chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
biome		patch	2.3.0 -> 2.3.6
esbuild		minor	0.25.11 -> 0.27.0
github.com/alecthomas/kong	require	minor	v1.12.1 -> v1.13.0
go		patch	1.25.3 -> 1.25.4
go (source)	toolchain	patch	1.25.3 -> 1.25.4
hyperfine		minor	1.19.0 -> 1.20.0
svu		minor	3.2.4 -> 3.3.0
uv		patch	0.9.5 -> 0.9.10

---

Release Notes

biomejs/biome (biome)

v2.3.6: Biome CLI v2.3.6

2.3.6

Patch Changes

• #​8100 82b9a8e Thanks @​Netail! - Added the nursery rule useFind. Enforce the use of Array.prototype.find() over Array.prototype.filter() followed by [0] when looking for a single result.

  Invalid:

  [1, 2, 3].filter((x) => x > 1)[0];
  
  [1, 2, 3].filter((x) => x > 1).at(0);

• #​8118 dbc7021 Thanks @​hirokiokada77! - Fixed #​8117: useValidLang now accepts valid BCP 47 language tags with script subtags.

  Valid:

  <html lang="zh-Hans-CN"></html>

• #​7672 f1d5725 Thanks @​Netail! - Added the nursery rule useConsistentGraphqlDescriptions, requiring all descriptions to follow the same style (either block or inline) inside GraphQL files.

  Invalid:

  enum EnumValue {
    "this is a description"
    DEFAULT
  }

  Valid:

  enum EnumValue {
    """
    this is a description
    """
    DEFAULT
  }

• #​8026 f102661 Thanks @​matanshavit! - Fixed #​8004: noParametersOnlyUsedInRecursion now correctly detects recursion by comparing function bindings instead of just names.

  Previously, the rule incorrectly flagged parameters when a method had the same name as an outer function but called the outer function (not itself):

  function notRecursive(arg) {
    return arg;
  }
  
  const obj = {
    notRecursive(arg) {
      return notRecursive(arg); // This calls the outer function, not the method itself
    },
  };

  Biome now properly distinguishes between these cases and will not report false positives.

• #​8097 5fc5416 Thanks @​dyc3! - Added the nursery rule noVueVIfWithVFor. This rule disallows v-for and v-if on the same element.

  <!-- Invalid -->
  <div v-for="item in items" v-if="item.isActive">
    {{ item.name }}
  </div>

• #​8085 7983940 Thanks @​Netail! - Added the nursery rule noForIn. Disallow iterating using a for-in loop.

  Invalid:

  for (const i in array) {
    console.log(i, array[i]);
  }

• #​8086 2b41e82 Thanks @​matanshavit! - Fixed #​8045: The noNestedTernary rule now correctly detects nested ternary expressions even when they are wrapped in parentheses (e.g. foo ? (bar ? 1 : 2) : 3).

  Previously, the rule would not flag nested ternaries like foo ? (bar ? 1 : 2) : 3 because the parentheses prevented detection. The rule now looks through parentheses to identify nested conditionals.

  Previously not detected (now flagged):

  const result = foo ? (bar ? 1 : 2) : 3;

  Still valid (non-nested with parentheses):

  const result = foo ? bar : baz;

• #​8075 e403868 Thanks @​YTomm! - Fixed #​7948: The useReadonlyClassProperties code fix when checkAllProperties is enabled will no longer insert a newline after readonly and the class property.

• #​8102 47d940e Thanks @​lucasweng! - Fixed #​8027. useReactFunctionComponents no longer reports class components that implement componentDidCatch using class expressions.

  The rule now correctly recognizes error boundaries defined as class expressions:

  const ErrorBoundary = class extends Component {
    componentDidCatch(error, info) {}
  
    render() {
      return this.props.children;
    }
  };

• #​8097 5fc5416 Thanks @​dyc3! - Added the nursery rule useVueHyphenatedAttributes, which encourages using kebab case for attribute names, per the Vue style guide's recommendations.

