stable

uv-0.5.5-2.fc40

FEDORA-2024-075f626765 created by music a week ago for Fedora 40

Update uv from 0.4.30 to 0.5.5. This is a significant update. Please see the following notes.


By updating to a current release of uv, this update fixes CVE-2024-53899, which was originally reported against virtualenv but which was also reproducible on uv 0.5.2 and earlier. See upstream issue #9424 for more details.


This update adds a default system-wide configuration file /etc/uv/uv.toml with settings specific to Fedora. The RPM-packaged uv now deviates from the default configuration in two ways.

First, we set "python-downloads" to "manual" in order to avoid unintended Python downloads. We suggest using RPM-packaged (system) Pythons that benefit from distribution maintenance and integration. Use uv python install to manually install managed Pythons.

Second, we set "python-preference" to "system" instead of "managed". Otherwise, any managed Python would be used for uv operations where no particular Python is specified, even if the only available managed Python were much older than the primary system Python.

No choices can be appropriate for all users and applications. To restore the default behavior, comment out settings in this file or override them in a configuration file with higher precedence, such as a user-level configuration file. See https://docs.astral.sh/uv/configuration/files/ for details on the interaction of project-, user-, and system-level configuration files.


With 0.5.0, uv introduced several potentially breaking changes. The developers write that these are “changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.”

  • Use base executable to set virtualenv Python path
  • Use XDG (i.e. ~/.local/bin) instead of the Cargo home directory in the installer
  • Discover and respect .python-version files in parent directories
  • Error when disallowed settings are defined in uv.toml
  • Implement PEP 440-compliant local version semantics
  • Treat the base Conda environment as a system environment
  • Do not allow pre-releases when the != operator is used
  • Prefer USERPROFILE over FOLDERID_Profile when selecting a home directory on Windows
  • Improve interactions between color environment variables and CLI options
  • Make allow-insecure-host a global option
  • Only write .python-version files during uv init for workspace members if the version differs

For detailed discussion of these changes, please see https://github.com/astral-sh/uv/releases/tag/0.5.0.

For other fixes, enhancements, and changes in this update, please consult the following:

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-075f626765

This update's test gating status has been changed to 'waiting'.

a week ago

This update's test gating status has been changed to 'ignored'.

a week ago

This update has been submitted for testing by bodhi.

a week ago

This update has been pushed to testing.

a week ago
music commented & provided feedback a week ago

Upstream pull request #9424 for Windows batch script activation turned out to be incorrect. For that reason, I’m going to modify this update with a fresh build, in which the backport of that PR is reverted. As long as I’m doing a new build, this will be uv-0.5.5, which came out just after I originally created this update.

music edited this update.

New build(s):

  • uv-0.5.5-2.fc40

Removed build(s):

  • uv-0.5.4-2.fc40

Karma has been reset.

a week ago

This update has been submitted for testing by music.

a week ago
music commented & provided feedback a week ago

This is, formally speaking, an incompatible update, although most users should not find it disruptive. The uv package has a permanent Updates Policy exception.

This update has been pushed to testing.

a week ago

This update has been submitted for stable by bodhi.

a day ago

This update has been pushed to stable.

19 hours ago


Metadata

  • Type: security
  • Severity: high
  • Karma: 0
  • Signed
  • Content Type: RPM
  • Test Gating

Autopush Settings

  • Unstable by Karma: -3
  • Stable by Karma: 3
  • Stable by Time: 7 days

Dates

  • submitted: a week ago
  • in testing: a week ago
  • in stable: 19 hours ago
  • modified: a week ago
  • approved: a day ago

  • BZ#2327512 uv-0.5.4 is available
  • BZ#2328745 CVE-2024-53899 uv: potential command injection via virtual environment activation scripts [fedora-40]
  • BZ#2329188 uv-0.5.5 is available
