Error on --locked and --frozen when script lockfile is missing#18832
Merged
zanieb merged 4 commits intoastral-sh:mainfrom Apr 7, 2026
Merged
Error on --locked and --frozen when script lockfile is missing#18832zanieb merged 4 commits intoastral-sh:mainfrom
--locked and --frozen when script lockfile is missing#18832zanieb merged 4 commits intoastral-sh:mainfrom
Conversation
--locked and --frozen when script lockfile is missing
…lockfile When running a script with `--locked` or `--frozen` and no lockfile exists, uv now errors instead of warning and continuing. This prevents silently installing unverified dependencies when the user explicitly requested locked or frozen mode, which is a security concern for supply chain attacks. Closes astral-sh#18826 https://claude.ai/code/session_01HNhdSLdxRpLFN5NXkoUHiJ
… sources When `UV_LOCKED` or `UV_FROZEN` environment variables (or workspace config) are the source of the lock check, continue to warn instead of erroring when no script lockfile exists. This avoids breaking users who set `UV_LOCKED=1` globally across all their projects, some of which may include scripts without lockfiles. https://claude.ai/code/session_01HNhdSLdxRpLFN5NXkoUHiJ
Match the existing project lockfile error message style: "Unable to find lockfile for Python script, but `--locked` was provided." https://claude.ai/code/session_01HNhdSLdxRpLFN5NXkoUHiJ
007b24f to
716f3bb
Compare
Since `--locked` now errors instead of warning and continuing, the
`iniconfig` package is no longer downloaded during the `--locked` step.
The subsequent normal run must now download it fresh ("Prepared + Installed")
instead of finding it cached ("Checked").
https://claude.ai/code/session_01HNhdSLdxRpLFN5NXkoUHiJ
charliermarsh
approved these changes
Apr 3, 2026
Member
|
Honestly I think we should consider also erroring for |
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Apr 9, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | patch | `0.11.3` → `0.11.5` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.11.5`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0115) [Compare Source](astral-sh/uv@0.11.4...0.11.5) Released on 2026-04-08. ##### Python - Add CPython 3.13.13, 3.14.4, and 3.15.0a8 ([#​18908](astral-sh/uv#18908)) ##### Enhancements - Fix `build_system.requires` error message ([#​18911](astral-sh/uv#18911)) - Remove trailing path separators in path normalization ([#​18915](astral-sh/uv#18915)) - Improve error messages for unsupported or invalid TLS certificates ([#​18924](astral-sh/uv#18924)) ##### Preview features - Add `exclude-newer` to `[[tool.uv.index]]` ([#​18839](astral-sh/uv#18839)) - `uv audit`: add context/warnings for ignored vulnerabilities ([#​18905](astral-sh/uv#18905)) ##### Bug fixes - Normalize persisted fork markers before lock equality checks ([#​18612](astral-sh/uv#18612)) - Clear junction properly when uninstalling Python versions on Windows ([#​18815](astral-sh/uv#18815)) - Report error cleanly instead of panicking on TLS certificate error ([#​18904](astral-sh/uv#18904)) ##### Documentation - Remove the legacy `PIP_COMPATIBILITY.md` redirect file ([#​18928](astral-sh/uv#18928)) - Fix `uv init example-bare --bare` examples ([#​18822](astral-sh/uv#18822), [#​18925](astral-sh/uv#18925)) ### [`v0.11.4`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0114) [Compare Source](astral-sh/uv@0.11.3...0.11.4) Released on 2026-04-07. ##### Enhancements - Add support for `--upgrade-group` ([#​18266](astral-sh/uv#18266)) - Merge repeated archive URL hashes by version ID ([#​18841](astral-sh/uv#18841)) - Require all direct URL hash algorithms to match ([#​18842](astral-sh/uv#18842)) ##### Bug fixes - Avoid panics in environment finding via cycle detection ([#​18828](astral-sh/uv#18828)) - Enforce direct URL hashes for `pyproject.toml` dependencies ([#​18786](astral-sh/uv#18786)) - Error on `--locked` and `--frozen` when script lockfile is missing ([#​18832](astral-sh/uv#18832)) - Fix `uv export` extra resolution for workspace member and conflicting extras ([#​18888](astral-sh/uv#18888)) - Include conflicts defined in virtual workspace root ([#​18886](astral-sh/uv#18886)) - Recompute relative `exclude-newer` values during `uv tree --outdated` ([#​18899](astral-sh/uv#18899)) - Respect `--exclude-newer` in `uv tool list --outdated` ([#​18861](astral-sh/uv#18861)) - Sort by comparator to break specifier ties ([#​18850](astral-sh/uv#18850)) - Store relative timestamps in tool receipts ([#​18901](astral-sh/uv#18901)) - Track newly-activated extras when determining conflicts ([#​18852](astral-sh/uv#18852)) - Patch `Cargo.lock` in `uv-build` source distributions ([#​18831](astral-sh/uv#18831)) ##### Documentation - Clarify that `--exclude-newer` compares artifact upload times ([#​18830](astral-sh/uv#18830)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjEwOS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6cGF0Y2giXX0=-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
However, we do not error when these are set as environment variables for backwards compatibility and general safety since those variables could only be intended for project use.
Closes #18826