chore(deps): update all non-major dependencies to v0.9.24

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
astral-sh/uv	uses-with	patch	0.9.21 → 0.9.24
ghcr.io/astral-sh/uv	final	patch	0.9.21 → 0.9.24

---

Release Notes

astral-sh/uv (astral-sh/uv)

v0.9.24

Compare Source

Released on 2026-01-09.

Bug fixes

• Fix handling of UV_NO_SYNC=1 uv run ... (#​17391)
• Rebuild dynamic distribution when version changes with --no-cache (#​17387)

Documentation

• Add Rust language classifier (#​17389)

v0.9.23

Compare Source

Released on 2026-01-09.

Enhancements

• Only write portable paths in RECORD files (#​17339)
• Support relative paths in UV_PYTHON_BIN_DIR and UV_TOOL_BIN_DIR (#​17367)

Preview features

• Enable uploads to S3 via pre-signed URLs (#​17349)

Configuration

• Allow setting proxy variables via global / user configuration (#​16918)
• Manually parse and reconcile Boolean environment variables (#​17321)

Bug fixes

• Avoid broken build artifacts on build failure (#​17276)
• Fix missing dependencies on synthetic root in SBOM export (#​17363)
• Recognize armv8l as an alias for armv7l in platform tag parsing (#​17384)
• Fix redaction of a URL in a middleware trace log (#​17346)

Documentation

• Add index.md suggestion to llms.txt (#​17362)
• Clarify that uv run uses inexact syncing by default (#​17366)

v0.9.22

Compare Source

Released on 2026-01-06.

Enhancements

• Use a dedicated error message when lockfile can't be found (#​17318)

Bug fixes

• Filter unusable wheels from the lockfile for more architectures (#​17317)
• Correctly count retries originating from early middleware errors (#​17274)

Documentation

• Clarify requirements file format in docs (#​17284)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Pull Request Review

Overview

This PR updates the uv package manager from version 0.9.21 to 0.9.24 across three files. This is an automated dependency update from Renovate.

Code Quality ✅

Positive aspects:

• Clean, minimal changes targeting only version numbers
• Consistent updates across all three locations (CI workflow, publish workflow, and Dockerfile)
• Follows the project's dependency management approach

Changes Analysis

The PR updates uv in three locations:

1. .github/workflows/ci.yml:17 - CI workflow uv version
2. .github/workflows/publish-client.yml:22 - Publish workflow uv version
3. Dockerfile:26 - Docker image uv binary version

Release Notes Summary

The update includes three patch releases (0.9.22, 0.9.23, 0.9.24) with the following notable changes:

v0.9.24 (2026-01-09):

• Fixed handling of UV_NO_SYNC=1 uv run ...
• Fixed dynamic distribution rebuild when version changes with --no-cache

v0.9.23 (2026-01-09):

• Portable paths in RECORD files
• Support for relative paths in UV_PYTHON_BIN_DIR and UV_TOOL_BIN_DIR
• S3 upload support via pre-signed URLs (preview feature)
• Proxy configuration via global/user config
• Fixed missing dependencies on synthetic root in SBOM export
• Fixed broken build artifacts on build failure

v0.9.22 (2026-01-06):

• Better error messages when lockfile can't be found
• Filtered unusable wheels from lockfile for more architectures

Potential Issues 🔍

No blocking issues identified, but consider:

1. Testing verification: The patch versions include bug fixes for build artifacts and lockfile handling. Ensure CI passes to verify no regressions with your specific setup.

2. Build cache implications: The fix for "broken build artifacts on build failure" (v0.9.23) could potentially affect Docker build caching behavior, though this should be positive.

3. Lockfile compatibility: While uv maintains backward compatibility, the lockfile filtering improvements might generate different lockfiles if regenerated. Your existing uv.lock should remain compatible.

Security Considerations ✅

• No security vulnerabilities identified in the release notes
• Patch updates from the same minor version (0.9.x) minimize breaking change risk
• Using official ghcr.io/astral-sh/uv container image and GitHub action

Performance Considerations ✅

• The "portable paths in RECORD files" change (v0.9.23) is a performance-neutral correctness improvement
• Wheel filtering improvements may slightly speed up dependency resolution
• No performance regressions expected

Test Coverage ✅

• No test changes needed (infrastructure-only update)
• CI will validate compatibility with existing test suite
• The project's comprehensive test suite (uv run cli test -- --cov) will catch any issues

Best Practices ✅

• Version pinning maintained (not using latest)
• All three locations updated consistently
• Follows semantic versioning (patch updates only)
• Automated dependency management via Renovate is a best practice

Recommendations

1. ✅ Approve and merge - This is a low-risk patch update with bug fixes and improvements
2. ✅ Monitor CI - Ensure all checks pass before auto-merge
3. ℹ️ Optional: Consider testing locally with uv run cli test -- --cov if you want extra confidence before merge

Conclusion

This is a clean, low-risk dependency update that brings bug fixes and improvements to the uv package manager. The changes are minimal, consistent, and follow best practices. No security or performance concerns identified.

Recommendation: APPROVE ✅

The automated merge should proceed once CI passes.