://redirect.github.com/astral-sh/uv/pull/6457)) - Fix version annotations for `PS_MODULE_PATH` and `UV_WORKING_DIR` ([#​18691](https://redirect.github.com/astral-sh/uv/pull/18691)) ### [`v0.11.0`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0110) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.12...0.11.0) Released on 2026-03-23. ##### Breaking changes This release includes changes to the networking stack used by uv. While we think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so we have marked the change as breaking out of an abundance of caution. The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to [v0.13](https://seanmonstar.com/blog/reqwest-v013-rustls-default/) which included some breaking changes to TLS certificate verification. The following changes are included: - [`rustls-platform-verifier`](https://redirect.github.com/rustls/rustls-platform-verifier) is used instead of [`rustls-native-certs`](https://redirect.github.com/rustls/rustls-native-certs) and [`webpki`](https://redirect.github.com/rustls/webpki) for certificate verification **This change should have no effect unless you are using the `native-tls` option to enable reading system certificates.** `rustls-platform-verifier` delegates to the system for certificate validation (e.g., `Security.framework` on macOS) instead of eagerly loading certificates from the system and verifying them via `webpki`. The effects of this change will vary based on the operating system. In general, uv's certificate validation should now be more consistent with browsers and other native applications. However, this is the most likely cause of breaking changes in this release. Some previously failing certificate chains may succeed, and some previously accepted certificate chains may fail. In either case, we expect the validation to be more correct and welcome reports of regressions. In particular, because more responsibility for validating the certificate is transferred to your system's security library, some features like [CA constraints](https://support.apple.com/en-us/103255) or [revocation of certificates](https://en.wikipedia.org/wiki/Certificate_revocation) via OCSP and CRLs may now be used. This change should improve performance when using system certificate on macOS, as uv no longer needs to load all certificates from the keychain at startup. - [`aws-lc`](https://redirect.github.com/aws/aws-lc) is used instead of `ring` for a cryptography backend There should not be breaking changes from this change. We expect this to expand support for certificate signature algorithms. - `--native-tls` is deprecated in favor of a new `--system-certs` flag The `--native-tls` flag is still usable and has identical behavior to `--system-certs.` This change was made to reduce confusion about the TLS implementation uv uses. uv always uses `rustls` not `native-tls`. - Building uv on x86-64 and i686 Windows requires NASM NASM is required by `aws-lc`. If not found on the system, a prebuilt blob provided by `aws-lc-sys` will be used. If you are not building uv from source, this change has no effect. See the [CONTRIBUTING](https://redirect.github.com/astral-sh/uv/blob/b6854d77bfd0cb78157fecaf8b30126c6f16bc11/CONTRIBUTING.md#setup) guide for details. - Empty `SSL_CERT_FILE` values are ignored (for consistency with `SSL_CERT_DIR`) See [#​18550](https://redirect.github.com/astral-sh/uv/pull/18550) for details. ##### Python - Enable frame pointers for improved profiling on Linux x86-64 and aarch64 See the [python-build-standalone release notes](https://redirect.github.com/astral-sh/python-build-standalone/releases/20260320) for details. ##### Enhancements - Treat 'Dynamic' values as case-insensitive ([#​18669](https://redirect.github.com/astral-sh/uv/pull/18669)) - Use a dedicated error for invalid cache control headers ([#​18657](https://redirect.github.com/astral-sh/uv/pull/18657)) - Enable checksum verification in the generated installer script ([#​18625](https://redirect.github.com/astral-sh/uv/pull/18625)) ##### Preview features - Add `--service-format` and `--service-url` to `uv audit` ([#​18571](https://redirect.github.com/astral-sh/uv/pull/18571)) ##### Performance - Avoid holding flat index lock across indexes ([#​18659](https://redirect.github.com/astral-sh/uv/pull/18659)) ##### Bug fixes - Find the dynamic linker on the file system when sniffing binaries fails ([#​18457](https://redirect.github.com/astral-sh/uv/pull/18457)) - Fix export of conflicting workspace members with dependencies ([#​18666](https://redirect.github.com/astral-sh/uv/pull/18666)) - Respect installed settings in `uv tool list --outdated` ([#​18586](https://redirect.github.com/astral-sh/uv/pull/18586)) - Treat paths originating as PEP 508 URLs which contain expanded variables as relative ([#​18680](https://redirect.github.com/astral-sh/uv/pull/18680)) - Fix `uv export` for workspace member packages with conflicts ([#​18635](https://redirect.github.com/astral-sh/uv/pull/18635)) - Continue to alternative authentication providers when the pyx store has no token ([#​18425](https://redirect.github.com/astral-sh/uv/pull/18425)) - Use redacted URLs for log messages in cached client ([#​18599](https://redirect.github.com/astral-sh/uv/pull/18599)) ##### Documentation - Add details on Linux versions to the platform policy ([#​18574](https://redirect.github.com/astral-sh/uv/pull/18574)) - Clarify `FLASH_ATTENTION_SKIP_CUDA_BUILD` guidance for `flash-attn` installs ([#​18473](https://redirect.github.com/astral-sh/uv/pull/18473)) - Split the dependency bots page into two separate pages ([#​18597](https://redirect.github.com/astral-sh/uv/pull/18597)) - Split the alternative indexes page into separate pages ([#​18607](https://redirect.github.com/astral-sh/uv/pull/18607)) ### [`v0.10.12`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01012) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.11...0.10.12) Released on 2026-03-19. ##### Python - Add pypy 3.11.15 ([#​18468](https://redirect.github.com/astral-sh/uv/pull/18468)) - Add support for using Python 3.6 interpreters ([#​18454](https://redirect.github.com/astral-sh/uv/pull/18454)) ##### Enhancements - Include uv's target triple in version report ([#​18520](https://redirect.github.com/astral-sh/uv/pull/18520)) - Allow comma separated values in `--no-emit-package` ([#​18565](https://redirect.github.com/astral-sh/uv/pull/18565)) ##### Preview features - Show `uv audit` in the CLI help ([#​18540](https://redirect.github.com/astral-sh/uv/pull/18540)) ##### Bug fixes - Improve reporting of managed interpreter symlinks in `uv python list` ([#​18459](https://redirect.github.com/astral-sh/uv/pull/18459)) - Preserve end-of-line comments on previous entries when removing dependencies ([#​18557](https://redirect.github.com/astral-sh/uv/pull/18557)) - Treat abi3 wheel Python version as a lower bound ([#​18536](https://redirect.github.com/astral-sh/uv/pull/18536)) - Detect hard-float support on aarch64 kernels running armv7 userspace ([#​18530](https://redirect.github.com/astral-sh/uv/pull/18530)) ##### Documentation - Add Python 3.15 to supported versions ([#​18552](https://redirect.github.com/astral-sh/uv/pull/18552)) - Adjust the PyPy note ([#​18548](https://redirect.github.com/astral-sh/uv/pull/18548)) - Move Pyodide to Tier 2 in the Python support policy ([#​18561](https://redirect.github.com/astral-sh/uv/pull/18561)) - Move Rust and Python version support out of the Platform support policy ([#​18535](https://redirect.github.com/astral-sh/uv/pull/18535)) - Update Docker guide with changes from `uv-docker-example` ([#​18558](https://redirect.github.com/astral-sh/uv/pull/18558)) - Update the Python version policy ([#​18559](https://redirect.github.com/astral-sh/uv/pull/18559)) ### [`v0.10.11`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01011) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.10...0.10.11) Released on 2026-03-16. ##### Enhancements - Fetch Ruff release metadata from an Astral mirror ([#​18358](https://redirect.github.com/astral-sh/uv/pull/18358)) - Use PEP 639 license metadata for uv itself ([#​16477](https://redirect.github.com/astral-sh/uv/pull/16477)) ##### Performance - Improve distribution id performance ([#​18486](https://redirect.github.com/astral-sh/uv/pull/18486)) ##### Bug fixes - Allow `--project` to refer to a `pyproject.toml` directly and reduce to a warning on other files ([#​18513](https://redirect.github.com/astral-sh/uv/pull/18513)) - Disable `SYSTEM_VERSION_COMPAT` when querying interpreters on macOS ([#​18452](https://redirect.github.com/astral-sh/uv/pull/18452)) - Enforce available distributions for supported environments ([#​18451](https://redirect.github.com/astral-sh/uv/pull/18451)) - Fix `uv sync --active` recreating active environments when `UV_PYTHON_INSTALL_DIR` is relative ([#​18398](https://redirect.github.com/astral-sh/uv/pull/18398)) ##### Documentation - Add missing `-o requirements.txt` in `uv pip compile` example ([#​12308](https://redirect.github.com/astral-sh/uv/pull/12308)) - Link to organization security policy ([#​18449](https://redirect.github.com/astral-sh/uv/pull/18449)) - Link to the AI policy in the contributing guide ([#​18448](https://redirect.github.com/astral-sh/uv/pull/18448)) ### [`v0.10.10`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01010) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.9...0.10.10) Released on 2026-03-13. ##### Python - Add CPython 3.15.0a7 ([#​18403](https://redirect.github.com/astral-sh/uv/pull/18403)) ##### Enhancements - Add `--outdated` flag to `uv tool list` ([#​18318](https://redirect.github.com/astral-sh/uv/pull/18318)) - Add riscv64 musl target to build-release-binaries workflow ([#​18228](https://redirect.github.com/astral-sh/uv/pull/18228)) - Fetch Ruff from an Astral mirror ([#​18286](https://redirect.github.com/astral-sh/uv/pull/18286)) - Improve error handling for platform detection in Python downloads ([#​18453](https://redirect.github.com/astral-sh/uv/pull/18453)) - Warn if `--project` directory does not exist ([#​17714](https://redirect.github.com/astral-sh/uv/pull/17714)) - Warn when workspace member scripts are skipped due to missing build system ([#​18389](https://redirect.github.com/astral-sh/uv/pull/18389)) - Update build backend versions used in `uv init` ([#​18417](https://redirect.github.com/astral-sh/uv/pull/18417)) - Log explicit config file path in verbose output ([#​18353](https://redirect.github.com/astral-sh/uv/pull/18353)) - Make `uv cache clear` an alias of `uv cache clean` ([#​18420](https://redirect.github.com/astral-sh/uv/pull/18420)) - Reject invalid classifiers, warn on license classifiers in `uv_build` ([#​18419](https://redirect.github.com/astral-sh/uv/pull/18419)) ##### Preview features - Add links to `uv audit` output ([#​18392](https://redirect.github.com/astral-sh/uv/pull/18392)) - Output/report formatting for `uv audit` ([#​18193](https://redirect.github.com/astral-sh/uv/pull/18193)) - Switch to batched OSV queries for `uv audit` ([#​18394](https://redirect.github.com/astral-sh/uv/pull/18394)) ##### Bug fixes - Avoid sharing version metadata across indexes ([#​18373](https://redirect.github.com/astral-sh/uv/pull/18373)) - Bump zlib-rs to 0.6.2 to fix panic on decompression of large wheels on Windows ([#​18362](https://redirect.github.com/astral-sh/uv/pull/18362)) - Filter out unsupported environment wheels ([#​18445](https://redirect.github.com/astral-sh/uv/pull/18445)) - Preserve absolute/relative paths in lockfiles ([#​18176](https://redirect.github.com/astral-sh/uv/pull/18176)) - Recreate