  <!-- Invalid -->
  <MyComponent myProp="value" />
  
  <!-- Valid -->
  <MyComponent my-prop="value" />

• #​8108 0f0a658 Thanks @​Netail! - Added the nursery rule noSyncScripts. Prevent the usage of synchronous scripts.

  Invalid:

  <script src="https://third-party-script.js" />

  Valid:

  <script src="https://third-party-script.js" async />
  <script src="https://third-party-script.js" defer />

• #​8098 1fdcaf0 Thanks @​Jayllyz! - Added documentation URLs to rule descriptions in the JSON schema.

• #​8097 5fc5416 Thanks @​dyc3! - Fixed an issue with the HTML parser where it would treat Vue directives with dynamic arguments as static arguments instead.

• #​7684 f4433b3 Thanks @​vladimir-ivanov! - Changed noUnusedPrivateClassMembers to align more fully with meaningful reads.

  This rule now distinguishes more carefully between writes and reads of private class members.

  • A meaningful read is any access that affects program behavior.
  • For example, this.#x += 1 both reads and writes #x, so it counts as usage.
  • Pure writes without a read (e.g. this.#x = 1 with no getter) are no longer treated as usage.

  This change ensures that private members are only considered “used” when they are actually read in a way that influences execution.

  Invalid examples (previously valid)

  class UsedMember {
    set #x(value) {
      doSomething(value);
    }
  
    foo() {
      // This assignment does not actually read #x, because there is no getter.
      // Previously, this was considered a usage, but now it’s correctly flagged.
      this.#x = 1;
    }
  }

  Valid example (Previously invalid)

  class Foo {
    #usedOnlyInWriteStatement = 5;
  
    method() {
      // This counts as a meaningful read because we both read and write the value.
      this.#usedOnlyInWriteStatement += 42;
    }
  }

• #​7684 f4433b3 Thanks @​vladimir-ivanov! - Improved detection of used private class members

  The analysis for private class members has been improved: now the tool only considers a private member “used” if it is actually referenced in the code.

  • Previously, some private members might have been reported as used even if they weren’t actually accessed.
  • With this change, only members that are truly read or called in the code are counted as used.
  • Members that are never accessed will now be correctly reported as unused.

  This makes reports about unused private members more accurate and helps you clean up truly unused code.

  Example (previously valid)

  type YesNo = "yes" | "no";
  
  export class SampleYesNo {
    private yes: () => void;
    private no: () => void;
    private dontKnow: () => void; // <- will now report as unused
  
    on(action: YesNo): void {
      this[action]();
    }
  }

• #​7681 b406db6 Thanks @​kedevked! - Added the new lint rule, useSpread, ported from the ESLint rule prefer-spread.

  This rule enforces the use of the spread syntax (...) over Function.prototype.apply() when calling variadic functions, as spread syntax is generally more concise and idiomatic in modern JavaScript (ES2015+).

  The rule provides a safe fix.

Invalid

Math.max.apply(Math, args);
foo.apply(undefined, args);
obj.method.apply(obj, args);

Valid

Math.max(...args);
foo(...args);
obj.method(...args);

// Allowed: cases where the `this` binding is intentionally changed
foo.apply(otherObj, args);

• #​7287 aa55c8d Thanks @​ToBinio! - Fixed #​7205: The noDuplicateTestHooks rule now treats chained describe variants (e.g., describe.each/for/todo) as proper describe scopes, eliminating false positives.

  The following code will no longer be a false positive:

  describe("foo", () => {
    describe.for([])("baz", () => {
      beforeEach(() => {});
    });
  
    describe.todo("qux", () => {
      beforeEach(() => {});
    });
  
    describe.todo.each([])("baz", () => {
      beforeEach(() => {});
    });
  });

• #​8013 0c0edd4 Thanks @​Jayllyz! - Added the GraphQL nursery rule useUniqueGraphqlOperationName. This rule ensures that all GraphQL operations within a document have unique names.

  Invalid:

  query user {
    user {
      id
    }
  }
  
  query user {
    user {
      id
      email
    }
  }

  Valid:

  query user {
    user {
      id
    }
  }
  
  query userWithEmail {
    user {
      id
      email
    }
  }

• #​8084 c2983f9 Thanks @​dyc3! - Fixed #​8080: The HTML parser, when parsing Vue, can now properly handle Vue directives with no argument, modifiers, or initializer (e.g. v-else). It will no longer treat subsequent valid attributes as bogus.

