Skip to content

Centralised environment storage#18214

Merged
EliteTK merged 6 commits into
mainfrom
tk/centralised-environments
Jun 25, 2026
Merged

Centralised environment storage#18214
EliteTK merged 6 commits into
mainfrom
tk/centralised-environments

Conversation

@EliteTK

@EliteTK EliteTK commented Feb 27, 2026

Copy link
Copy Markdown
Member

Closes #1495. Partially addresses #7642.

Summary

Adds centralized virtual environment storage behind the centralized-project-envs preview feature.

When enabled, default project virtual environments (normally stored in .venv) are stored in the environments-v2 cache bucket instead of locally in the project directory. A .venv symlink/junction is maintained as a compatibility pointer for editor/IDE/tool discovery and activation.

There is no support for uv venv or a .venv path file fallback in this version. These are deferred for follow-up work to keep this PR easier to review. When --no-cache is enabled, uv warns and uses the ordinary local .venv behavior for that invocation.

The feature is intended to improve performance when switching environments and when working on a project directory which is on a different filesystem to the cache. Keeping separate cached environments for each interpreter allows reuse and fast switching. Moving the environment into the cache guarantees environments will be on the same filesystem as package files which should almost guarantee hardlinks can be used.

There are no current plans to support standalone environments not tied to a specific project.

Note: Most of the added lines in this PR are tests.

Design

Activation Criteria

When the feature is enabled, a centralized environment is used only if UV_PROJECT_ENVIRONMENT is not set and an active environment is not selected with --active. The feature has no effect when --no-cache is enabled, and uv falls back to ordinary local environment behavior.

Environment Reuse

The cache key used to locate the centralized environment is derived from the workspace path and interpreter identity. Upgradeable uv-managed Python installations use a minor-version identity so their environments can be reused after a transparent patch upgrade. For other environments, the identity is the interpreter key (which contains the implementation, exact version, operating system, architecture, libc, and variant).

The result is a partially human-readable cache key in the form: <name>-<implementation><python-version>-<hash>.

The implementation portion uses abbreviations such as cp for CPython, pp for PyPy, and gp for GraalPy, and currently pyodide for Pyodide.

If the project name is not available, the directory name is used; if neither is available, the name component is omitted (resulting in <implementation><python-version>-<hash>). The project or directory name component is slugified and limited to 100 characters to avoid hitting filesystem path-component length limits.

The Python version component normally includes the major, minor, and patch versions, along with any pre-release identifier. For upgradeable uv-managed Python installations, the patch version is omitted.

Examples:

  • my-project-cp3.12.4-0123456798abcdef
  • my-project-cp3.12-0123456789abcdef for an upgradeable managed Python
  • cp3.14.0b2-fedcba8976543210

Interpreter Discovery

The Python interpreter must be known to calculate the cache key. It can be discovered based on the current Python request but this is a comparatively slow process and would be a big performance hit on consecutive uv run invocations.

The compatibility .venv is (currently) inspected as a potential environment. This environment's interpreter is then used to calculate the correct cache key. This two-step lookup avoids a broken situation where a user-provided link points outside of the cache, or at a cache entry for the wrong project.

The .venv Link

To aid in ensuring compatibility with existing third-party tools (and ty), an attempt is made to create a symlink or junction from .venv to the centralized environment location. This can fail in some system configurations. Failure is non-fatal because uv can continue using the centralized environment directly. This leads to user-facing warnings when encountered by uv sync, uv add, uv remove, uv version, uv check, and uv workspace metadata --sync. To avoid warning on every invocation, uv run logs publication failures with warn! instead.

A later PR will make symlink/junction creation failure fall back to a plain file containing the environment path. This will preserve uv's interpreter discovery fast path for these cases. If/when support for such files lands in third-party projects, they will also be able to use this for environment discovery.

A real local virtual environment at .venv is removed without prompting. An existing symlink or junction is replaced without following it. An unrelated non-empty directory is not deleted; link creation fails with a warning instead. On Windows, empty directories may be replaced to clean up copied junction remnants.

During non-dry-run project operations, the link is eagerly updated whenever a centralized environment is created or reused. A later PR may limit this replacement to cases where it's actually necessary.