Python environments under `uv tool install --force` ([#​18399](https://redirect.github.com/astral-sh/uv/pull/18399)) - Respect timestamp and other cache keys in cached environments ([#​18396](https://redirect.github.com/astral-sh/uv/pull/18396)) - Simplify selected extra markers in `uv export` ([#​18433](https://redirect.github.com/astral-sh/uv/pull/18433)) - Send pyx mint-token requests with a proper `Content-Type` ([#​18334](https://redirect.github.com/astral-sh/uv/pull/18334)) - Fix Windows operating system and version reporting ([#​18383](https://redirect.github.com/astral-sh/uv/pull/18383)) ##### Documentation - Update the platform support policy with a tier 3 section including freebsd and 32-bit windows ([#​18345](https://redirect.github.com/astral-sh/uv/pull/18345)) ### [`v0.10.9`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0109) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.8...0.10.9) Released on 2026-03-06. ##### Enhancements - Add `fbgemm-gpu`, `fbgemm-gpu-genai`, `torchrec`, and `torchtune` to the PyTorch list ([#​18338](https://redirect.github.com/astral-sh/uv/pull/18338)) - Add torchcodec to PyTorch List ([#​18336](https://redirect.github.com/astral-sh/uv/pull/18336)) - Log the duration we took before erroring ([#​18231](https://redirect.github.com/astral-sh/uv/pull/18231)) - Warn when using `uv_build` settings without `uv_build` ([#​15750](https://redirect.github.com/astral-sh/uv/pull/15750)) - Add fallback to `/usr/lib/os-release` on Linux system lookup failure ([#​18349](https://redirect.github.com/astral-sh/uv/pull/18349)) - Use `cargo auditable` to include SBOM in uv builds ([#​18276](https://redirect.github.com/astral-sh/uv/pull/18276)) ##### Configuration - Add an environment variable for `UV_VENV_RELOCATABLE` ([#​18331](https://redirect.github.com/astral-sh/uv/pull/18331)) ##### Performance - Avoid toml `Document` overhead ([#​18306](https://redirect.github.com/astral-sh/uv/pull/18306)) - Use a single global workspace cache ([#​18307](https://redirect.github.com/astral-sh/uv/pull/18307)) ##### Bug fixes - Continue on trampoline job assignment failures ([#​18291](https://redirect.github.com/astral-sh/uv/pull/18291)) - Handle the hard link limit gracefully instead of failing ([#​17699](https://redirect.github.com/astral-sh/uv/pull/17699)) - Respect build constraints for workspace members ([#​18350](https://redirect.github.com/astral-sh/uv/pull/18350)) - Revalidate editables and other dependencies in scripts ([#​18328](https://redirect.github.com/astral-sh/uv/pull/18328)) - Support Python 3.13+ on Android ([#​18301](https://redirect.github.com/astral-sh/uv/pull/18301)) - Support `cp3-none-any` ([#​17064](https://redirect.github.com/astral-sh/uv/pull/17064)) - Skip tool environments with broken links to Python on Windows ([#​17176](https://redirect.github.com/astral-sh/uv/pull/17176)) ##### Documentation - Add documentation for common marker values ([#​18327](https://redirect.github.com/astral-sh/uv/pull/18327)) - Improve documentation on virtual dependencies ([#​18346](https://redirect.github.com/astral-sh/uv/pull/18346)) ### [`v0.10.8`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0108) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.7...0.10.8) Released on 2026-03-03. ##### Python - Add CPython 3.10.20 - Add CPython 3.11.15 - Add CPython 3.12.13 ##### Enhancements - Add Docker images based on Docker Hardened Images ([#​18247](https://redirect.github.com/astral-sh/uv/pull/18247)) - Add resolver hint when `--exclude-newer` filters out all versions of a package ([#​18217](https://redirect.github.com/astral-sh/uv/pull/18217)) - Configure a real retry minimum delay of 1s ([#​18201](https://redirect.github.com/astral-sh/uv/pull/18201)) - Expand `uv_build` direct build compatibility ([#​17902](https://redirect.github.com/astral-sh/uv/pull/17902)) - Fetch CPython from an Astral mirror by default ([#​18207](https://redirect.github.com/astral-sh/uv/pull/18207)) - Download uv releases from an Astral mirror in installers by default ([#​18191](https://redirect.github.com/astral-sh/uv/pull/18191)) - Add SBOM attestations to Docker images ([#​18252](https://redirect.github.com/astral-sh/uv/pull/18252)) - Improve hint for installing meson-python when missing as build backend ([#​15826](https://redirect.github.com/astral-sh/uv/pull/15826)) ##### Configuration - Add `UV_INIT_BARE` environment variable for `uv init` ([#​18210](https://redirect.github.com/astral-sh/uv/pull/18210)) ##### Bug fixes - Prevent `uv tool upgrade` from installing excluded dependencies ([#​18022](https://redirect.github.com/astral-sh/uv/pull/18022)) - Promote authentication policy when saving tool receipts ([#​18246](https://redirect.github.com/astral-sh/uv/pull/18246)) - Respect exclusions in scripts ([#​18269](https://redirect.github.com/astral-sh/uv/pull/18269)) - Retain default-branch Git SHAs in `pylock.toml` files ([#​18227](https://redirect.github.com/astral-sh/uv/pull/18227)) - Skip installed Python check for URL dependencies ([#​18211](https://redirect.github.com/astral-sh/uv/pull/18211)) - Respect constraints during `--upgrade` ([#​18226](https://redirect.github.com/astral-sh/uv/pull/18226)) - Fix `uv tree` orphaned roots and premature deduplication ([#​17212](https://redirect.github.com/astral-sh/uv/pull/17212)) ##### Documentation - Mention cooldown and tweak inline script metadata in dependency bots documentation ([#​18230](https://redirect.github.com/astral-sh/uv/pull/18230)) - Move cache prune in GitLab to `after_script` ([#​18206](https://redirect.github.com/astral-sh/uv/pull/18206)) ### [`v0.10.7`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0107) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.6...0.10.7) Released on 2026-02-27. ##### Bug