| // NOTE: intentional: we don't currently fail if there are any adverse statuses, | ||
| // only when there are vulnerabilities. We will likely change this once we allow users | ||
| // to ignore adverse statuses and configure policies. | ||
| if has_vulnerabilities { |
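Review bot: the NOTE above `if has_vulnerabilities {` explains that adverse statuses are deliberately report-only but gives no pointer to where the config/policy work is tracked; reference the tracking issue (the summary names #18506) next to the comment so the intentional non-failure is easy to revisit, and make sure the `uv audit` documentation states that a quarantined, archived or deprecated dependency alone still yields a zero exit code, since CI users will otherwise assume the audit would have blocked it.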
Flagging: I loosened this intentionally, since I don't think we want to suddenly start failing based on adverse statuses here, at least not until we have a config/policy story.
| iniconfig is deprecated: | ||
| Reason: no-longer-maintained |
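Review bot: `Reason: no-longer-maintained` is rendered as a separate line under the status, and the reason is optional in the data (the thread notes PyPI does not emit one today); confirm the `Reason:` line is suppressed entirely when the reason is absent or empty rather than printed with nothing after it, and cover the no-reason case with a test alongside the one that produced this snapshot.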
What do you think about merging those two into one line? `iniconfig is deprecated: no-longer-maintained`
Works for me -- the original reason I didn't is because (in principle) the reason can be multiple lines or have interior formatting, although in practice PyPI doesn't allow a reason at the moment so that's moot. Putting it on the same line seems fine to me.
|
|
||
| Adverse statuses: | ||
|
|
||
| iniconfig is archived |
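Review bot: `iniconfig is archived` sits at the same indentation as the `Adverse statuses:` heading with blank lines in between, so once several projects are reported a reader cannot see where the list starts and ends; indent or bullet each status line under the heading, keeping package name and status on a single line so the output stays greppable in CI logs.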
I feel like I'm missing some visual outline here, maybe some bullet points?
Signed-off-by: William Woodruff <william@astral.sh>
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [uv](https://github.com/astral-sh/uv) | patch | `0.11.7` → `0.11.11` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (uv)</summary>

### [`v0.11.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01111)

[Compare Source](astral-sh/uv@0.11.10...0.11.11)

Released on 2026-05-06.

##### Bug fixes

- Accept legacy ID format from pre-0.11.9 cache entries ([#19301](astral-sh/uv#19301))

### [`v0.11.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#01110)

[Compare Source](astral-sh/uv@0.11.9...0.11.10)

Released on 2026-05-05.

##### Bug fixes

- Allow pre-release Python requests with non-zero patch versions ([#19286](astral-sh/uv#19286))

### [`v0.11.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0119)

[Compare Source](astral-sh/uv@0.11.8...0.11.9)

Released on 2026-05-04.

This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored. We would greatly appreciate if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team. For more context, see the [announcement](https://discuss.python.org/t/reverting-the-incremental-gc-in-python-3-14-and-3-15/107014), [issue](python/cpython#148726), and [pull request](python/cpython#148720). Issues with the new release can be reported in the uv or CPython issue trackers.

##### Python

- Upgrade PyPy to v7.3.22
- Add CPython 3.14.5rc1
- On macOS, CPython statically links `libpython` to match Linux

##### Enhancements

- Omit compatible release desugaring for pre-release hints ([#19267](astral-sh/uv#19267))
- Fix file locks on Android ([#18323](astral-sh/uv#18323))

##### Preview

- `uv audit` add reporting for adverse project statuses ([#19128](astral-sh/uv#19128))

##### Bug fixes

- Discover versioned Python executables when `requires-python` pins a version ([#18700](astral-sh/uv#18700))
- Fix URL prefix matching to require path boundaries ([#19154](astral-sh/uv#19154))
- Fix transitive Git path dependencies in lockfiles ([#19269](astral-sh/uv#19269))
- Handle incorrect unlock error in `LockedFile::drop` on Wine ([#19229](astral-sh/uv#19229))
- Prevent uninstalling site-packages for empty `top_level.txt` in `.egg-info` ([#19114](astral-sh/uv#19114))
- Use symlinks instead of junctions on Wine ([#19213](astral-sh/uv#19213))
- Fix floating-point environment handling on ARMv7 ([#19157](astral-sh/uv#19157))
- Redact credentials from remote requirements URL in offline errors ([#19216](astral-sh/uv#19216))
- Windows trampolines no longer set `PYTHONHOME` and only set `__PYVENV_LAUNCHER__` for virtual environments ([#19199](astral-sh/uv#19199))

##### Documentation

- Mark `--native-tls` and `UV_NATIVE_TLS` as deprecated ([#18705](astral-sh/uv#18705))
- Re-add `pytorch-triton-rocm` to PyTorch ROCm docs ([#19241](astral-sh/uv#19241))
- Tweak changelog entries for 0.11.8 ([#19188](astral-sh/uv#19188))
- Add 'Exporting lockfiles' to the Concepts->Projects index ([#19209](astral-sh/uv#19209))
- Clarify that `uv init` creates git files / folders in the projects guide ([#19183](astral-sh/uv#19183))

### [`v0.11.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0118)

[Compare Source](astral-sh/uv@0.11.7...0.11.8)

Released on 2026-04-27.

##### Enhancements

- Add `--python-downloads-json-url` to `python pin` ([#19092](astral-sh/uv#19092))
- Fetch uv from Astral mirror during self-update ([#18682](astral-sh/uv#18682))
- Support `pip uninstall -y` ([#19082](astral-sh/uv#19082))
- Allow `exclude-newer` to be missing from the lockfile when `exclude-newer-span` is present ([#19024](astral-sh/uv#19024))
- Only show the version number in `uv self version --short` ([#19019](astral-sh/uv#19019))
- Silence warnings on empty `SSL_CERT_DIR` directory ([#19018](astral-sh/uv#19018))
- Use a sentinel timestamp for relative `exclude-newer` and `exclude-newer-package` values in lockfiles ([#19022](astral-sh/uv#19022), [#19101](astral-sh/uv#19101))

##### Configuration

- Add `UV_PYTHON_NO_REGISTRY` ([#19035](astral-sh/uv#19035))
- Add an environment variable for `UV_NO_PROJECT` ([#19052](astral-sh/uv#19052))
- Expose `UV_PYTHON_SEARCH_PATH` for Python discovery `PATH` overrides ([#19034](astral-sh/uv#19034))

##### Bug fixes

- Add `rust-toolchain.toml` to uv-build sdist ([#19131](astral-sh/uv#19131))
- Ensure uv invocations of git do not inherit repository location environment variables ([#19088](astral-sh/uv#19088))
- Redact pre-signed upload URLs in verbose output ([#19146](astral-sh/uv#19146))
- Handle transitive URL dependencies in PEP 517 build requirements ([#19076](astral-sh/uv#19076), [#19086](astral-sh/uv#19086))
- Support `uv lock` on a `pyproject.toml` that only contains dependency-groups ([#19087](astral-sh/uv#19087))
- Disable transparent Python upgrades in projects when a patch version is requested via `.python-version` ([#19102](astral-sh/uv#19102))
- Fix Python variant tagging in the Windows registry ([#19012](astral-sh/uv#19012))
- Ban external symlinks in `.tar.zst` wheels ([#19144](astral-sh/uv#19144))

##### Distributions

- Remove deprecated license classifiers from uv-build and add Python 3.14 classifier ([#19130](astral-sh/uv#19130))

##### Documentation

- Bump astral-sh/setup-uv version in docs ([#19030](astral-sh/uv#19030))
- Update PyTorch documentation for PyTorch 2.11 ([#19095](astral-sh/uv#19095))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
## Summary

Part of #18506. Closes #15254.

With this, we take the PEP 792 project status information (already present in our internal representations per #15254) and use it to produce appropriate adverse status reports (e.g. `hackme is quarantined`). To do this we need to make (frequently cached) registry client requests, on top of whatever requests (currently just OSV) that `uv audit` needs to make for known vulnerabilities/malware.

## Test Plan

I've added unit and integration tests, along with some `pypi-proxy` scaffolding changes to allow us to easily test different project statuses.
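As an added illustration of the reporting and exit-code policy discussed in this thread (example code, not uv's own types or implementation), the following stand-alone Rust models the four PEP 792 statuses, renders one `name is status: reason` line per adverse project with the reason joined onto the same line (and dropped when empty), rejects unknown status strings instead of silently ignoring them, and keeps the "fail only on vulnerabilities" rule from the reviewed snippet. The names `ProjectStatus`, `AuditedProject`, `adverse_status_lines` and `should_fail` are assumptions for this example.

```rust
/// The four project statuses defined by PEP 792 (modelled here; not uv's own types).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ProjectStatus { Active, Archived, Quarantined, Deprecated }
impl ProjectStatus {
    /// Parse the `status` value of a Simple API `project-status` object; an
    /// unknown string yields `None` so a future status is surfaced, not silently dropped.
    pub fn parse(raw: &str) -> Option<Self> {
        match raw {
            "active" => Some(Self::Active),
            "archived" => Some(Self::Archived),
            "quarantined" => Some(Self::Quarantined),
            "deprecated" => Some(Self::Deprecated),
            _ => None,
        }
    }

    /// Only `active` is benign; everything else is reported as adverse.
    pub fn is_adverse(self) -> bool { self != Self::Active }
    pub fn as_str(self) -> &'static str {
        match self {
            Self::Active => "active",
            Self::Archived => "archived",
            Self::Quarantined => "quarantined",
            Self::Deprecated => "deprecated",
        }
    }
}

/// A resolved project plus the status (and optional reason) fetched from its index.
pub struct AuditedProject<'a> { pub name: &'a str, pub status: ProjectStatus, pub reason: Option<&'a str> }

/// One line per adverse project, reason on the same line when present,
/// e.g. `iniconfig is deprecated: no-longer-maintained`. Blank reasons are dropped.
pub fn adverse_status_lines(projects: &[AuditedProject<'_>]) -> Vec<String> {
    projects
        .iter()
        .filter(|p| p.status.is_adverse())
        .map(|p| match p.reason.map(str::trim).filter(|r| !r.is_empty()) {
            Some(reason) => format!("{} is {}: {}", p.name, p.status.as_str(), reason),
            None => format!("{} is {}", p.name, p.status.as_str()),
        })
        .collect()
}

/// Exit policy from the reviewed snippet: adverse statuses are report-only;
/// only known vulnerabilities make the audit fail.
pub fn should_fail(has_vulnerabilities: bool, _adverse_count: usize) -> bool { has_vulnerabilities }
```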