  <p v-else class="flex">World</p>
  <!-- Fixed: class now gets parsed as it's own attribute -->

• #​8104 041196b Thanks @​Conaclos! - Fixed noInvalidUseBeforeDeclaration.
  The rule no longer reports a use of an ambient variable before its declarations.
  The rule also completely ignores TypeScript declaration files.
  The following code is no longer reported as invalid:

  CONSTANT;
  declare const CONSTANT: number;

• #​8060 ba7b076 Thanks @​dyc3! - Added the nursery rule useVueValidVBind, which enforces the validity of v-bind directives in Vue files.

  Invalid v-bind usages include:

  <Foo v-bind />
  <!-- Missing argument -->
  <Foo v-bind:foo />
  <!-- Missing value -->
  <Foo v-bind:foo.bar="baz" />
  <!-- Invalid modifier -->

• #​8113 fb8e3e7 Thanks @​Conaclos! - Fixed noInvalidUseBeforeDeclaration.
  The rule now reports invalid use of classes, enums, and TypeScript's import-equals before their declarations.

  The following code is now reported as invalid:

  new C();
  class C {}

• #​8077 0170dcb Thanks @​dyc3! - Added the rule useVueValidVElseIf to enforce valid v-else-if directives in Vue templates. This rule reports invalid v-else-if directives with missing conditional expressions or when not preceded by a v-if or v-else-if directive.

• #​8077 0170dcb Thanks @​dyc3! - Added the rule useVueValidVElse to enforce valid v-else directives in Vue templates. This rule reports v-else directives that are not preceded by a v-if or v-else-if directive.

• #​8077 0170dcb Thanks @​dyc3! - Added the rule useVueValidVHtml to enforce valid usage of the v-html directive in Vue templates. This rule reports v-html directives with missing expressions, unexpected arguments, or unexpected modifiers.

• #​8077 0170dcb Thanks @​dyc3! - Added the rule useVueValidVIf to enforce valid v-if directives in Vue templates. It disallows arguments and modifiers, and ensures a value is provided.

• #​8077 0170dcb Thanks @​dyc3! - Added the rule useVueValidVOn to enforce valid v-on directives in Vue templates. This rule reports invalid v-on / shorthand @ directives with missing event names, invalid modifiers, or missing handler expressions.

