Bump version to v0.8.6 (#15137)

charliermarsh · web-flow · commit 329a6b446a86 · 2025-08-07T16:17:14.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,41 @@
 
 <!-- prettier-ignore-start -->
 
+## 0.8.6
+
+This release contains hardening measures to address differentials in behavior between uv and Python's built-in ZIP parser (CVE-2025-54368).
+
+Prior to this release, attackers could construct ZIP files that would be extracted differently by pip, uv, and other tools. As a result, ZIPs could be constructed that would be considered harmless by (e.g.) scanners, but contain a malicious payload when extracted by uv. As of v0.8.6, uv now applies additional checks to reject such ZIPs.
+
+Thanks to a triage effort with the [Python Security Response Team](https://devguide.python.org/developer-workflow/psrt/) and PyPI maintainers, we were able to determine that these differentials **were not exploited** via PyPI during the time they were present. The PyPI team has also implemented similar checks and now guards against these parsing differentials on upload.
+
+Although the practical risk of exploitation is low, we take the _hypothetical_ risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this advisory a CVE identifier and have given it a "moderate" severity suggestion.
+
+These changes have been validated against the top 15,000 PyPI packages; however, it's plausible that a non-malicious ZIP could be falsely rejected with this additional hardening. As an escape hatch, users who do encounter breaking changes can enable `UV_INSECURE_NO_ZIP_VALIDATION` to restore the previous behavior. If you encounter such a rejection, please file an issue in uv and to the upstream package.
+
+### Security
+
+- Harden ZIP streaming to reject repeated entries and other malformed ZIP files ([#15136](https://github.com/astral-sh/uv/pull/15136))
+
+### Enhancements
+
+- Sync latest Python releases ([#15135](https://github.com/astral-sh/uv/pull/15135))
+
+### Configuration
+
+- Add support for per-project build-time environment variables ([#15095](https://github.com/astral-sh/uv/pull/15095))
+
+### Bug fixes
+
+- Avoid invalid simplification with conflict markers  ([#15041](https://github.com/astral-sh/uv/pull/15041))
+- Respect `UV_HTTP_RETRIES` in `uv publish` ([#15106](https://github.com/astral-sh/uv/pull/15106))
+- Support `UV_NO_EDITABLE` where `--no-editable` is supported ([#15107](https://github.com/astral-sh/uv/pull/15107))
+- Upgrade `cargo-dist` to add `UV_INSTALLER_URL` to PowerShell installer ([#15114](https://github.com/astral-sh/uv/pull/15114))
+- Upgrade `h2` again to avoid `too_many_internal_resets` errors ([#15111](https://github.com/astral-sh/uv/pull/15111))
+
+### Documentation
+
+- Ensure symlink warning is shown ([#15126](https://github.com/astral-sh/uv/pull/15126))
 
 ## 0.8.5
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/uv-build/Cargo.toml b/crates/uv-build/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "uv-build"
-version = "0.8.5"
+version = "0.8.6"
 edition = { workspace = true }
 rust-version = { workspace = true }
 homepage = { workspace = true }
diff --git a/crates/uv-build/pyproject.toml b/crates/uv-build/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "uv-build"
-version = "0.8.5"
+version = "0.8.6"
 description = "The uv build backend"
 authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }]
 requires-python = ">=3.8"
diff --git a/crates/uv-version/Cargo.toml b/crates/uv-version/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "uv-version"
-version = "0.8.5"
+version = "0.8.6"
 edition = { workspace = true }
 rust-version = { workspace = true }
 homepage = { workspace = true }
diff --git a/crates/uv/Cargo.toml b/crates/uv/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "uv"
-version = "0.8.5"
+version = "0.8.6"
 edition = { workspace = true }
 rust-version = { workspace = true }
 homepage = { workspace = true }
diff --git a/docs/concepts/build-backend.md b/docs/concepts/build-backend.md
@@ -31,7 +31,7 @@ To use uv as a build backend in an existing project, add `uv_build` to the
 
 ```toml title="pyproject.toml"
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
diff --git a/docs/concepts/projects/init.md b/docs/concepts/projects/init.md
@@ -111,7 +111,7 @@ dependencies = []
 example-pkg = "example_pkg:main"
 
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
@@ -134,7 +134,7 @@ dependencies = []
 example-pkg = "example_pkg:main"
 
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
@@ -195,7 +195,7 @@ requires-python = ">=3.11"
 dependencies = []
 
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
diff --git a/docs/concepts/projects/workspaces.md b/docs/concepts/projects/workspaces.md
@@ -75,7 +75,7 @@ bird-feeder = { workspace = true }
 members = ["packages/*"]
 
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
@@ -106,7 +106,7 @@ tqdm = { git = "https://github.com/tqdm/tqdm" }
 members = ["packages/*"]
 
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
@@ -188,7 +188,7 @@ dependencies = ["bird-feeder", "tqdm>=4,<5"]
 bird-feeder = { path = "packages/bird-feeder" }
 
 [build-system]
-requires = ["uv_build>=0.8.5,<0.9.0"]
+requires = ["uv_build>=0.8.6,<0.9.0"]
 build-backend = "uv_build"
 ```
 
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md
@@ -25,7 +25,7 @@ uv provides a standalone installer to download and install uv:
     Request a specific version by including it in the URL:
 
     ```console
-    $ curl -LsSf https://astral.sh/uv/0.8.5/install.sh | sh
+    $ curl -LsSf https://astral.sh/uv/0.8.6/install.sh | sh
     ```
 