Interoperability / Safety

In order to allow uv to function seamlessly after the feature is deactivated on a project, changes have been made to the baseline behaviour of uv: if a symlink or junction is found to point into the cache and uv would normally clear it, the symlink/junction is deleted, not the target. Previously, uv would follow this symlink and re-create the target in place. If the link points at a compatible environment, it will continue to be used as normal.

A non-empty .venv directory that does not appear to be a virtual environment is left untouched.

Cache Lifecycle

Both uv cache clean and uv cache prune will delete all centralized environments unconditionally. This leaves .venv links dangling intentionally. This is recoverable and will lead to re-creation without warnings or errors.

Test Plan

A combination of existing test coverage and a bunch of new tests.

A separate test suite was used to gain more confidence in thie PR. This test suite was used to inform the selection of tests added in this PR. An attempt was made not to duplicate coverage within the added tests.

VS Code

An extensive suite of automated VS Code tests was created and ran on MacOS and Windows (Linux coming eventually although static analysis showed no reason for any deviation and past experience confirms this). The following is a representative snapshot of the current state:

  • VS Code finds centralized environments correctly using the symlink/junction.
  • Normal uv add and uv remove workflows work with Pylance and ty.
  • Pylance can miss package changes made directly to a centralized environment (uv pip); ty handles them correctly.
  • Replacing an environment can leave both tools stale, but this already happens with regular .venv directories.
  • Overall, centralized environments work for normal use, with a small number of existing or fixable editor issues.

Outstanding issues/questions

Should the venv be keyed further on choice of extras/groups, the project inside a workspace? It would increase the number of environments, but also allow environment reuse without package selection changes in more cases.

When upgrading from a local environment, we make no attempt to preserve the chosen python interpreter. Mainly because we don't have an easy route to find its provenance so we can re-use it after deletion. We could use the version of the interpreter as a lookup hint, though. Should we?

@EliteTK EliteTK force-pushed the tk/centralised-environments branch from a13b166 to 13f7458 Compare February 27, 2026 14:44
@EliteTK EliteTK force-pushed the tk/centralised-environments branch 2 times, most recently from 950dfc3 to e7755f1 Compare March 10, 2026 03:43
@EliteTK EliteTK added enhancement New feature or improvement to existing functionality preview Experimental behavior labels Mar 10, 2026
@EliteTK EliteTK force-pushed the tk/centralised-environments branch from e7755f1 to 6b7773e Compare March 10, 2026 04:12
@EliteTK EliteTK marked this pull request as ready for review March 10, 2026 04:12
@EliteTK EliteTK requested review from konstin and zanieb and removed request for konstin March 10, 2026 04:12
@EliteTK EliteTK force-pushed the tk/centralised-environments branch 3 times, most recently from f695a5c to 555ff26 Compare March 10, 2026 19:37
@konstin

konstin commented Mar 11, 2026

Copy link
Copy Markdown
Member

Small thing that doesn't fit inline:

$ uv --preview venv
Using CPython 3.14.3
Creating virtual environment in centralised location
? A virtual environment already exists at `/home/konsti/.cache/uv/environments-v2/debug-41d6a3fbafb1005d`. Do you want to replace it? [y/n] › yes

hint: Use the `--clear` flag or set `UV_VENV_CLEAR=1` to skip this prompt

Comment thread crates/uv-workspace/src/workspace.rs Outdated
Comment thread crates/uv/src/commands/project/mod.rs Outdated
Comment thread crates/uv/src/commands/project/mod.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv/src/commands/venv.rs Outdated
Comment thread crates/uv/tests/it/venv.rs Outdated
@EliteTK EliteTK force-pushed the tk/centralised-environments branch 2 times, most recently from e09b749 to c9a4bbe Compare March 12, 2026 00:01
@EliteTK

EliteTK commented Mar 12, 2026

Copy link
Copy Markdown
Member Author

Noticed that those link/env file creation warnings don't print the error chain. But I went down a rabbit hole trying to come up with some neater way of doing that and haven't managed to finish it today.