fixes - Fix handling of junctions in Windows Containers on Windows ([#​18192](https://redirect.github.com/astral-sh/uv/pull/18192)) ##### Enhancements - Activate logging for middleware retries ([#​18200](https://redirect.github.com/astral-sh/uv/pull/18200)) - Upload uv releases to a mirror ([#​18159](https://redirect.github.com/astral-sh/uv/pull/18159)) ### [`v0.10.6`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0106) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.5...0.10.6) Released on 2026-02-24. ##### Bug fixes - Apply lockfile marker normalization for fork markers ([#​18116](https://redirect.github.com/astral-sh/uv/pull/18116)) - Fix Python version selection for scripts with a `requires-python` conflicting with `.python-version` ([#​18097](https://redirect.github.com/astral-sh/uv/pull/18097)) - Preserve file permissions when using reflinks on Linux ([#​18187](https://redirect.github.com/astral-sh/uv/pull/18187)) ##### Documentation - Remove verbose documentation from optional dependencies help text ([#​18180](https://redirect.github.com/astral-sh/uv/pull/18180)) ### [`v0.10.5`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0105) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.4...0.10.5) Released on 2026-02-23. ##### Enhancements - Add hint when named index is found in a parent config file ([#​18087](https://redirect.github.com/astral-sh/uv/pull/18087)) - Add warning for `uv lock --frozen` ([#​17859](https://redirect.github.com/astral-sh/uv/pull/17859)) - Attempt to use reflinks by default on Linux ([#​18117](https://redirect.github.com/astral-sh/uv/pull/18117)) - Fallback to hardlinks after reflink failure before copying ([#​18104](https://redirect.github.com/astral-sh/uv/pull/18104)) - Filter `pylock.toml` wheels by tags and `requires-python` ([#​18081](https://redirect.github.com/astral-sh/uv/pull/18081)) - Validate wheel filenames are normalized during `uv publish` ([#​17783](https://redirect.github.com/astral-sh/uv/pull/17783)) - Fix message when `exclude-newer` invalidates the lock file ([#​18100](https://redirect.github.com/astral-sh/uv/pull/18100)) - Change the missing files log level to debug ([#​18075](https://redirect.github.com/astral-sh/uv/pull/18075)) ##### Performance - Improve performance of repeated conflicts with an extra ([#​18094](https://redirect.github.com/astral-sh/uv/pull/18094)) ##### Bug fixes - Fix `--no-emit-workspace` with `--all-packages` on single-member workspaces ([#​18098](https://redirect.github.com/astral-sh/uv/pull/18098)) - Fix `UV_NO_DEFAULT_GROUPS` rejecting truthy values like `1` ([#​18057](https://redirect.github.com/astral-sh/uv/pull/18057)) - Fix iOS detection ([#​17973](https://redirect.github.com/astral-sh/uv/pull/17973)) - Propagate project-level conflicts to package extras ([#​18096](https://redirect.github.com/astral-sh/uv/pull/18096)) - Use a global build concurrency semaphore ([#​18054](https://redirect.github.com/astral-sh/uv/pull/18054)) ##### Documentation - Update documentation heading for environment variable files ([#​18122](https://redirect.github.com/astral-sh/uv/pull/18122)) - Fix comment about `uv export` formats ([#​17900](https://redirect.github.com/astral-sh/uv/pull/17900)) - Make it clear that Windows is supported in user- and system- level configuration docs ([#​18106](https://redirect.github.com/astral-sh/uv/pull/18106)) ### [`v0.10.4`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0104) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.3...0.10.4) Released on 2026-02-17. ##### Enhancements - Remove duplicate references to the affected paths when showing `uv python` errors ([#​18008](https://redirect.github.com/astral-sh/uv/pull/18008)) - Skip discovery of workspace members that contain only git-ignored files, including in sub-directories ([#​18051](https://redirect.github.com/astral-sh/uv/pull/18051)) ##### Bug fixes - Don't panic when initialising a package at the filesystem root (e.g. `uv init / --name foo`) ([#​17983](https://redirect.github.com/astral-sh/uv/pull/17983)) - Fix permissions on `wheel` and `sdist` files produced by the `uv_build` build backend ([#​18020](https://redirect.github.com/astral-sh/uv/pull/18020)) - Revert locked file change to fix locked files on NFS mounts ([#​18071](https://redirect.github.com/astral-sh/uv/pull/18071)) ### [`v0.10.3`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0103) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.2...0.10.3) Released on 2026-02-16. ##### Python - Add CPython 3.15.0a6 ##### Enhancements - Don't open file locks for writing ([#​17956](https://redirect.github.com/astral-sh/uv/pull/17956)) - Make Windows trampoline error messages consistent with uv proper ([#​17969](https://redirect.github.com/astral-sh/uv/pull/17969)) - Log which preview features are enabled ([#​17968](https://redirect.github.com/astral-sh/uv/pull/17968)) ##### Preview features - Add support for ruff version constraints and `exclude-newer` in `uv format` ([#​17651](https://redirect.github.com/astral-sh/uv/pull/17651)) - Fix script path handling when `target-workspace-discovery` is enabled ([#​17965](https://redirect.github.com/astral-sh/uv/pull/17965)) - Use version constraints to select the default ruff version used by `uv format` ([#​17977](https://redirect.github.com/astral-sh/uv/pull/17977)) ##### Bug fixes - Avoid matching managed Python versions by prefixes, e.g. don't match CPython 3.10 when `cpython-3.1` is specified ([#​17972](https://redirect.github.com/astral-sh/uv/pull/17972)) - Fix handling of `--allow-existing` with minor version links on Windows ([#​17978](https://redirect.github.com/astral-sh/uv/pull/17978)) - Fix panic when encountering unmanaged workspace members ([#​17974](https://redirect.github.com/astral-sh/uv/pull/17974)) - Improve