 === "Windows"
@@ -41,7 +41,7 @@ uv provides a standalone installer to download and install uv:
     Request a specific version by including it in the URL:
 
     ```pwsh-session
-    PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.5/install.ps1 | iex"
+    PS> powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/0.8.6/install.ps1 | iex"
     ```
 
 !!! tip
diff --git a/docs/guides/integration/aws-lambda.md b/docs/guides/integration/aws-lambda.md
@@ -92,7 +92,7 @@ the second stage, we'll copy this directory over to the final image, omitting th
 other unnecessary files.
 
 ```dockerfile title="Dockerfile"
-FROM ghcr.io/astral-sh/uv:0.8.5 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.6 AS uv
 
 # First, bundle the dependencies into the task root.
 FROM public.ecr.aws/lambda/python:3.13 AS builder
@@ -334,7 +334,7 @@ And confirm that opening http://127.0.0.1:8000/ in a web browser displays, "Hell
 Finally, we'll update the Dockerfile to include the local library in the deployment package:
 
 ```dockerfile title="Dockerfile"
-FROM ghcr.io/astral-sh/uv:0.8.5 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.6 AS uv
 
 # First, bundle the dependencies into the task root.
 FROM public.ecr.aws/lambda/python:3.13 AS builder
diff --git a/docs/guides/integration/docker.md b/docs/guides/integration/docker.md
@@ -31,7 +31,7 @@ $ docker run --rm -it ghcr.io/astral-sh/uv:debian uv --help
 The following distroless images are available:
 
 - `ghcr.io/astral-sh/uv:latest`
-- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.5`
+- `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}`, e.g., `ghcr.io/astral-sh/uv:0.8.6`
 - `ghcr.io/astral-sh/uv:{major}.{minor}`, e.g., `ghcr.io/astral-sh/uv:0.8` (the latest patch
   version)
 
@@ -75,7 +75,7 @@ And the following derived images are available:
 
 As with the distroless image, each derived image is published with uv version tags as
 `ghcr.io/astral-sh/uv:{major}.{minor}.{patch}-{base}` and
-`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.5-alpine`.
+`ghcr.io/astral-sh/uv:{major}.{minor}-{base}`, e.g., `ghcr.io/astral-sh/uv:0.8.6-alpine`.
 
 In addition, starting with `0.8` each derived image also sets `UV_TOOL_BIN_DIR` to `/usr/local/bin`
 to allow `uv tool install` to work as expected with the default user.
@@ -116,7 +116,7 @@ Note this requires `curl` to be available.
 In either case, it is best practice to pin to a specific uv version, e.g., with:
 
 ```dockerfile
-COPY --from=ghcr.io/astral-sh/uv:0.8.5 /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/
 ```
 
 !!! tip
@@ -134,7 +134,7 @@ COPY --from=ghcr.io/astral-sh/uv:0.8.5 /uv /uvx /bin/
 Or, with the installer:
 
 ```dockerfile
-ADD https://astral.sh/uv/0.8.5/install.sh /uv-installer.sh
+ADD https://astral.sh/uv/0.8.6/install.sh /uv-installer.sh
 ```
 
 ### Installing a project
@@ -560,5 +560,5 @@ Verified OK
 !!! tip
 
     These examples use `latest`, but best practice is to verify the attestation for a specific
-    version tag, e.g., `ghcr.io/astral-sh/uv:0.8.5`, or (even better) the specific image digest,
+    version tag, e.g., `ghcr.io/astral-sh/uv:0.8.6`, or (even better) the specific image digest,
     such as `ghcr.io/astral-sh/uv:0.5.27@sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f`.
diff --git a/docs/guides/integration/github.md b/docs/guides/integration/github.md
@@ -47,7 +47,7 @@ jobs:
         uses: astral-sh/setup-uv@v6
         with:
           # Install a specific version of uv.
-          version: "0.8.5"
+          version: "0.8.6"
 ```
 
 ## Setting up Python
diff --git a/docs/guides/integration/pre-commit.md b/docs/guides/integration/pre-commit.md
@@ -19,7 +19,7 @@ To make sure your `uv.lock` file is up to date even if your `pyproject.toml` fil
 repos:
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.8.5
+    rev: 0.8.6
     hooks:
       - id: uv-lock
 ```
@@ -30,7 +30,7 @@ To keep a `requirements.txt` file in sync with your `uv.lock` file:
 repos:
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.8.5
+    rev: 0.8.6
     hooks:
       - id: uv-export
 ```
@@ -41,7 +41,7 @@ To compile requirements files:
 repos:
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.8.5
+    rev: 0.8.6
     hooks:
       # Compile requirements
       - id: pip-compile
@@ -54,7 +54,7 @@ To compile alternative requirements files, modify `args` and `files`:
 repos:
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.8.5
+    rev: 0.8.6
     hooks:
       # Compile requirements
       - id: pip-compile
@@ -68,7 +68,7 @@ To run the hook over multiple files at the same time, add additional entries:
 repos:
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.8.5
+    rev: 0.8.6
     hooks:
       # Compile requirements
       - id: pip-compile
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "uv"
-version = "0.8.5"
+version = "0.8.6"
 description = "An extremely fast Python package and project manager, written in Rust."
 authors = [{ name = "Astral Software Inc.", email = "hey@astral.sh" }]
 requires-python = ">=3.8"