What's Changed

• refactor(cli/logging): removed duplication in setup_cli_subscriber(...) by @​JadKHaddad in #​7531
• perf(parse/tailwind): use compact trie for lexing base names instead of linear search by @​dyc3 in #​7977
• feat(biome_graphql_analyze): implement useConsistentGraphqlDescriptions by @​Netail in #​7672
• fix: remove unexpected new line when adding a readonly class property by @​YTomm in #​8075
• feat(html/analyze): add useVueValidVBind by @​dyc3 in #​8060
• fix(noDuplicateTestHook): detect more test function defintions by @​ToBinio in #​7287
• fix(noParametersOnlyUsedInRecursion): compare bindings for recursion detection by @​matanshavit in #​8026
• feat(html/analyze): add useVueValidVIf, useVueValidVElseIf, useVueValidVElse, useVueValidVOn and useVueValidVHtml by @​dyc3 in #​8077
• refactor(lint): refactor NoParametersOnlyUsedInRecursion by @​matanshavit in #​7970
• fix(parse/html/vue): fix modifier list parser aggressively parsing tokens it shouldn't by @​dyc3 in #​8084
• feat(js_analyze): implement noForIn by @​Netail in #​8085
• fix(noNestedTernary): detect nested ternaries wrapped in parentheses by @​matanshavit in #​8086
• refactor: migrate to schemars v1 by @​ematipico in #​8087
• feat(graphql_analyze): add useUniqueGraphqlOperationName by @​Jayllyz in #​8013
• chore: regression schemars v1 by @​ematipico in #​8092
• refactor(core): actions and pull diagnostics by @​ematipico in #​8082
• chore: enable oidc publishing by @​ematipico in #​8074
• chore: expose schema generation function by @​ematipico in #​8093
• feat: add useSpread rule by @​kedevked in #​7681
• chore(core): add CSS variant information to the source file by @​ematipico in #​8095
• feat(schema): add docs URLs to rule description by @​Jayllyz in #​8098
• feat(js_analyze): implement useFind by @​Netail in #​8100
• feat(biome_js_analyze): align no_unused_private_class_members_with_semantic_class and dynamic prop access by @​vladimir-ivanov in #​7684
• feat(analyze): implement noSyncScripts by @​Netail in #​8108
• fix(noInvalidUseBeforeDeclaration): don't report use before ambient var declaration by @​Conaclos in #​8104
• fix(noInvalidUseBeforeDeclaration): handle class, enum, import-equals by @​Conaclos in #​8113
• fix(useReactFunctionComponents): handle class expressions with componentDidCatch by @​lucasweng in #​8102
• feat(lint/vue): add noVueVIfWithVFor, useVueHyphenatedAttributes by @​dyc3 in #​8097
• chore(deps): update github-actions by @​renovate[bot] in #​8121
• chore(deps): update dependency @​types/node to v22.19.1 by @​renovate[bot] in #​8122
• chore(deps): update dependency rust to v1.91.1 by @​renovate[bot] in #​8123
• chore(deps): update taiki-e/install-action action to v2.62.52 by @​renovate[bot] in #​8126
• chore(deps): update typescript-eslint monorepo to v8.46.4 by @​renovate[bot] in #​8127
• fix(biome_js_analyze): fix useValidLang rejecting BCP 47 language tags with script subtags by @​hirokiokada77 in #​8118
• fix(deps): update @​biomejs packages by @​renovate[bot] in #​8129
• fix(deps): update rust crates by @​renovate[bot] in #​8130
• chore(deps): update rust crate schemars to 1.1.0 by @​renovate[bot] in #​8124
• chore(deps): update rust crate windows to 0.62.2 by @​renovate[bot] in #​8053
• chore(deps): update @​biomejs packages (major) by @​renovate[bot] in #​8131
• chore(deps): update dependency @​types/node to v24 by @​renovate[bot] in #​8132
• chore: schema regression rule domains by @​ematipico in #​8133
• chore: disable docstrings in coderabbit by @​ematipico in #​8134
• ci: release by @​github-actions[bot] in #​8076

New Contributors

• @​JadKHaddad made their first contribution in #​7531
• @​YTomm made their first contribution in #​8075
• @​ToBinio made their first contribution in #​7287
• @​hirokiokada77 made their first contribution in #​8118

Full Changelog: https://github.com/biomejs/biome/compare/@biomejs/biome@2.3.5...@​biomejs/biome@2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

evanw/esbuild (esbuild)

v0.27.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.26.0 or ~0.26.0. See npm's documentation about semver for more information.

• Use Uint8Array.fromBase64 if available (#​4286)

  With this release, esbuild's binary loader will now use the new Uint8Array.fromBase64 function unless it's unavailable in the configured target environment. If it's unavailable, esbuild's previous code for this will be used as a fallback. Note that this means you may now need to specify target when using this feature with Node (for example --target=node22) unless you're using Node v25+.

• Update the Go compiler from v1.23.12 to v1.25.4 (#​4208, #​4311)

  This raises the operating system requirements for running esbuild:

  • Linux: now requires a kernel version of 3.2 or later
  • macOS: now requires macOS 12 (Monterey) or later

v0.25.12

Compare Source

• Fix a minification regression with CSS media queries (#​4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#​4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:
  class ExampleIterator extends Iterator {}

• Add support for the new @view-transition CSS rule (#​4313)

  With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

  /* Original code */
  @​view-transition {
    navigation: auto;
    types: check;
  }
  
  /* Old output */
  @​view-transition { navigation: auto; types: check; }
  
  /* New output */
  @​view-transition {
    navigation: auto;
    types: check;
  }

  The new view transition feature provides a mechanism for creating animated transitions between documents in a multi-page app. You can read more about view transition rules here.

