Update dependency uv to v0.11.6 [SECURITY]

[RKIMetadataExchange]

This PR contains the following updates:

Package	Update	Change
uv (source, changelog)	patch	==0.11.2 → ==0.11.6

GitHub Vulnerability Alerts

GHSA-pjjw-68hj-v9mw

Impact

Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall.

uv uses the RECORD to determine files to remove on uninstall. Consequently, a malicious or malformed wheel could induce deletion of arbitrary files outside of the wheel’s installation prefix on uninstall.

uv does not use the RECORD file to determine wheel file paths. Invalid RECORD entries cannot be used to create or modify files in arbitrary locations.

Standards-compliant Python packaging tooling does not produce RECORD files that exhibit this behavior; an attacker must manually manipulate the RECORD. A user must install and uninstall the malformed wheel to be affected. An attack must guess the depth of the installation prefix path in order to target system files.

Absolute paths in RECORD files are not allowed by the specification and, when present, uv always treats them as rooted in the wheel’s installation prefix. Absolute paths cannot be used to delete arbitrary files.

Only files can be deleted, attempts to delete a directory via an invalid RECORD entry will fail.

Patches

Versions 0.11.6 and newer of uv address the validation gap above, by removing invalid entries from RECORD files on wheel installation and ignoring RECORD paths that would escape the installation prefix on uninstall.

Workarounds

Users are advised to upgrade to 0.11.6 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

Severity

• CVSS Score: 2.1 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

---

Release Notes

astral-sh/uv (uv)

v0.11.6

Compare Source

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes

• Do not remove files outside the venv on uninstall (#​18942)
• Validate and heal wheel RECORD during installation (#​18943)
• Avoid uv cache clean errors due to Win32 path normalization (#​18856)

v0.11.5

Compare Source

Released on 2026-04-08.

Python

• Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#​18908)

Enhancements

• Fix build_system.requires error message (#​18911)
• Remove trailing path separators in path normalization (#​18915)
• Improve error messages for unsupported or invalid TLS certificates (#​18924)

Preview features

• Add exclude-newer to [[tool.uv.index]] (#​18839)
• uv audit: add context/warnings for ignored vulnerabilities (#​18905)

Bug fixes

• Normalize persisted fork markers before lock equality checks (#​18612)
• Clear junction properly when uninstalling Python versions on Windows (#​18815)
• Report error cleanly instead of panicking on TLS certificate error (#​18904)

Documentation

• Remove the legacy PIP_COMPATIBILITY.md redirect file (#​18928)
• Fix uv init example-bare --bare examples (#​18822, #​18925)

v0.11.4

Compare Source

Released on 2026-04-07.

Enhancements

• Add support for --upgrade-group (#​18266)
• Merge repeated archive URL hashes by version ID (#​18841)
• Require all direct URL hash algorithms to match (#​18842)

Bug fixes

• Avoid panics in environment finding via cycle detection (#​18828)
• Enforce direct URL hashes for pyproject.toml dependencies (#​18786)
• Error on --locked and --frozen when script lockfile is missing (#​18832)
• Fix uv export extra resolution for workspace member and conflicting extras (#​18888)
• Include conflicts defined in virtual workspace root (#​18886)
• Recompute relative exclude-newer values during uv tree --outdated (#​18899)
• Respect --exclude-newer in uv tool list --outdated (#​18861)
• Sort by comparator to break specifier ties (#​18850)
• Store relative timestamps in tool receipts (#​18901)
• Track newly-activated extras when determining conflicts (#​18852)
• Patch Cargo.lock in uv-build source distributions (#​18831)

Documentation

• Clarify that --exclude-newer compares artifact upload times (#​18830)

v0.11.3

Compare Source

Released on 2026-04-01.

Enhancements

• Add progress bar for hashing phase in uv publish (#​18752)
• Add support for ROCm 7.2 (#​18730)
• Emit abi3t tags for every abi3 version (#​18777)
• Expand uv workspace metadata with dependency information from the lock (#​18356)
• Implement support for PEP 803 (#​18767)
• Pretty-print platform in built wheel errors (#​18738)
• Publish installers to /installers/uv/latest on the mirror (#​18725)
• Show free-threaded Python in built-wheel errors (#​18740)

Preview features

• Add --ignore and --ignore-until-fixed to uv audit (#​18737)

Bug fixes

• Bump simple API cache (#​18797)
• Don't drop blake2b hashes (#​18794)
• Handle broken range request implementations (#​18780)
• Remove powerpc64-unknown-linux-gnu from release build targets (#​18800)
• Respect dependency metadata overrides in uv pip check (#​18742)
• Support debug CPython ABI tags in environment compatibility (#​18739)

Documentation

• Document false opt-out for exclude-newer-package (#​18768, #​18803)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box