accuracy of request timing ([#​18007](https://redirect.github.com/astral-sh/uv/pull/18007)) - Reject `u64::MAX` in version segments to prevent overflow ([#​17985](https://redirect.github.com/astral-sh/uv/pull/17985)) ##### Documentation - Reference Debian Trixie instead of Bookworm ([#​17991](https://redirect.github.com/astral-sh/uv/pull/17991)) ### [`v0.10.2`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0102) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.1...0.10.2) Released on 2026-02-10. ##### Enhancements - Deprecate unexpected ZIP compression methods ([#​17946](https://redirect.github.com/astral-sh/uv/pull/17946)) ##### Bug fixes - Fix `cargo-install` failing due to missing `uv-test` dependency ([#​17954](https://redirect.github.com/astral-sh/uv/pull/17954)) ### [`v0.10.1`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01012) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.10.0...0.10.1) Released on 2026-03-19. ##### Python - Add pypy 3.11.15 ([#​18468](https://redirect.github.com/astral-sh/uv/pull/18468)) - Add support for using Python 3.6 interpreters ([#​18454](https://redirect.github.com/astral-sh/uv/pull/18454)) ##### Enhancements - Include uv's target triple in version report ([#​18520](https://redirect.github.com/astral-sh/uv/pull/18520)) - Allow comma separated values in `--no-emit-package` ([#​18565](https://redirect.github.com/astral-sh/uv/pull/18565)) ##### Preview features - Show `uv audit` in the CLI help ([#​18540](https://redirect.github.com/astral-sh/uv/pull/18540)) ##### Bug fixes - Improve reporting of managed interpreter symlinks in `uv python list` ([#​18459](https://redirect.github.com/astral-sh/uv/pull/18459)) - Preserve end-of-line comments on previous entries when removing dependencies ([#​18557](https://redirect.github.com/astral-sh/uv/pull/18557)) - Treat abi3 wheel Python version as a lower bound ([#​18536](https://redirect.github.com/astral-sh/uv/pull/18536)) - Detect hard-float support on aarch64 kernels running armv7 userspace ([#​18530](https://redirect.github.com/astral-sh/uv/pull/18530)) ##### Documentation - Add Python 3.15 to supported versions ([#​18552](https://redirect.github.com/astral-sh/uv/pull/18552)) - Adjust the PyPy note ([#​18548](https://redirect.github.com/astral-sh/uv/pull/18548)) - Move Pyodide to Tier 2 in the Python support policy ([#​18561](https://redirect.github.com/astral-sh/uv/pull/18561)) - Move Rust and Python version support out of the Platform support policy ([#​18535](https://redirect.github.com/astral-sh/uv/pull/18535)) - Update Docker guide with changes from `uv-docker-example` ([#​18558](https://redirect.github.com/astral-sh/uv/pull/18558)) - Update the Python version policy ([#​18559](https://redirect.github.com/astral-sh/uv/pull/18559)) ### [`v0.10.0`](https://redirect.github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0100) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.9.30...0.10.0) Since we released uv [0.9.0](https://redirect.github.com/astral-sh/uv/releases/tag/0.9.0) in October of 2025, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes. This release also includes the stabilization of preview features. Python upgrades are now stable, including the `uv python upgrade` command, `uv python install --upgrade`, and automatically upgrading Python patch versions in virtual environments when a new version is installed. The `add-bounds` and `extra-build-dependencies` settings are now stable. Finally, the `uv workspace dir` and `uv workspace list` utilities for writing scripts against workspace members are now stable. There are no breaking changes to [`uv_build`](https://docs.astral.sh/uv/concepts/build-backend/). If you have an upper bound in your `[build-system]` table, you should update it, e.g., from `<0.10.0` to `<0.11.0`. ##### Breaking changes - **Require `--clear` to remove existing virtual environments in `uv venv`** ([#​17757](https://redirect.github.com/astral-sh/uv/pull/17757)) Previously, `uv venv` would prompt for confirmation before removing an existing virtual environment in interactive contexts, and remove it without confirmation in non-interactive contexts. Now, `uv venv` requires the `--clear` flag to remove an existing virtual environment. A warning for this change was added in [uv 0.8](https://redirect.github.com/astral-sh/uv/blob/main/changelogs/0.8.x.md#breaking-changes). You can opt out of this behavior by passing the `--clear` flag or setting `UV_VENV_CLEAR=1`. - **Error if multiple indexes include `default = true`** ([#​17011](https://redirect.github.com/astral-sh/uv/pull/17011)) Previously, uv would silently accept multiple indexes with `default = true` and use the first one. Now, uv will error if multiple indexes are marked as the default. You cannot opt out of this behavior. Remove `default = true` from all but one index. - **Error when an `explicit` index is unnamed** ([#​17777](https://redirect.github.com/astral-sh/uv/pull/17777)) Explicit indexes can only be used via the `[tool.uv.sources]` table, which requires referencing the index by name. Previously, uv would silently accept unnamed explicit indexes, which could never be referenced. Now, uv will error if an explicit index does not have a name. You cannot opt out of this behavior. Add a `name` to the explicit index or remove the entry. - **Install alternative Python executables using their implementation name** ([#​17756](https://redirect.github.com/astral-sh/uv/pull/17756), [#​17760](https://redirect.github.com/astral-sh/uv/pull/17760)) Previously, `uv python install` would install PyPy, GraalPy, and Pyodide executables with names like `python3.10` into the bin directory. Now, these executables will be named using their implementation name, e.g., `pypy3.10`, `graalpy3.10`, and `pyodide3.12`, to avoid