@renovate renovate bot commented Aug 7, 2025

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
uv (source, changelog) ==0.2.25 -> ==0.9.6 age confidence

GitHub Vulnerability Alerts

CVE-2025-54368

Impact

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers:

  1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
  2. An attacker could contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted by ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

  • To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
  • When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code; the victim would need to perform a separate invocation, e.g., python -c "import $package".
  • If a ZIP-based source distribution (which are less common than tarball source distributions) is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
  • The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI's backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.

Patches

Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.

Workarounds

Users are advised to upgrade to 0.8.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).

GHSA-w476-p2h3-79g9

Impact

In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a result, an attacker could contrive a source distribution (as a tar archive) that would extract differently when installed via uv versus other Python package installers.

The underlying parsing differential here originates with astral-tokio-tar, which disclosed this vulnerability as CVE-2025-62518.

In practice, the impact of this vulnerability is low: only source distributions can be formatted as tar archives, and source distributions execute arbitrary code at build/installation time by definition. Consequently, a parser differential in tar extraction is strictly less powerful than the capabilities already exposed to an attacker who has the ability to control source distributions.

However, this particular source of malleability in source distributions is unintentional and not operating by design, and therefore we consider it a vulnerability despite its overlap in capabilities with intended behavior.

Patches

Versions 0.9.5 and newer of uv address the vulnerability above. Users should upgrade to 0.9.5 or newer.

Workarounds

Users are advised to upgrade to version 0.9.5 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

References

  • See CVE-2025-62518 for the corresponding advisory against astral-tokio-tar

GHSA-pqhf-p39g-3x64

Impact

In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem:

  1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields were not present, since they aren't widely used. Consequently, a ZIP archive could be constructed where uv would interpret the contents of a central directory comment field as ZIP control structures (such as a new central directory entry), rather than skipping over them.
  2. Both local file entries and central directory entries contain filename fields, which are used to place archive members on disk. These fields are arbitrary sequences of bytes, and may therefore be invalid or ambiguous. For example, they may contain ASCII null bytes, in which case different ZIP extractors behave differently: Python's zipfile module truncates the filename at the first null, while uv would skip (not extract) any archive members whose filenames contained nulls. Because of this difference, a ZIP archive could be constructed that would extract differently across different Python package installers.

In both cases, the outcome is that an attacker may be able to produce a ZIP with a consistent digest that expands differently with different Python package installers.

Like with GHSA-8qf3-x8v5-2pj8, the impact of these differentials is limited by a number of factors:

  • To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv pip install $package or similar with an attacker-controlled $package.
  • When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code; the victim would need to perform a separate invocation, e.g., python -c "import $package".
  • If a ZIP-based source distribution (which are less common than tarball source distributions) is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.

Patches

Versions 0.9.6 and newer of uv address both of the parser differentials above, by properly handling comments in central directory entries and by refusing to process ZIPs that contain filename fields that are unlikely to be interpreted consistently across other ZIP parser implementations.

Workarounds

Users are advised to upgrade to 0.9.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was disclosed by Caleb Brown (Google).


Release Notes

astral-sh/uv (uv)

v0.9.6

Compare Source

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security
Python
Enhancements
  • Add --clear to uv build to remove old build artifacts (#​16371)
  • Add --no-create-gitignore to uv build (#​16369)
  • Do not error when a virtual environment directory cannot be removed due to a busy error (#​16394)
  • Improve hint on pip install --system when externally managed (#​16392)
  • Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#​16322)
  • Update uv init template for Maturin (#​16449)
  • Improve ordering of Python sources in logs (#​16463)
  • Restore DockerHub release images and annotations (#​16441)
Bug fixes
  • Check for matching Python implementation during uv python upgrade (#​16420)
  • Deterministically order --find-links distributions (#​16446)
  • Don't panic in uv export --frozen when the lockfile is outdated (#​16407)
  • Fix root of uv tree when --package is used with circular dependencies (#​15908)
  • Show package list with pip freeze --quiet (#​16491)
  • Limit uv auth login pyx.dev retries to 60s (#​16498)
  • Add an empty group with uv add --group ... -r ... (#​16490)
Documentation
  • Update docs for maturin build backend init template (#​16469)
  • Update docs to reflect previous changes to signal forwarding semantics (#​16430)
  • Add instructions for installing via MacPorts (#​16039)

v0.9.5

Compare Source

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due to its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: GHSA-w476-p2h3-79g9

Security
  • Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#​16387)
Enhancements
  • Add required environment marker example to hint (#​16244)
  • Fix typo in MissingTopLevel warning (#​16351)
  • Improve 403 Forbidden error message to indicate package may not exist (#​16353)
  • Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#​16318)
Bug fixes
  • Fix backtick escaping for PowerShell (#​16307)
Documentation
  • Document metadata consistency expectation (#​15683)
  • Remove outdated aarch64 musl note (#​16385)

v0.9.4

Compare Source

Released on 2025-10-17.

Enhancements
  • Add CUDA 13.0 support (#​16321)
  • Add auto-detection for Intel GPU on Windows (#​16280)
  • Implement display of RFC 9457 HTTP error contexts (#​16199)
Bug fixes
  • Avoid obfuscating pyx tokens in uv auth token output (#​16345)

v0.9.3

Compare Source

Released on 2025-10-14.

Python
  • Add CPython 3.15.0a1
  • Add CPython 3.13.9
Enhancements
  • Obfuscate secret token values in logs (#​16164)
Bug fixes
  • Fix workspace with relative pathing (#​16296)

v0.9.2

Compare Source

Released on 2025-10-10.

Python
  • Add CPython 3.9.24.
  • Add CPython 3.10.19.
  • Add CPython 3.11.14.
  • Add CPython 3.12.12.
Enhancements
  • Avoid inferring check URLs for pyx in uv publish (#​16234)
  • Add uv tool list --show-python (#​15814)
Documentation
  • Add missing "added in" to new environment variables in reference (#​16217)

v0.9.1

Compare Source

Released on 2025-12-16.

Enhancements
  • Add value hints to command line arguments to improve shell completion accuracy (#​17080)
  • Improve error handling in uv publish (#​17096)
  • Improve rendering of multiline error messages (#​17132)
  • Support redirects in uv publish (#​17130)
  • Include Docker images with the alpine version, e.g., python3.x-alpine3.23 (#​17100)
Configuration
  • Accept --torch-backend in [tool.uv] (#​17116)
Performance
Bug fixes
  • Avoid panics due to reads on failed requests (#​17098)
  • Enforce latest-version in @latest requests (#​17114)
  • Explicitly set EntryType for file entries in tar (#​17043)
  • Ignore pyproject.toml index username in lockfile comparison (#​16995)
  • Relax error when using uv add with UV_GIT_LFS set (#​17127)
  • Support file locks on ExFAT on macOS (#​17115)
  • Change schema for exclude-newer into optional string (#​17121)
Documentation
  • Drop arm musl caveat from Docker documentation (#​17111)
  • Fix version reference in resolver example (#​17085)
  • Better documentation for exclude-newer* (#​17079)

v0.9.0

Compare Source

Released on 2025-10-07.

This breaking release is primarily motivated by the release of Python 3.14, which contains some breaking changes (we recommend reading the "What's new in Python 3.14" page). uv may use Python 3.14 in cases where it previously used 3.13, e.g., if you have not pinned your Python version and do not have any Python versions installed on your machine. While we think this is uncommon, we prefer to be cautious. We've included some additional small changes that could break workflows.

See our Python 3.14 blog post for some discussion of features we're excited about!

There are no breaking changes to uv_build. If you have an upper bound in your [build-system] table, you should update it.

Breaking changes
  • Python 3.14 is now the default stable version

    The default Python version has changed from 3.13 to 3.14. This applies to Python version installation when no Python version is requested, e.g., uv python install. By default, uv will use the system Python version if present, so this may not cause changes to general use of uv. For example, if Python 3.13 is installed already, then uv venv will use that version. If no Python versions are installed on a machine and automatic downloads are enabled, uv will now use 3.14 instead of 3.13, e.g., for uv venv or uvx python. This change will not affect users who are using a .python-version file to pin to a specific Python version.

  • Allow use of free-threaded variants in Python 3.14+ without explicit opt-in (#​16142)

    Previously, free-threaded variants of Python were considered experimental and required explicit opt-in (i.e., with 3.14t) for usage. Now uv will allow use of free-threaded Python 3.14+ interpreters without explicit selection. The GIL-enabled build of Python will still be preferred, e.g., when performing an installation with uv python install 3.14. However, e.g., if a free-threaded interpreter comes before a GIL-enabled build on the PATH, it will be used. This change does not apply to free-threaded Python 3.13 interpreters, which will continue to require opt-in.

  • Use Python 3.14 stable Docker images (#​16150)

    Previously, the Python 3.14 images had an -rc suffix, e.g., python:3.14-rc-alpine or python:3.14-rc-trixie. Now, the -rc suffix has been removed to match the stable upstream images. The -rc image tags will no longer be updated. This change should not break existing workflows.

  • Upgrade Alpine Docker image to Alpine 3.22

    Previously, the uv:alpine Docker image was based on Alpine 3.21. Now, this image is based on Alpine 3.22. The previous image can be recovered with uv:alpine3.21 and will continue to be updated until a future release.

  • Upgrade Debian Docker images to Debian 13 "Trixie"

    Previously, the uv:debian and uv:debian-slim Docker images were based on Debian 12 "Bookworm". Now, these images are based on Debian 13 "Trixie". The previous images can be recovered with uv:bookworm and uv:bookworm-slim and will continue to be updated until a future release.

  • Fix incorrect output path when a trailing / is used in uv build (#​15133)

    When using uv build in a workspace, the artifacts are intended to be written to a dist directory in the workspace root. A bug caused workspace root determination to fail when the input path included a trailing /, causing the dist directory to be placed in the child directory. This bug has been fixed in this release. For example, if uv build child/ is used, the output path will now be in <workspace root>/dist/ rather than <workspace root>/child/dist/.

Python
  • Add CPython 3.14.0
  • Add CPython 3.13.8
Enhancements
  • Don't warn when a dependency is constrained by another dependency (#​16149)
Bug fixes
  • Fix uv python upgrade / install output when there is a no-op for one request (#​16158)
  • Surface pinned-version hint when uv tool upgrade can’t move the tool (#​16081)
  • Ban pre-release versions in uv python upgrade requests (#​16160)
  • Fix uv python upgrade replacement of installed binaries on pre-release to stable (#​16159)
Documentation
  • Update uv pip compile args in layout.md (#​16155)

v0.8.24

Compare Source

Release Notes

Released on 2025-10-06.

Enhancements
  • Emit a message on cache clean and prune when lock is held (#​16138)
  • Add --force flag for uv cache prune (#​16137)
Documentation
  • Fix example of bumping beta version without patch bump (#​16132)

Install uv 0.8.24

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.8.24/uv-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.8.24/uv-installer.ps1 | iex"

Download uv 0.8.24

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
uv-aarch64-unknown-linux-gnu.tar.gz ARM64 Linux checksum
uv-i686-unknown-linux-gnu.tar.gz x86 Linux checksum
uv-powerpc64-unknown-linux-gnu.tar.gz PPC64 Linux checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz PPC64LE Linux checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz RISCV Linux checksum
uv-s390x-unknown-linux-gnu.tar.gz S390x Linux checksum
uv-x86_64-unknown-linux-gnu.tar.gz x64 Linux checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz ARMv7 Linux checksum
uv-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
uv-i686-unknown-linux-musl.tar.gz x86 MUSL Linux checksum
uv-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum
uv-arm-unknown-linux-musleabihf.tar.gz ARMv6 MUSL Linux (Hardfloat) checksum
uv-armv7-unknown-linux-musleabihf.tar.gz ARMv7 MUSL Linux checksum

v0.8.23

Compare Source

Release Notes

Released on 2025-10-03.

Enhancements
  • Build s390x on stable Rust compiler version (#​16082)
  • Add UV_SKIP_WHEEL_FILENAME_CHECK to allow installing invalid wheels (#​16046)
Bug fixes
  • Avoid rejecting already-installed URL distributions with --no-sources (#​16094)
  • Confirm that the directory name is a valid Python install key during managed check (#​16080)
  • Ignore origin when comparing installed tools (#​16055)
  • Make cache control lookups robust to username (#​16088)
  • Re-order lock validation checks by severity (#​16045)
  • Remove tracking of inferred dependency conflicts (#​15909)
  • Respect --no-color on the CLI (#​16044)
  • Deduplicate marker-specific dependencies in uv pip tree output (#​16078)
Documentation
  • Document transparent x86_64 emulation on aarch64 (#​16041)
  • Document why we ban URLs from index dependencies (#​15929)
  • Fix rendering of _CONDA_ROOT in reference (#​16114)
  • Windows arm64 and Linux RISC-V64 are Tier 2 supported (#​16027)

Install uv 0.8.23

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.8.23/uv-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.8.23/uv-installer.ps1 | iex"

Download uv 0.8.23

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
uv-aarch64-unknown-linux-gnu.tar.gz ARM64 Linux checksum
uv-i686-unknown-linux-gnu.tar.gz x86 Linux checksum
uv-powerpc64-unknown-linux-gnu.tar.gz PPC64 Linux checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz PPC64LE Linux checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz RISCV Linux checksum
uv-s390x-unknown-linux-gnu.tar.gz S390x Linux checksum
uv-x86_64-unknown-linux-gnu.tar.gz x64 Linux checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz ARMv7 Linux checksum
uv-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
uv-i686-unknown-linux-musl.tar.gz x86 MUSL Linux checksum
uv-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum
uv-arm-unknown-linux-musleabihf.tar.gz ARMv6 MUSL Linux (Hardfloat) checksum
uv-armv7-unknown-linux-musleabihf.tar.gz ARMv7 MUSL Linux checksum

v0.8.22

Compare Source

Release Notes

Released on 2025-09-23.

Python
Security

Install uv 0.8.22

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.8.22/uv-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.8.22/uv-installer.ps1 | iex"

Download uv 0.8.22

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
uv-aarch64-unknown-linux-gnu.tar.gz ARM64 Linux checksum
uv-i686-unknown-linux-gnu.tar.gz x86 Linux checksum
uv-powerpc64-unknown-linux-gnu.tar.gz PPC64 Linux checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz PPC64LE Linux checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz RISCV Linux checksum
uv-s390x-unknown-linux-gnu.tar.gz S390x Linux checksum
uv-x86_64-unknown-linux-gnu.tar.gz x64 Linux checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz ARMv7 Linux checksum
uv-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
uv-i686-unknown-linux-musl.tar.gz x86 MUSL Linux checksum
uv-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum
uv-arm-unknown-linux-musleabihf.tar.gz ARMv6 MUSL Linux (Hardfloat) checksum
uv-armv7-unknown-linux-musleabihf.tar.gz ARMv7 MUSL Linux checksum

v0.8.21

Compare Source

Release Notes

Released on 2025-09-23.

Enhancements
  • Refresh lockfile when --refresh is provided (#​15994)
Preview features
  • Add support for S3 request signing (#​15925)

Install uv 0.8.21

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.8.21/uv-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.8.21/uv-installer.ps1 | iex"

Download uv 0.8.21

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
uv-aarch64-unknown-linux-gnu.tar.gz ARM64 Linux checksum
uv-i686-unknown-linux-gnu.tar.gz x86 Linux checksum
uv-powerpc64-unknown-linux-gnu.tar.gz PPC64 Linux checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz PPC64LE Linux checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz RISCV Linux checksum
uv-s390x-unknown-linux-gnu.tar.gz S390x Linux checksum
uv-x86_64-unknown-linux-gnu.tar.gz x64 Linux checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz ARMv7 Linux checksum
uv-aarch64-unknown-linux-musl.tar.gz ARM64 MUSL Linux checksum
uv-i686-unknown-linux-musl.tar.gz x86 MUSL Linux checksum
uv-x86_64-unknown-linux-musl.tar.gz x64 MUSL Linux checksum
uv-arm-unknown-linux-musleabihf.tar.gz ARMv6 MUSL Linux (Hardfloat) checksum
uv-armv7-unknown-linux-musleabihf.tar.gz ARMv7 MUSL Linux checksum

v0.8.20

Compare Source

Release Notes

Released on 2025-09-22.

Enhancements
  • Add --force flag for uv cache clean (#​15992)
  • Improve resolution errors with proxied packages (#​15200)
Preview features
  • Allow upgrading pre-release versions of the same minor Python version (#​15959)
Bug fixes
  • Hide freethreaded+debug Python downloads in uv python list (#​15985)
  • Retain the cache lock and temporary caches during uv run and uvx (#​15990)
Documentation
  • Add package level conflicts to the conflicting dependencies docs (#​15963)
  • Document pyodide support (#​15962)
  • Document support for free-threaded and debug Python versions (#​15961)
  • Expand the contribution docs on issue selection (#​15966)
  • Tweak title for viewing version in project guide (#​15964)

Install uv 0.8.20

Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.8.20/uv-installer.sh | sh
Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.8.20/uv-installer.ps1 | iex"

Download uv 0.8.20

File Platform Checksum
uv-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
uv-x86_64-apple-darwin.tar.gz Intel macOS checksum
uv-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
uv-i686-pc-windows-msvc.zip x86 Windows checksum
uv-x86_64-pc-windows-msvc.zip x64 Windows checksum
[uv-aarch64-unknown-linux-gnu.tar.gz](https://redirect.github.com/astral-sh/uv/releases/downlo
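Added example, not part of the PR body and not uv's, pip's or Warehouse's code: a minimal Python check for the ZIP conditions the advisories above describe (duplicate local file entries, stacked archives, NUL bytes in filenames). It compares a streaming walk of local file headers with the central directory as Python's zipfile reads it. The function names, finding labels and sample archives are constructed for illustration, and ZIP64 and data-descriptor entries are out of scope.

```python
import io
import struct
import warnings
import zipfile

LFH_SIG = b"PK\x03\x04"        # local file header signature
LFH_FMT = "<4sHHHHHIIIHH"      # fixed 30-byte local file header
LFH_LEN = struct.calcsize(LFH_FMT)


def stream_local_entries(data: bytes) -> list[tuple[int, bytes]]:
    """Walk local file headers from offset 0, as a streaming extractor does.

    Returns (header offset, raw filename bytes) for each entry and stops at
    the first record that is not a local file header.
    """
    entries, pos = [], 0
    while data[pos:pos + 4] == LFH_SIG:
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from(LFH_FMT, data, pos)
        if flags & 0x08:
            # Sizes live in a trailing data descriptor; refuse rather than guess.
            raise ValueError("data descriptor in use; cannot walk by header sizes")
        entries.append((pos, data[pos + LFH_LEN:pos + LFH_LEN + nlen]))
        pos += LFH_LEN + nlen + xlen + csize
    return entries


def audit_zip(data: bytes) -> list[str]:
    """Return findings where two readings of the same bytes could disagree."""
    findings = []
    local = stream_local_entries(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # zipfile locates the central directory from the end of the file and
        # reports absolute header offsets, even when data is prepended.
        central_offsets = {info.header_offset for info in zf.infolist()}
    if {off for off, _ in local} != central_offsets:
        findings.append("local-central-mismatch")
    names = [name for _, name in local]
    if len(set(names)) != len(names):
        findings.append("duplicate-local-name")
    if any(b"\x00" in name for name in names):
        findings.append("nul-in-filename")
    return findings


def _make_zip(members: list[tuple[str, str]]) -> bytes:
    """Build a small stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in members:
                zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample archives with harmless contents.
CLEAN = _make_zip([("pkg/__init__.py", "x = 1\n")])
DUPLICATE = _make_zip([("pkg/__init__.py", "x = 1\n"),
                       ("pkg/__init__.py", "x = 2\n")])
STACKED = CLEAN + _make_zip([("pkg/other.py", "y = 1\n")])
NUL_NAME = _make_zip([("mod_x.py", "z = 1\n")]).replace(b"mod_x.py", b"mod\x00x.py")

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("duplicate", DUPLICATE),
                        ("stacked", STACKED), ("nul-name", NUL_NAME)]:
        print(label, audit_zip(blob))
```

Any non-empty result means the archive can be read in more than one way, which is the property the patched uv releases refuse to process.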

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 7, 2025
@renovate renovate bot force-pushed the renovate/pypi-uv-vulnerability branch from c14217a to 13bc82f Compare October 22, 2025 02:08
@renovate renovate bot changed the title Update dependency uv to v0.8.6 [SECURITY] Update dependency uv to v0.9.5 [SECURITY] Oct 22, 2025
@renovate renovate bot force-pushed the renovate/pypi-uv-vulnerability branch from 13bc82f to 5f5ef92 Compare October 30, 2025 03:31
@renovate renovate bot changed the title Update dependency uv to v0.9.5 [SECURITY] Update dependency uv to v0.9.6 [SECURITY] Oct 30, 2025