@EliteTK EliteTK force-pushed the tk/centralised-environments branch from c9a4bbe to f333eb5 Compare March 12, 2026 00:30
Comment thread crates/uv-fs/src/lib.rs Outdated
Comment thread crates/uv-preview/src/lib.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-python/src/environment.rs Outdated
Comment thread crates/uv-virtualenv/src/lib.rs Outdated
Comment thread docs/reference/storage.md Outdated
Comment thread docs/reference/storage.md Outdated
@EliteTK EliteTK force-pushed the tk/centralised-environments branch 2 times, most recently from b3d84e3 to 8a96a8b Compare June 18, 2026 16:13
@EliteTK EliteTK requested a review from zanieb June 18, 2026 16:16
@EliteTK

EliteTK commented Jun 18, 2026

Copy link
Copy Markdown
Member Author

See: https://github.com/astral-sh/uv/compare/tk/centralised-envs-reviewed..tk/centralised-environments for a clear view of what changed since the last review.

@EliteTK EliteTK force-pushed the tk/centralised-environments branch from 710e5cf to 1777b28 Compare June 25, 2026 19:35
@EliteTK EliteTK enabled auto-merge (squash) June 25, 2026 19:39
@EliteTK EliteTK merged commit f6ec347 into main Jun 25, 2026
54 checks passed
@EliteTK EliteTK deleted the tk/centralised-environments branch June 25, 2026 19:43
@rsyring

rsyring commented Jun 25, 2026

Copy link
Copy Markdown

@zanieb and @EliteTK thanks for getting this across the finish line!

zanieb pushed a commit that referenced this pull request Jun 26, 2026
## Summary

With the centralised project environments preview feature enabled, `uv
venv` invoked with no path and `UV_PROJECT_ENVIRONMENT` unset will now
use the environment cache bucket as the backing store for the
environment. The key selection logic is the same as for centralised
project environments.

There's are some cases of note:

* With the feature enabled:
* Unless you explicitly pass `--no-clear`, existing environments will be
clobbered without prompting
* If you pass `--allow-existing` this will avoid clearing the
_centralised_ environment, before re-using it, but will still clobber
local environments when creating the link. This might sound weird, but
the alternatives are:
* Disable the feature if `.venv` exists, but if `.venv` doesn't exist,
instead operate on any "existing" environment in the cache (this gets
more confusing the more you think about it)
* Don't touch `.venv` if it exists, but otherwise operate on any
"existing" environment in the cache
* Complain if `.venv` exists but is not referencing the cache (somewhat
sane sounding... except also somewhat heavy and still weird)
* With the feature disabled:
* Whenever we would normally clear an environment, if it's a link to the
cache, we just delete the link (we would normally clear the target of
the link). I consider this not to be breaking because a `.venv` that is
a link into the cache should never have been a thing prior to the
feature.
  * The user is not prompted to remove links to the cache.

See also #18214.

## Test Plan

A range of new tests covering a variety of normal and corner cases.
blake-hamm added a commit to blake-hamm/bhamm-lab that referenced this pull request Jun 27, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ghcr.io/astral-sh/uv](https://github.com/astral-sh/uv) | stage | patch | `0.11.24` → `0.11.25` |

---

### Release Notes

<details>
<summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary>

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: Renovate Bot <renovate@bhamm-lab.com>
Reviewed-on: https://codeberg.org/blake-hamm/bhamm-lab/pulls/230
hbjydev pushed a commit to hbjydev/containers that referenced this pull request Jun 29, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ghcr.io/astral-sh/uv](https://github.com/astral-sh/uv) | final | patch | `0.11.24` → `0.11.25` |

---

### Release Notes

<details>
<summary>astral-sh/uv (ghcr.io/astral-sh/uv)</summary>

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->

Reviewed-on: https://forgejo.hayden.moe/hayden/containers/pulls/13
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Jul 9, 2026
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [uv](https://github.com/astral-sh/uv) | patch | `0.11.21` → `0.11.28` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (uv)</summary>

### [`v0.11.28`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01128)

[Compare Source](astral-sh/uv@0.11.27...0.11.28)

Released on 2026-07-07.

##### Security

This release updates our ZIP library, [astral-async-zip](https://github.com/astral-sh/rs-async-zip), to v0.0.20, which includes 15 changes that harden our ZIP handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject ZIP archives with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/rs-async-zip@v0.0.18...v0.0.20) for a full list of changes.