conflicting with CPython installations. You cannot opt out of this behavior. - **Respect global Python version pins in `uv tool run` and `uv tool install`** ([#​14112](https://redirect.github.com/astral-sh/uv/pull/14112)) Previously, `uv tool run` and `uv tool install` did not respect the global Python version pin (set via `uv python pin --global`). Now, these commands will use the global Python version when no explicit version is requested. For `uv tool install`, if the tool is already installed, the Python version will not change unless `--reinstall` or `--python` is provided. If the tool was previously installed with an explicit `--python` flag, the global pin will not override it. You can opt out of this behavior by providing an explicit `--python` flag. - **Remove Debian Bookworm, Alpine 3.21, and Python 3.8 Docker images** ([#​17755](https://redirect.github.com/astral-sh/uv/pull/17755)) The Debian Bookworm and Alpine 3.21 images were replaced by Debian Trixie and Alpine 3.22 as defaults in [uv 0.9](https://redirect.github.com/astral-sh/uv/pull/15352). These older images are now removed. Python 3.8 images are also removed, as Python 3.8 is no longer supported in the Trixie or Alpine base images. The following image tags are no longer published: - `uv:bookworm`, `uv:bookworm-slim` - `uv:alpine3.21` - `uv:python3.8-*` Use `uv:debian` or `uv:trixie` instead of `uv:bookworm`, `uv:alpine` or `uv:alpine3.22` instead of `uv:alpine3.21`, and a newer Python version instead of `uv:python3.8-*`. - **Drop PPC64 (big endian) builds** ([#​17626](https://redirect.github.com/astral-sh/uv/pull/17626)) uv no longer provides pre-built binaries for PPC64 (big endian). This platform appears to be largely unused and is only supported on a single manylinux version. PPC64LE (little endian) builds are unaffected. Building uv from source is still supported for this platform. - **Skip generating `activate.csh` for relocatable virtual environments** ([#​17759](https://redirect.github.com/astral-sh/uv/pull/17759)) Previously, `uv venv --relocatable` would generate an `activate.csh` script that contained hardcoded paths, making it incompatible with relocation. Now, the `activate.csh` script is not generated for relocatable virtual environments. You cannot opt out of this behavior. - **Require username when multiple credentials match a URL** ([#​16983](https://redirect.github.com/astral-sh/uv/pull/16983)) When using `uv auth login` to store credentials, you can register multiple username and password combinations for the same host. Previously, when uv needed to authenticate and multiple credentials matched the URL (e.g., when retrieving a token with `uv auth token`), uv would pick the first match. Now, uv will error instead. You cannot opt out of this behavior. Include the username in the request, e.g., `uv auth token --username foo example.com`. - **Avoid invalidating the lockfile versions after an `exclude-newer` change** ([#​17721](https://redirect.github.com/astral-sh/uv/pull/17721)) Previously, changing the `exclude-newer` setting would cause package versions to be upgraded, ignoring the lockfile entirely. Now, uv will only change package versions if they are no longer within the `exclude-newer` range. You can restore the previous behavior by using `--upgrade` or `--upgrade-package` to opt-in to package version changes. - **Upgrade `uv format` to Ruff 0.15.0** ([#​17838](https://redirect.github.com/astral-sh/uv/pull/17838)) `uv format` now uses [Ruff 0.15.0](https://redirect.github.com/astral-sh/ruff/releases/tag/0.15.0), which uses the [2026 style guide](https://astral.sh/blog/ruff-v0.15.0#the-ruff-2026-style-guide). See the blog post for details. The formatting of code is likely to change. You can opt out of this behavior by requesting an older Ruff version, e.g., `uv format --version 0.14.14`. - **Update uv crate test features to use `test-` as a prefix** ([#​17860](https://redirect.github.com/astral-sh/uv/pull/17860)) This change only affects redistributors of uv. The Cargo features used to gate test dependencies, e.g., `pypi`, have been renamed with a `test-` prefix for clarity, e.g., `test-pypi`. ##### Stabilizations - **`uv python upgrade` and `uv python install --upgrade`** ([#​17766](https://redirect.github.com/astral-sh/uv/pull/17766)) When installing Python versions, an [intermediary directory](https://docs.astral.sh/uv/concepts/python-versions/#minor-version-directories) without the patch version attached will be created, and virtual environments will be transparently upgraded to new patch versions. See the [Python version documentation](https://docs.astral.sh/uv/concepts/python-versions/#upgrading-python-versions) for more details. - **`uv add --bounds` and the `add-bounds` configuration option** ([#​17660](https://redirect.github.com/astral-sh/uv/pull/17660)) This does not come with any behavior changes. You will no longer see an experimental warning when using `uv add --bounds` or `add-bounds` in configuration. - **`uv workspace list` and `uv workspace dir`** ([#​17768](https://redirect.github.com/astral-sh/uv/pull/17768)) This does not come with any behavior changes. You will no longer see an experimental warning when using these commands. - **`extra-build-dependencies`** ([#​17767](https://redirect.github.com/astral-sh/uv/pull/17767)) This does not come with any behavior changes. You will no longer see an experimental warning when using `extra-build-dependencies` in configuration. ##### Enhancements - Improve ABI tag error message phrasing ([#​17878](https://redirect.github.com/astral-sh/uv/pull/17878)) - Introduce a 10s connect timeout ([#​17733](https://redirect.github.com/astral-sh/uv/pull/17733)) - Allow using `pyx.dev` as a target in `uv auth` commands despite `PYX_API_URL` differing ([#​17856](https://redirect.github.com/astral-sh/uv/pull/17856)) ##### Bug fixes - Support all CPython ABI tag suffixes properly ([#​17817](https://redirect.github.com/astral-sh/uv/pull/17817)) - Add support for detecting PowerShell on Linux and macOS ([#​17870](https://redirect.github.com/astral-sh/uv/pull/17870)) - Retry timeout errors for streams ([#​17875](https://redirect.github.com/astral-sh/uv/pull/17875)) ### [`v0.9.30`](https://redirect.github.com/astral-sh/uv/releases/tag/0.9.30) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.9.29...0.9.30) #### Release Notes Released on 2026-02-04. ##### Python - Add CPython 3.14.3 and 3.13.12 ([#​17849](https://redirect.github.com/astral-sh/uv/pull/17849)) ##### Enhancements - Allow comma-separated values for `--extra` option ([#​17525](https://redirect.github.com/astral-sh/uv/pull/17525)) - Check all files during a dry-run publish instead of stopping at the first failure ([#​17785](https://redirect.github.com/astral-sh/uv/pull/17785)) - Clarify `UV_HTTP_TIMEOUT` error message ([#​17493](https://redirect.github.com/astral-sh/uv/pull/17493)) ##### Preview features - Use relocatable virtual environments by default ([#​17770](https://redirect.github.com/astral-sh/uv/pull/17770)) ##### Bug fixes - Fix deadlock on token refresh in `uv publish` when using pyx ([#​17832](https://redirect.github.com/astral-sh/uv/pull/17832)) - Ignore global Python pins when incompatible with project ([#​15473](https://redirect.github.com/astral-sh/uv/pull/15473)) #### Install uv 0.9.30 ##### Install prebuilt binaries via shell script ```sh curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.30/uv-installer.sh | sh ``` ##### Install prebuilt binaries via powershell script ```sh powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.30/uv-installer.ps1 | iex" ``` #### Download uv 0.9.30 | File | Platform | Checksum | | --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | -------------------------------------------------------------------------------------------------------------------- | | [uv-aarch64-apple-darwin.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-apple-darwin.tar.gz) | Apple Silicon macOS | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-apple-darwin.tar.gz.sha256) | | [uv-x86\_64-apple-darwin.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-apple-darwin.tar.gz) | Intel macOS | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-apple-darwin.tar.gz.sha256) | | [uv-aarch64-pc-windows-msvc.zip](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-pc-windows-msvc.zip) | ARM64 Windows | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-pc-windows-msvc.zip.sha256) | | [uv-i686-pc-windows-msvc.zip](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-i686-pc-windows-msvc.zip) | x86 Windows | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-i686-pc-windows-msvc.zip.sha256) | | [uv-x86\_64-pc-windows-msvc.zip](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-pc-windows-msvc.zip) | x64 Windows | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-pc-windows-msvc.zip.sha256) | | [uv-aarch64-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-unknown-linux-gnu.tar.gz) | ARM64 Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-unknown-linux-gnu.tar.gz.sha256) | | [uv-i686-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-i686-unknown-linux-gnu.tar.gz) | x86 Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-i686-unknown-linux-gnu.tar.gz.sha256) | | [uv-powerpc64-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-powerpc64-unknown-linux-gnu.tar.gz) | PPC64 Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-powerpc64-unknown-linux-gnu.tar.gz.sha256) | | [uv-powerpc64le-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-powerpc64le-unknown-linux-gnu.tar.gz) | PPC64LE Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-powerpc64le-unknown-linux-gnu.tar.gz.sha256) | | [uv-riscv64gc-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-riscv64gc-unknown-linux-gnu.tar.gz) | RISCV Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-riscv64gc-unknown-linux-gnu.tar.gz.sha256) | | [uv-s390x-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-s390x-unknown-linux-gnu.tar.gz) | S390x Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-s390x-unknown-linux-gnu.tar.gz.sha256) | | [uv-x86\_64-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-unknown-linux-gnu.tar.gz) | x64 Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-unknown-linux-gnu.tar.gz.sha256) | | [uv-armv7-unknown-linux-gnueabihf.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-armv7-unknown-linux-gnueabihf.tar.gz) | ARMv7 Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-armv7-unknown-linux-gnueabihf.tar.gz.sha256) | | [uv-aarch64-unknown-linux-musl.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-unknown-linux-musl.tar.gz) | ARM64 MUSL Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-aarch64-unknown-linux-musl.tar.gz.sha256) | | [uv-i686-unknown-linux-musl.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-i686-unknown-linux-musl.tar.gz) | x86 MUSL Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-i686-unknown-linux-musl.tar.gz.sha256) | | [uv-x86\_64-unknown-linux-musl.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-unknown-linux-musl.tar.gz) | x64 MUSL Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-x86_64-unknown-linux-musl.tar.gz.sha256) | | [uv-arm-unknown-linux-musleabihf.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-arm-unknown-linux-musleabihf.tar.gz) | ARMv6 MUSL Linux (Hardfloat) | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-arm-unknown-linux-musleabihf.tar.gz.sha256) | | [uv-armv7-unknown-linux-musleabihf.