Update dependency uv to v0.9.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
uv (source, changelog)	==0.9.5 -> ==0.9.6

GitHub Vulnerability Alerts

GHSA-pqhf-p39g-3x64

Impact

In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem:

1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields were not present, since they aren't widely used. Consequently, a ZIP archive could be constructed where uv would interpret the contents of a central directory comment field as ZIP control structures (such as a new central directory entry), rather than skipping over them.
2. Both local file entries and central directory entries contain filename fields, which are used to place archive members on disk. These fields are arbitrary sequences of bytes, and may therefore be invalid or ambiguous. For example, they may contain ASCII null bytes, in which case different ZIP extractors behave differently: Python's zipfile module truncates the filename at the first null, while uv would skip (not extract) any archive members whose filenames contained nulls. Because of this difference, a ZIP archive could be constructed that would extract differently across different Python package installers.

In both cases, the outcome is that an attacker may be able to produce a ZIP with a consistent digest that expands differently with different Python package installers.

Like with GHSA-8qf3-x8v5-2pj8, the impact of these differentials is limited by a number of factors:

• To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv pip install $package or similar with an attacker-controlled $package.
  When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
• If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.

Patches

Versions 0.9.6 and newer of uv address both of the parser differentials above, by properly handling comments in central directory entries and by refusing to process ZIPs that contain filename fields that are unlikely to be interpreted consistently across other ZIP parser implementations.

Workarounds

Users are advised to upgrade to 0.9.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

Attribution

This vulnerability was disclosed by Caleb Brown (Google).

---

Release Notes

astral-sh/uv (uv)

v0.9.6

Compare Source

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security

• Address ZIP parsing differentials (GHSA-pqhf-p39g-3x64)

Python

• Upgrade GraalPy to 25.0.1 (#​16401)

Enhancements

• Add --clear to uv build to remove old build artifacts (#​16371)
• Add --no-create-gitignore to uv build (#​16369)
• Do not error when a virtual environment directory cannot be removed due to a busy error (#​16394)
• Improve hint on pip install --system when externally managed (#​16392)
• Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#​16322)
• Update uv init template for Maturin (#​16449)
• Improve ordering of Python sources in logs (#​16463)
• Restore DockerHub release images and annotations (#​16441)

Bug fixes

• Check for matching Python implementation during uv python upgrade (#​16420)
• Deterministically order --find-links distributions (#​16446)
• Don't panic in uv export --frozen when the lockfile is outdated (#​16407)
• Fix root of uv tree when --package is used with circular dependencies (#​15908)
• Show package list with pip freeze --quiet (#​16491)
• Limit uv auth login pyx.dev retries to 60s (#​16498)
• Add an empty group with uv add --group ... -r ... (#​16490)

Documentation

• Update docs for maturin build backend init template (#​16469)
• Update docs to reflect previous changes to signal forwarding semantics (#​16430)
• Add instructions for installing via MacPorts (#​16039)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.