##### Python

- Upgrade GraalPy to 25.1.3 ([#&#8203;20069](astral-sh/uv#20069))

##### Enhancements

- Improve trace logs for unexpected error chains ([#&#8203;20220](astral-sh/uv#20220))
- Move lockfile update guidance to a hint ([#&#8203;20219](astral-sh/uv#20219))
- Preserve indentation for multiline error causes ([#&#8203;20156](astral-sh/uv#20156))
- Render user errors with their cause chains ([#&#8203;20217](astral-sh/uv#20217))
- Route final command errors through the printer to respect `-q` and `-qq` ([#&#8203;20163](astral-sh/uv#20163))
- Use standard rendering for `uv build` errors ([#&#8203;20159](astral-sh/uv#20159))
- Use standard rendering for tool requirement errors ([#&#8203;20160](astral-sh/uv#20160))

##### Performance

- Only compile bytecode for installed distributions in `uv pip install` ([#&#8203;19914](astral-sh/uv#19914))
- Avoid allocating URL-safe Git revisions ([#&#8203;20194](astral-sh/uv#20194))
- Avoid allocating canonical Python request strings ([#&#8203;20193](astral-sh/uv#20193))
- Avoid allocating custom Astral mirror URLs ([#&#8203;20204](astral-sh/uv#20204))
- Avoid allocating expanded compatibility tags ([#&#8203;20190](astral-sh/uv#20190))
- Avoid allocating shell strings that need no escaping ([#&#8203;20196](astral-sh/uv#20196))
- Avoid allocating static ABI descriptions ([#&#8203;20201](astral-sh/uv#20201))
- Avoid allocating static Windows executable names ([#&#8203;20200](astral-sh/uv#20200))
- Avoid allocating static dependency table names ([#&#8203;20199](astral-sh/uv#20199))
- Avoid allocating static platform triple components ([#&#8203;20195](astral-sh/uv#20195))
- Avoid allocating static resolver report labels ([#&#8203;20198](astral-sh/uv#20198))
- Avoid allocating static unavailable-version messages ([#&#8203;20197](astral-sh/uv#20197))
- Avoid allocating unchanged Python download architectures ([#&#8203;20202](astral-sh/uv#20202))
- Avoid allocating unchanged paths during case normalization ([#&#8203;20203](astral-sh/uv#20203))
- Avoid allocations when expanding group conflicts ([#&#8203;20211](astral-sh/uv#20211))
- Avoid allocations when formatting requirements ([#&#8203;20206](astral-sh/uv#20206))
- Avoid cloning credential lookup services ([#&#8203;20210](astral-sh/uv#20210))
- Avoid cloning dry-run distributions ([#&#8203;20209](astral-sh/uv#20209))
- Avoid cloning owned dependency metadata ([#&#8203;20212](astral-sh/uv#20212))
- Avoid redundant direct URL clones ([#&#8203;20207](astral-sh/uv#20207))
- Create metadata version errors lazily ([#&#8203;20205](astral-sh/uv#20205))
- Optimize expanded tag compatibility checks ([#&#8203;20171](astral-sh/uv#20171))
- Optimize parsing of single-digit three-part versions ([#&#8203;20118](astral-sh/uv#20118))

##### Bug fixes

- Avoid overflow when computing HTTP cache age ([#&#8203;20178](astral-sh/uv#20178))
- Respect `--upgrade` when `upgrade-package` is configured ([#&#8203;19955](astral-sh/uv#19955))
- Support `uv tree` in dependency-group-only projects ([#&#8203;20167](astral-sh/uv#20167))
- Treat cache entries as stale at exact expiration ([#&#8203;20183](astral-sh/uv#20183))

### [`v0.11.27`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01127)

[Compare Source](astral-sh/uv@0.11.26...0.11.27)

Released on 2026-07-06.

##### Enhancements

- Continue on ignored errors when fetching wheel metadata ([#&#8203;12255](astral-sh/uv#12255))
- Use caching for `--python-downloads-json-url` ([#&#8203;16749](astral-sh/uv#16749))

##### Preview features

- Discover extensionless shebang scripts in `uv workspace list --scripts` ([#&#8203;20099](astral-sh/uv#20099))

##### Performance

- Avoid full site-packages scans for direct reinstalls ([#&#8203;20119](astral-sh/uv#20119))
- Avoid redundant pyproject parsing ([#&#8203;20076](astral-sh/uv#20076))
- Cache default dependency markers when reading locks ([#&#8203;20125](astral-sh/uv#20125))
- Enable SIMD-accelerated TOML parsing ([#&#8203;20079](astral-sh/uv#20079))
- Intern `requires-python` specifiers in Simple API parsing ([#&#8203;20104](astral-sh/uv#20104))
- Read cache entries into exact-sized buffers ([#&#8203;20120](astral-sh/uv#20120))
- Reduce VersionSpecifiers parsing allocations ([#&#8203;20105](astral-sh/uv#20105))
- Reduce site-packages scan allocation overhead ([#&#8203;20087](astral-sh/uv#20087))
- Reuse package names when parsing wheel filenames ([#&#8203;20110](astral-sh/uv#20110))
- Sort Simple API files after grouping ([#&#8203;20112](astral-sh/uv#20112))

##### Bug fixes

- Always emit `packages` table for pylock.toml ([#&#8203;20145](astral-sh/uv#20145))
- Avoid blank line for empty `uv pip tree` ([#&#8203;20062](astral-sh/uv#20062))
- Encode hashes in file paths ([#&#8203;19807](astral-sh/uv#19807))
- Error on a registry uv.lock package without a version instead of panicking ([#&#8203;19855](astral-sh/uv#19855))
- Preserve conditional extra markers in exports ([#&#8203;20148](astral-sh/uv#20148))
- Skip the ambiguous authority check for file transport VCS URLs ([#&#8203;20086](astral-sh/uv#20086))
- Sync index format when `uv add --index` updates an existing index URL ([#&#8203;19818](astral-sh/uv#19818))

##### Other changes

- Re-add `pub` APIs used in Pixi ([#&#8203;20074](astral-sh/uv#20074))
- Update Rust toolchain to 1.96.1 ([#&#8203;20103](astral-sh/uv#20103))

### [`v0.11.26`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01126)

[Compare Source](astral-sh/uv@0.11.25...0.11.26)

Released on 2026-06-30.

##### Performance

- Adapt uv to IDs-only PubGrub dependencies ([#&#8203;20048](astral-sh/uv#20048))
- Avoid allocations in `ForkMap::contains` ([#&#8203;20023](astral-sh/uv#20023))
- Reuse resolver work across PubGrub iterations ([#&#8203;20020](astral-sh/uv#20020))
- Speed up candidate selection for disjoint ranges ([#&#8203;20026](astral-sh/uv#20026))

##### Bug fixes

- Warn when the build cache is inside the source directory ([#&#8203;20056](astral-sh/uv#20056))

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

### [`v0.11.24`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01124)

[Compare Source](astral-sh/uv@0.11.23...0.11.24)

Released on 2026-06-23.

##### Python

- Add CPython 3.15.0b3 ([#&#8203;19964](astral-sh/uv#19964))

##### Preview features

- Make project environments relocatable under preview ([#&#8203;19965](astral-sh/uv#19965))

##### Performance

- Use a compact index for lazy version maps ([#&#8203;19959](astral-sh/uv#19959))

##### Bug fixes

- Allow disabling `exclude-newer` ([#&#8203;19934](astral-sh/uv#19934))
- Avoid archive id collisions ([#&#8203;19949](astral-sh/uv#19949))
- Reapply "Fix transparent Python upgrades in project environments" ([#&#8203;19928](astral-sh/uv#19928))
- Clean up partial tool entrypoint installs ([#&#8203;19966](astral-sh/uv#19966))
- Fix relocatable `activate.fish` and broaden Fish version support ([#&#8203;19856](astral-sh/uv#19856))

### [`v0.11.23`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01123)

[Compare Source](astral-sh/uv@0.11.22...0.11.23)

Released on 2026-06-19.

##### Bug fixes

- Revert "Fix transparent Python upgrades in project environments" to mitigate unintended breakage in `pre-commit-uv` ([#&#8203;19925](astral-sh/uv#19925))
- Restore old behavior where workspace members "hidden" by an intermediate `pyproject.toml` would be treated as standalone projects ([#&#8203;19926](astral-sh/uv#19926))

### [`v0.11.22`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01122)

[Compare Source](astral-sh/uv@0.11.21...0.11.22)

Released on 2026-06-18.

##### Enhancements

- Publish wheels before sdists in `uv publish` ([#&#8203;19831](astral-sh/uv#19831))
- Add `TY` and `RUFF` env vars for providing paths for binaries used by `uv format` and `uv check` ([#&#8203;19821](astral-sh/uv#19821))

##### Preview features

- Allow configuring preview features in `uv.toml` and `pyproject.toml` ([#&#8203;18437](astral-sh/uv#18437))
- Update the lockfile during `uv check --no-sync` ([#&#8203;19909](astral-sh/uv#19909))
- Add `--script` to `uv check` and `uv metadata` ([#&#8203;19860](astral-sh/uv#19860))
- Report workspace-exclusive dependency groups in `workspace metadata` ([#&#8203;19862](astral-sh/uv#19862))
- Support SARIF as a `uv audit` output ([#&#8203;19872](astral-sh/uv#19872))

##### Performance

- Use a more deadlock-resistant concurrent hashmap in the resolver ([#&#8203;19532](astral-sh/uv#19532))

##### Bug fixes

- Update string marker ordering semantics to match [upstream clarified rules](pypa/packaging.python.org#1988) ([#&#8203;19808](astral-sh/uv#19808))
- Reject extras that have the same normalized name ([#&#8203;19871](astral-sh/uv#19871))
- Reject dependency group `include-group` entries that have additional fields ([#&#8203;19866](astral-sh/uv#19866))
- Reject invalid UTF-8 URL credentials ([#&#8203;19814](astral-sh/uv#19814))
- Validate that PEP 517 `backend-path`s exist when building sdists ([#&#8203;19834](astral-sh/uv#19834))
- Validate that `pylock.toml` files do not have an unsupported a `lock-version` ([#&#8203;19869](astral-sh/uv#19869))
- Validate that the environment satisfies the `packages.requires-python` of a `pylock.toml` ([#&#8203;19868](astral-sh/uv#19868))
- Allow `uv` to be recursively invoked by PEP 517 build hooks ([#&#8203;19879](astral-sh/uv#19879))
- Allow empty `credentials.toml` files ([#&#8203;19815](astral-sh/uv#19815))
- Fix transparent Python upgrades in project environments ([#&#8203;19890](astral-sh/uv#19890))
- Handle non-file editable URLs in `uv pip list` ([#&#8203;19867](astral-sh/uv#19867))
- Fix incorrect output from `uv tree --invert` ([#&#8203;19910](astral-sh/uv#19910))
- Fix environment locking of `uv venv` in a project ([#&#8203;19837](astral-sh/uv#19837))
- Fix handling of workspace-exclusive dependency groups in `uv tree` ([#&#8203;19905](astral-sh/uv#19905))

##### Documentation

- Archive the 0.10.x changelog ([#&#8203;19813](astral-sh/uv#19813))

##### Other changes

- Mark more tests as requiring network for vendors that need to run tests offline ([#&#8203;19819](astral-sh/uv#19819))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjIzMi4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6cGF0Y2giXX0=-->
hbjydev pushed a commit to hbjydev/phoebe that referenced this pull request Jul 10, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [uv](https://github.com/astral-sh/uv) | patch | `0.11.24` → `0.11.28` |

---

### Release Notes

<details>
<summary>astral-sh/uv (uv)</summary>

### [`v0.11.28`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01128)

[Compare Source](astral-sh/uv@0.11.27...0.11.28)

Released on 2026-07-07.

##### Security

This release updates our ZIP library, [astral-async-zip](https://github.com/astral-sh/rs-async-zip), to v0.0.20, which includes 15 changes that harden our ZIP handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject ZIP archives with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/rs-async-zip@v0.0.18...v0.0.20) for a full list of changes.

##### Python

- Upgrade GraalPy to 25.1.3 ([#&#8203;20069](astral-sh/uv#20069))

##### Enhancements

- Improve trace logs for unexpected error chains ([#&#8203;20220](astral-sh/uv#20220))
- Move lockfile update guidance to a hint ([#&#8203;20219](astral-sh/uv#20219))
- Preserve indentation for multiline error causes ([#&#8203;20156](astral-sh/uv#20156))
- Render user errors with their cause chains ([#&#8203;20217](astral-sh/uv#20217))
- Route final command errors through the printer to respect `-q` and `-qq` ([#&#8203;20163](astral-sh/uv#20163))
- Use standard rendering for `uv build` errors ([#&#8203;20159](astral-sh/uv#20159))
- Use standard rendering for tool requirement errors ([#&#8203;20160](astral-sh/uv#20160))