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-armv7-unknown-linux-musleabihf.tar.gz) | ARMv7 MUSL Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.30/uv-armv7-unknown-linux-musleabihf.tar.gz.sha256) | #### Verifying GitHub Artifact Attestations The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the [GitHub CLI](https://cli.github.com/manual/gh_attestation_verify): ```sh gh attestation verify <file-path of downloaded artifact> --repo astral-sh/uv ``` You can also download the attestation from [GitHub](https://redirect.github.com/astral-sh/uv/attestations) and verify against that directly: ```sh gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation> ``` ### [`v0.9.29`](https://redirect.github.com/astral-sh/uv/releases/tag/0.9.29) [Compare Source](https://redirect.github.com/astral-sh/uv/compare/0.9.28...0.9.29) #### Release Notes Released on 2026-02-03. ##### Python - Update to Pyodide 0.29.3 ([#​17730](https://redirect.github.com/astral-sh/uv/pull/17730)) ##### Enhancements - Add wheel-tag-style aliases for manylinux platform names ([#​17750](https://redirect.github.com/astral-sh/uv/pull/17750)) - Hint on `uv version --bump dev` similar to pre-release bumps ([#​17796](https://redirect.github.com/astral-sh/uv/pull/17796)) - Improve display of RFC 9457 Problem Detail responses in `uv publish` server errors ([#​17787](https://redirect.github.com/astral-sh/uv/pull/17787)) - Improve the wording of publish errors during dry-run ([#​17782](https://redirect.github.com/astral-sh/uv/pull/17782)) - Set backoff to 10 retries ([#​17816](https://redirect.github.com/astral-sh/uv/pull/17816)) - Add properties to synthentic and project roots in Cyclone DX exports ([#​17820](https://redirect.github.com/astral-sh/uv/pull/17820)) - Identify the invidividual clients in `uv publish` trace logs ([#​17784](https://redirect.github.com/astral-sh/uv/pull/17784)) ##### Preview features - Remove special casing for `base` and `default` conda environment names ([#​17758](https://redirect.github.com/astral-sh/uv/pull/17758)) ##### Bug fixes - Fix `PYTHONHOME` inheritance when spawning different Python versions ([#​17821](https://redirect.github.com/astral-sh/uv/pull/17821)) - Fix wheel rejections on freethreading+debug builds ([#​17812](https://redirect.github.com/astral-sh/uv/pull/17812)) - Pad with zeros during comparisons in `EqualStar` and `NotEqualStar` operators ([#​17751](https://redirect.github.com/astral-sh/uv/pull/17751)) - Reject unknown field names in conflict declarations ([#​17727](https://redirect.github.com/astral-sh/uv/pull/17727)) - Fix panics in `system-configuration` in sandboxes ([#​17829](https://redirect.github.com/astral-sh/uv/pull/17829)) ##### Documentation - Update pip pre-release compatibility information ([#​17788](https://redirect.github.com/astral-sh/uv/pull/17788)) ##### Security - Hide a subset of environment variable values in `--help` ([#​17745](https://redirect.github.com/astral-sh/uv/pull/17745)) #### Install uv 0.9.29 ##### Install prebuilt binaries via shell script ```sh curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.29/uv-installer.sh | sh ``` ##### Install prebuilt binaries via powershell script ```sh powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.29/uv-installer.ps1 | iex" ``` #### Download uv 0.9.29 | File | Platform | Checksum | | --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | -------------------------------------------------------------------------------------------------------------------- | | [uv-aarch64-apple-darwin.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-aarch64-apple-darwin.tar.gz) | Apple Silicon macOS | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-aarch64-apple-darwin.tar.gz.sha256) | | [uv-x86\_64-apple-darwin.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-x86_64-apple-darwin.tar.gz) | Intel macOS | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-x86_64-apple-darwin.tar.gz.sha256) | | [uv-aarch64-pc-windows-msvc.zip](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-aarch64-pc-windows-msvc.zip) | ARM64 Windows | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-aarch64-pc-windows-msvc.zip.sha256) | | [uv-i686-pc-windows-msvc.zip](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-i686-pc-windows-msvc.zip) | x86 Windows | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-i686-pc-windows-msvc.zip.sha256) | | [uv-x86\_64-pc-windows-msvc.zip](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-x86_64-pc-windows-msvc.zip) | x64 Windows | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-x86_64-pc-windows-msvc.zip.sha256) | | [uv-aarch64-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-aarch64-unknown-linux-gnu.tar.gz) | ARM64 Linux | [checksum](https://redirect.github.com/astral-sh/uv/releases/download/0.9.29/uv-aarch64-unk Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…27230) ref https://linear.app/ghost/issue/BER-3484 Uses `crypto.randomBytes(6).toString('base64url')` which gives 48 bits of entropy encoded into 8 URL-safe characters
The shared Renovate preset groups many internal @TryGhost packages into a single broad PR. In practice that has made failures hard to diagnose: rendering and email changes, admin-facing utility updates, runtime plumbing, and test support packages all land together and a failure in one area blocks the rest. Split those internal packages into smaller non-overlapping groups so we can work through them independently. This should make it much easier to reopen and validate one logical lane at a time instead of carrying a single noisy tryghost-packages PR.
Preferring renovates default behaviour and squashing the maintainability warning from Sonar, as having renovate able to maintain these updates for us without noise is better/more maintainable for us in the long run.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )