Comparing changes

base repository: astral-sh/uv
base: 0.11.5
head repository: astral-sh/uv
compare: 0.11.6
  • 4 commits
  • 166 files changed
  • 3 contributors

Commits on Apr 9, 2026

  1. Do not remove files outside the venv on uninstall (#18942)

    Check that only files inside the installation scheme can be removed when
    uv uninstalls a package. This fixes a bug where uv would try to remove
    arbitrary files due to a malformed or malicious RECORD file in a wheel.
    For venvs, the installation prefix is the entire venv, as `.data/data`
    allows wheels to write to the entire venv, so all files in the venv can
    also be removed.
    
    This is both a correctness fix (uv should never remove files outside its
    domain) and a low severity security fix, where a malicious wheel could
    remove a user's files during uninstallation, such as a `uv sync` that
    upgrades the package version. Note that this requires an attacker having
    control over the wheel, which also allows them to modify arbitrary
    Python code. There are no known cases of wheels actually referencing
    files outside the installation scheme in their RECORD.
    konstin authored Apr 9, 2026
    a0e461a
  2. Avoid uv cache clean errors due to Win32 path normalization (#18856)

    ## Summary
    
    Closes #16586
    
    Adds a public function to the `uv-fs` crate called `verbatim_path` which is
    now leveraged by `rm_rf` in the `uv-cache` crate for cleaning paths that
    require verbatim composition to avoid failures seen in #16586.
    
    ## Test Plan
    
    Tested locally on Windows 10 and 11 by setting `UV_CACHE_DIR` to a local
    directory and then running `uv init`, `uv add uwsgi`, and `uv cache
    clean` to ensure there are no failures.
    
    Additionally unit and integration tests were added to avoid future
    regressions.
    samypr100 authored Apr 9, 2026
    b38439b
  3. Validate and heal RECORD during installation (#18943)

    Check the RECORD of a wheel file and heal it if necessary, to ensure the
    RECORD and the wheel contents always match, and uninstallation can't
    remove files that don't belong to the wheel. This check and repair
    happen between unpacking a wheel and persisting it in the cache,
    ensuring that every wheel that ends up in the cache has a valid RECORD.
    
    We collect the paths from the archive in the unpacking step; I added it
    to all unpacking steps for consistency. I also improved the consistency
    of the RECORD handling code.
    
    ---------
    
    Co-authored-by: Zanie Blue <contact@zanie.dev>
    konstin and zanieb authored Apr 9, 2026
    7983c7a
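The two RECORD-related commits above (#18942, restricting uninstall removals to the installation scheme, and #18943, validating and healing RECORD against the unpacked archive) describe one defensive idea: never trust a wheel's RECORD as the authority for which files may be touched. The following is an added illustration in Python, not uv's own (Rust) code and not a reproduction of its logic. It assumes a constructed RECORD for a hypothetical wheel `pkg-1.0`, a constructed set of archive paths, and hypothetical helper names (`parse_record`, `is_within_scheme`, `validate_and_heal`, `removable_paths`). The RECORD check is purely lexical; a real healer would also recompute digests and sizes for entries it adds.

```python
import csv
import io
import os
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample RECORD for a hypothetical wheel "pkg-1.0". Real RECORD
# rows are "path,hash,size"; the last three rows are deliberately bad:
# a ".." traversal, an absolute path, and a file that is not in the archive.
SAMPLE_RECORD = """\
pkg/__init__.py,sha256=AAAA,10
pkg/core.py,sha256=BBBB,20
pkg-1.0.dist-info/METADATA,sha256=CCCC,30
pkg-1.0.dist-info/RECORD,,
../../../home/user/.bashrc,sha256=DDDD,40
/etc/hosts,sha256=EEEE,50
pkg/ghost.py,sha256=FFFF,60
"""

# Constructed set of paths actually present in the wheel archive, as the
# unpacking step would collect them. pkg/extra.py is missing from RECORD.
SAMPLE_ARCHIVE_FILES = {
    "pkg/__init__.py",
    "pkg/core.py",
    "pkg/extra.py",
    "pkg-1.0.dist-info/METADATA",
    "pkg-1.0.dist-info/RECORD",
}


def parse_record(text):
    """Parse RECORD (CSV rows of path,hash,size) into (path, hash, size) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        path, digest, size = (row + ["", ""])[:3]
        rows.append((path, digest, size))
    return rows


def is_within_scheme(path):
    """Lexical check that a RECORD path cannot leave the installation scheme.

    Rejects empty paths, POSIX- or Windows-absolute paths, drive-relative
    paths like "C:x", and any path containing a ".." component.
    """
    if not path:
        return False
    if PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute():
        return False
    if PureWindowsPath(path).drive:
        return False
    return ".." not in PurePosixPath(path.replace("\\", "/")).parts


def validate_and_heal(record_text, archive_files):
    """Return (healed_record, rejected, added).

    healed_record maps every archive file to its (hash, size). RECORD rows that
    escape the scheme or name files absent from the archive are dropped and
    reported in `rejected`; archive files missing from RECORD are listed in
    `added` and inserted with an empty hash (a real healer recomputes it).
    """
    healed, rejected = {}, []
    for path, digest, size in parse_record(record_text):
        if not is_within_scheme(path):
            rejected.append((path, "escapes installation scheme"))
        elif path not in archive_files:
            rejected.append((path, "not in archive"))
        else:
            healed[path] = (digest, size)
    added = sorted(p for p in archive_files if p not in healed)
    for path in added:
        healed[path] = ("", "")
    return healed, rejected, added


def removable_paths(record_paths, prefix):
    """Uninstall-side guard: resolve each RECORD path under `prefix` and refuse
    any that lands outside it. Returns (absolute paths safe to remove, refused
    RECORD entries). Lexical only: pass an already-canonical prefix.
    """
    root = os.path.abspath(prefix)
    keep, refused = [], []
    for rel in record_paths:
        candidate = os.path.abspath(os.path.join(root, rel))
        try:
            inside = os.path.commonpath([root, candidate]) == root
        except ValueError:  # different drives on Windows
            inside = False
        if inside:
            keep.append(candidate)
        else:
            refused.append(rel)
    return keep, refused


if __name__ == "__main__":
    healed, rejected, added = validate_and_heal(SAMPLE_RECORD, SAMPLE_ARCHIVE_FILES)
    print("rejected:", rejected)
    print("added:", added)
    print("removable:", removable_paths(healed, "/tmp/site-packages"))
```

The healing step runs where the commit message places it, between unpacking and caching, so a cached wheel's RECORD lists exactly the archive's files. The uninstall guard is a second, independent layer: for a venv the prefix passed to `removable_paths` is the venv root (the commit notes that `.data/data` lets wheels write anywhere in the venv), and for other schemes it is the scheme directory. Because the checks here do not resolve symlinks, a prefix containing a symlinked component should be canonicalized by the caller first.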
  4. 6595080