##### Performance

- Only compile bytecode for installed distributions in `uv pip install` ([#&#8203;19914](astral-sh/uv#19914))
- Avoid allocating URL-safe Git revisions ([#&#8203;20194](astral-sh/uv#20194))
- Avoid allocating canonical Python request strings ([#&#8203;20193](astral-sh/uv#20193))
- Avoid allocating custom Astral mirror URLs ([#&#8203;20204](astral-sh/uv#20204))
- Avoid allocating expanded compatibility tags ([#&#8203;20190](astral-sh/uv#20190))
- Avoid allocating shell strings that need no escaping ([#&#8203;20196](astral-sh/uv#20196))
- Avoid allocating static ABI descriptions ([#&#8203;20201](astral-sh/uv#20201))
- Avoid allocating static Windows executable names ([#&#8203;20200](astral-sh/uv#20200))
- Avoid allocating static dependency table names ([#&#8203;20199](astral-sh/uv#20199))
- Avoid allocating static platform triple components ([#&#8203;20195](astral-sh/uv#20195))
- Avoid allocating static resolver report labels ([#&#8203;20198](astral-sh/uv#20198))
- Avoid allocating static unavailable-version messages ([#&#8203;20197](astral-sh/uv#20197))
- Avoid allocating unchanged Python download architectures ([#&#8203;20202](astral-sh/uv#20202))
- Avoid allocating unchanged paths during case normalization ([#&#8203;20203](astral-sh/uv#20203))
- Avoid allocations when expanding group conflicts ([#&#8203;20211](astral-sh/uv#20211))
- Avoid allocations when formatting requirements ([#&#8203;20206](astral-sh/uv#20206))
- Avoid cloning credential lookup services ([#&#8203;20210](astral-sh/uv#20210))
- Avoid cloning dry-run distributions ([#&#8203;20209](astral-sh/uv#20209))
- Avoid cloning owned dependency metadata ([#&#8203;20212](astral-sh/uv#20212))
- Avoid redundant direct URL clones ([#&#8203;20207](astral-sh/uv#20207))
- Create metadata version errors lazily ([#&#8203;20205](astral-sh/uv#20205))
- Optimize expanded tag compatibility checks ([#&#8203;20171](astral-sh/uv#20171))
- Optimize parsing of single-digit three-part versions ([#&#8203;20118](astral-sh/uv#20118))

##### Bug fixes

- Avoid overflow when computing HTTP cache age ([#&#8203;20178](astral-sh/uv#20178))
- Respect `--upgrade` when `upgrade-package` is configured ([#&#8203;19955](astral-sh/uv#19955))
- Support `uv tree` in dependency-group-only projects ([#&#8203;20167](astral-sh/uv#20167))
- Treat cache entries as stale at exact expiration ([#&#8203;20183](astral-sh/uv#20183))

### [`v0.11.27`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01127)

[Compare Source](astral-sh/uv@0.11.26...0.11.27)

Released on 2026-07-06.

##### Enhancements

- Continue on ignored errors when fetching wheel metadata ([#&#8203;12255](astral-sh/uv#12255))
- Use caching for `--python-downloads-json-url` ([#&#8203;16749](astral-sh/uv#16749))

##### Preview features

- Discover extensionless shebang scripts in `uv workspace list --scripts` ([#&#8203;20099](astral-sh/uv#20099))

##### Performance

- Avoid full site-packages scans for direct reinstalls ([#&#8203;20119](astral-sh/uv#20119))
- Avoid redundant pyproject parsing ([#&#8203;20076](astral-sh/uv#20076))
- Cache default dependency markers when reading locks ([#&#8203;20125](astral-sh/uv#20125))
- Enable SIMD-accelerated TOML parsing ([#&#8203;20079](astral-sh/uv#20079))
- Intern `requires-python` specifiers in Simple API parsing ([#&#8203;20104](astral-sh/uv#20104))
- Read cache entries into exact-sized buffers ([#&#8203;20120](astral-sh/uv#20120))
- Reduce VersionSpecifiers parsing allocations ([#&#8203;20105](astral-sh/uv#20105))
- Reduce site-packages scan allocation overhead ([#&#8203;20087](astral-sh/uv#20087))
- Reuse package names when parsing wheel filenames ([#&#8203;20110](astral-sh/uv#20110))
- Sort Simple API files after grouping ([#&#8203;20112](astral-sh/uv#20112))