  This change was contributed by @​yisibl.

• Trim CSS rules that will never match

  The CSS minifier will now remove rules whose selectors contain :is() and :where() as those selectors will never match. These selectors can currently be automatically generated by esbuild when you give esbuild nonsensical input such as the following:

  /* Original code */
  div:before {
    color: green;
    &.foo {
      color: red;
    }
  }
  
  /* Old output (with --supported:nesting=false --minify) */
  div:before{color:green}:is().foo{color:red}
  
  /* New output (with --supported:nesting=false --minify) */
  div:before{color:green}

  This input is nonsensical because CSS nesting is (unfortunately) not supported inside of pseudo-elements such as :before. Currently esbuild generates a rule containing :is() in this case when you tell esbuild to transform nested CSS into non-nested CSS. I think it's reasonable to do that as it sort of helps explain what's going on (or at least indicates that something is wrong in the output). It shouldn't be present in minified code, however, so this release now strips it out.

alecthomas/kong (github.com/alecthomas/kong)

v1.13.0

Compare Source

golang/go (go)

v1.25.4

sharkdp/hyperfine (hyperfine)

v1.20.0

Features

• Add --reference-name option to give a meaningful name to the reference command, see #​808 (@​niklasdewally)
• The --ignore-failure option now supports a comma-separated list of exit codes to ignore (e.g., --ignore-failure=1,2), see #​836 (@​sharkdp)
• Python scripts: Add --time-unit option to advanced_statistics.py (@​sharkdp)
• Python scripts: Add new plot_benchmarks.py script for plotting collections of benchmarks, see #​806 (@​marxin)

Bugfixes

• Fix bug where naming individual commands with parameter scan was not working correctly, see #​794 (@​teofr)

Other

• Restrict cat tests to Unix environments, see #​776 and #​777 (@​ritvikos)

caarlos0/svu (svu)

v3.3.0

Changelog

New Features

• 0d2aa97: feat: add --json flag (#​261) (@​Nadim147c)
• b359291: feat: beautiful --help with fang (@​caarlos0)

Bug fixes

• 28f88fc: fix: gitignore (@​caarlos0)
• 3bf9b66: fix: lint issues (@​caarlos0)

Other work

• c669d8f: build: go 1.25 (@​caarlos0)
• 0dfc805: ci(deps): bump anchore/scan-action in the actions group (#​266) (@​dependabot[bot])
• 752527b: ci: add golangici-lint config (@​caarlos0)
• 7a5f75e: ci: consolidated security jobs (@​caarlos0)
• 7ae0db3: ci: dependabot update (@​caarlos0)
• d9cfe53: ci: update goreleaser (@​caarlos0)
• 97e3dcf: ci: update goreleaser (@​caarlos0)
• 04a8379: ci: update goreleaser config (@​caarlos0)

Full Changelog: caarlos0/svu@v3.2.4...v3.3.0

---

Released with GoReleaser Pro!

astral-sh/uv (uv)

v0.9.10

Compare Source

Released on 2025-11-17.

Enhancements

• Add support for SSL_CERT_DIR (#​16473)
• Enforce UTF‑8-encoded license files during uv build (#​16699)
• Error when a project.license-files glob matches nothing (#​16697)
• pip install --target (and sync) install Python if necessary (#​16694)
• Account for python_downloads_json_url in pre-release Python version warnings (#​16737)
• Support HTTP/HTTPS URLs in uv python --python-downloads-json-url (#​16542)

Preview features

• Add support for --upgrade in uv python install (#​16676)
• Fix handling of python install --default for pre-release Python versions (#​16706)
• Add uv workspace list to list workspace members (#​16691)

Bug fixes

• Don't check file URLs for ambiguously parsed credentials (#​16759)

Documentation

• Add a "storage" reference document (#​15954)

v0.9.9

Compare Source

Released on 2025-11-12.