##### Bug fixes

- Always emit `packages` table for pylock.toml ([#&#8203;20145](astral-sh/uv#20145))
- Avoid blank line for empty `uv pip tree` ([#&#8203;20062](astral-sh/uv#20062))
- Encode hashes in file paths ([#&#8203;19807](astral-sh/uv#19807))
- Error on a registry uv.lock package without a version instead of panicking ([#&#8203;19855](astral-sh/uv#19855))
- Preserve conditional extra markers in exports ([#&#8203;20148](astral-sh/uv#20148))
- Skip the ambiguous authority check for file transport VCS URLs ([#&#8203;20086](astral-sh/uv#20086))
- Sync index format when `uv add --index` updates an existing index URL ([#&#8203;19818](astral-sh/uv#19818))

##### Other changes

- Re-add `pub` APIs used in Pixi ([#&#8203;20074](astral-sh/uv#20074))
- Update Rust toolchain to 1.96.1 ([#&#8203;20103](astral-sh/uv#20103))

### [`v0.11.26`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01126)

[Compare Source](astral-sh/uv@0.11.25...0.11.26)

Released on 2026-06-30.

##### Performance

- Adapt uv to IDs-only PubGrub dependencies ([#&#8203;20048](astral-sh/uv#20048))
- Avoid allocations in `ForkMap::contains` ([#&#8203;20023](astral-sh/uv#20023))
- Reuse resolver work across PubGrub iterations ([#&#8203;20020](astral-sh/uv#20020))
- Speed up candidate selection for disjoint ranges ([#&#8203;20026](astral-sh/uv#20026))

##### Bug fixes

- Warn when the build cache is inside the source directory ([#&#8203;20056](astral-sh/uv#20056))

### [`v0.11.25`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01125)

[Compare Source](astral-sh/uv@0.11.24...0.11.25)

Released on 2026-06-26.

##### Security

This release updates our tar library, [astral-tokio-tar](https://github.com/astral-sh/tokio-tar), to v0.6.3, which includes over 20 changes that harden our tar handling against [parser differentials](https://www.brainonfire.net/blog/2022/04/11/what-is-parser-mismatch/). uv may reject source distributions with malformed or ambiguous content that were previously accepted.

See the [upstream commits](astral-sh/tokio-tar@v0.6.2...v0.6.3) for a full list of changes.

##### Enhancements

- Add a full "lockfile" to tool receipts ([#&#8203;18937](astral-sh/uv#18937))
- Allow scoped overrides to add dependencies ([#&#8203;19974](astral-sh/uv#19974))
- Avoid writing redundant lockfile markers with `tool.uv.environments` ([#&#8203;19933](astral-sh/uv#19933))
- Factor supported environments out of lockfile markers ([#&#8203;19969](astral-sh/uv#19969))
- Recommend our own build backend in the build frontend ([#&#8203;19994](astral-sh/uv#19994))
- Reject wheels with multiple .dist-info directories ([#&#8203;19986](astral-sh/uv#19986))
- Simplify dependency markers under parent reachability ([#&#8203;19971](astral-sh/uv#19971))
- Support scoped dependency exclusions ([#&#8203;19977](astral-sh/uv#19977))
- Support scoped dependency overrides ([#&#8203;19970](astral-sh/uv#19970))
- Explain why files are skipped in registry index parsing ([#&#8203;19983](astral-sh/uv#19983))

##### Preview features

- Add `uv workspace list --scripts` ([#&#8203;20009](astral-sh/uv#20009))
- Support centralised environments in `uv venv` ([#&#8203;19912](astral-sh/uv#19912))
- Use locked ty versions in `uv check` ([#&#8203;19884](astral-sh/uv#19884))
- Add centralized storage of project environments ([#&#8203;18214](astral-sh/uv#18214))
- Verify lockfile hashes before reusing a cached ty in `uv check` ([#&#8203;19995](astral-sh/uv#19995))
- Use locked dependency selection for `uv check --script` ([#&#8203;19989](astral-sh/uv#19989))

##### Bug fixes

- Preserve standalone markers in workspace metadata ([#&#8203;20011](astral-sh/uv#20011))
- Reject `uv build` if the cache dir is enclosed ([#&#8203;19991](astral-sh/uv#19991))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItcmVsZWFzZSIsInR5cGUvcGF0Y2giXX0=-->

Reviewed-on: https://forgejo.hayden.moe/hayden/phoebe/pulls/203
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or improvement to existing functionality preview Experimental behavior

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add an option to store virtual environments in a centralized location outside projects