Deprecations

• Deprecate use of --project in uv init (#​16674)

Enhancements

• Add iOS support to Python interpreter discovery (#​16686)
• Reject ambiguously parsed URLs (#​16622)
• Allow explicit values in uv version --bump (#​16555)
• Warn on use of managed pre-release Python versions when a stable version is available (#​16619)
• Allow signing trampolines on Windows by using .rcdata to store metadata (#​15068)
• Add --only-emit-workspace and similar variants to uv export (#​16681)

Preview features

• Add uv workspace dir command (#​16678)
• Add uv workspace metadata command (#​16516)

Configuration

• Add UV_NO_DEFAULT_GROUPS environment variable (#​16645)

Bug fixes

• Remove torch-model-archiver and torch-tb-profiler from PyTorch backend (#​16655)
• Fix Pixi environment detection (#​16585)

Documentation

• Fix CMD path in FastAPI Dockerfile (#​16701)

v0.9.8

Compare Source

Released on 2025-11-07.

Enhancements

• Accept multiple packages in uv export (#​16603)
• Accept multiple packages in uv sync (#​16543)
• Add a uv cache size command (#​16032)
• Add prerelease guidance for build-system resolution failures (#​16550)
• Allow Python requests to include +gil to require a GIL-enabled interpreter (#​16537)
• Avoid pluralizing 'retry' for single value (#​16535)
• Enable first-class dependency exclusions (#​16528)
• Fix inclusive constraints on available package versions in resolver errors (#​16629)
• Improve uv init error for invalid directory names (#​16554)
• Show help on uv build -h (#​16632)
• Include the Python variant suffix in "Using Python ..." messages (#​16536)
• Log most recently modified file for cache-keys (#​16338)
• Update Docker builds to use nightly Rust toolchain with musl v1.2.5 (#​16584)

Configuration

• Expose UV_NO_GROUP as an environment variable (#​16529)
• Add UV_NO_SOURCES as an environment variable (#​15883)

Bug fixes

• Allow --check and --locked to be used together in uv lock (#​16538)
• Allow for unnormalized names in the METADATA file (#​16547) (#​16548)
• Fix missing value_type for default-groups in schema (#​16575)
• Respect multi-GPU outputs in nvidia-smi (#​15460)
• Fix DNS lookup errors in Docker containers (#​8450)

Documentation

• Fix typo in uv tool list doc (#​16625)
• Note uv pip list name normalization in docs (#​13210)

Other changes

• Update Rust toolchain to 1.91 and MSRV to 1.89 (#​16531)

v0.9.7

Compare Source

Released on 2025-10-30.

Enhancements

• Add Windows x86-32 emulation support to interpreter architecture checks (#​13475)
• Improve readability of progress bars (#​16509)
• Add GitHub attestations for uv release artifacts (#​11357)

Bug fixes

• Drop terminal coloring from uv auth token output (#​16504)
• Don't use UV_LOCKED to enable --check flag (#​16521)

v0.9.6

Compare Source

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security

• Address ZIP parsing differentials (GHSA-pqhf-p39g-3x64)

Python

• Upgrade GraalPy to 25.0.1 (#​16401)

Enhancements

• Add --clear to uv build to remove old build artifacts (#​16371)
• Add --no-create-gitignore to uv build (#​16369)
• Do not error when a virtual environment directory cannot be removed due to a busy error (#​16394)
• Improve hint on pip install --system when externally managed (#​16392)
• Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#​16322)
• Update uv init template for Maturin (#​16449)
• Improve ordering of Python sources in logs (#​16463)
• Restore DockerHub release images and annotations (#​16441)

Bug fixes

• Check for matching Python implementation during uv python upgrade (#​16420)
• Deterministically order --find-links distributions (#​16446)
• Don't panic in uv export --frozen when the lockfile is outdated (#​16407)
• Fix root of uv tree when --package is used with circular dependencies (#​15908)
• Show package list with pip freeze --quiet (#​16491)
• Limit uv auth login pyx.dev retries to 60s (#​16498)
• Add an empty group with uv add --group ... -r ... (#​16490)

Documentation

• Update docs for maturin build backend init template (#​16469)
• Update docs to reflect previous changes to signal forwarding semantics (#​16430)
• Add instructions for installing via MacPorts (#​16039)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.