v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.2.0

Compare Source

What's Changed

Dependency Upgrades

• Upgrade dependencies to Node 24 compatible versions by @​salmanmkc in #​1259
• Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @​dependabot in #​1253 and #​1264

Full Changelog: actions/setup-python@v6...v6.2.0

v7.2.1: 🌈 update known checksums up to 0.9.28

Compare Source

Changes

🧰 Maintenance

• chore: update known checksums for 0.9.28 @​github-actions[bot] (#​744)
• chore: update known checksums for 0.9.27 @​github-actions[bot] (#​742)
• chore: update known checksums for 0.9.26 @​github-actions[bot] (#​734)
• chore: update known checksums for 0.9.25 @​github-actions[bot] (#​733)
• chore: update known checksums for 0.9.24 @​github-actions[bot] (#​730)

📚 Documentation

• Clarify impact of using actions/setup-python @​eifinger (#​732)

⬆️ Dependency updates

• Bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 @​dependabot[bot] (#​741)

v7.2.0: 🌈 add outputs python-version and python-cache-hit

Compare Source

Changes

Among some minor typo fixes and quality of life features for developers of actions the main feature of this release are new outputs:

• python-version: The Python version that was set (same content as existing UV_PYTHON)
• python-cache-hit: A boolean value to indicate the Python cache entry was found

While implementing this it became clear, that it is easier to handle the Python binaries in a separate cache entry. The added benefit for users is that the "normal" cache containing the dependencies can be used in all runs no matter if these cache the Python binaries or not.

[!NOTE]
This release will invalidate caches that contain the Python binaries. This happens a single time.

🐛 Bug fixes

• chore: remove stray space from UV_PYTHON_INSTALL_DIR message @​akx (#​720)

🚀 Enhancements

• add outputs python-version and python-cache-hit @​eifinger (#​728)
• Add action typings with validation @​krzema12 (#​721)

🧰 Maintenance

• fix: use uv_build backend for old-python-constraint-project @​eifinger (#​729)
• chore: update known checksums for 0.9.22 @​github-actions[bot] (#​727)
• chore: update known checksums for 0.9.21 @​github-actions[bot] (#​726)
• chore: update known checksums for 0.9.20 @​github-actions[bot] (#​725)
• chore: update known checksums for 0.9.18 @​github-actions[bot] (#​718)

⬆️ Dependency updates

• Bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 @​dependabot[bot] (#​719)
• Bump github/codeql-action from 4.31.6 to 4.31.9 @​dependabot[bot] (#​723)

v0.10.0

Compare Source

Since we released uv 0.9.0 in October of 2025, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.

This release also includes the stabilization of preview features. Python upgrades are now stable, including the uv python upgrade command, uv python install --upgrade, and automatically upgrading Python patch versions in virtual environments when a new version is installed. The add-bounds and extra-build-dependencies settings are now stable. Finally, the uv workspace dir and uv workspace list utilities for writing scripts against workspace members are now stable.

Breaking changes

• Require --clear to remove existing virtual environments in uv venv (#​17757)

  Previously, uv venv would prompt for confirmation before removing an existing virtual environment in interactive contexts, and remove it without confirmation in non-interactive contexts. Now, uv venv requires the --clear flag to remove an existing virtual environment. A warning for this change was added in uv 0.8.

  You can opt out of this behavior by passing the --clear flag or setting UV_VENV_CLEAR=1.

• Error if multiple indexes include default = true (#​17011)

  Previously, uv would silently accept multiple indexes with default = true and use the first one. Now, uv will error if multiple indexes are marked as the default.

  You cannot opt out of this behavior. Remove default = true from all but one index.

• Error when an explicit index is unnamed (#​17777)

  Explicit indexes can only be used via the [tool.uv.sources] table, which requires referencing the index by name. Previously, uv would silently accept unnamed explicit indexes, which could never be referenced. Now, uv will error if an explicit index does not have a name.

  You cannot opt out of this behavior. Add a name to the explicit index or remove the entry.

• Install alternative Python executables using their implementation name (#​17756, #​17760)

  Previously, uv python install would install PyPy, GraalPy, and Pyodide executables with names like python3.10 into the bin directory. Now, these executables will be named using their implementation name, e.g., pypy3.10, graalpy3.10, and pyodide3.12, to avoid conflicting with CPython installations.

  You cannot opt out of this behavior.

• Respect global Python version pins in uv tool run and uv tool install (#​14112)

  Previously, uv tool run and uv tool install did not respect the global Python version pin (set via uv python pin --global). Now, these commands will use the global Python version when no explicit version is requested.

  For uv tool install, if the tool is already installed, the Python version will not change unless --reinstall or --python is provided. If the tool was previously installed with an explicit --python flag, the global pin will not override it.

  You can opt out of this behavior by providing an explicit --python flag.

• Remove Debian Bookworm, Alpine 3.21, and Python 3.8 Docker images (#​17755)

  The Debian Bookworm and Alpine 3.21 images were replaced by Debian Trixie and Alpine 3.22 as defaults in uv 0.9. These older images are now removed. Python 3.8 images are also removed, as Python 3.8 is no longer supported in the Trixie or Alpine base images.

  The following image tags are no longer published:

  • uv:bookworm, uv:bookworm-slim
  • uv:alpine3.21
  • uv:python3.8-*

  Use uv:debian or uv:trixie instead of uv:bookworm, uv:alpine or uv:alpine3.22 instead of uv:alpine3.21, and a newer Python version instead of uv:python3.8-*.

• Drop PPC64 (big endian) builds (#​17626)

  uv no longer provides pre-built binaries for PPC64 (big endian). This platform appears to be largely unused and is only supported on a single manylinux version. PPC64LE (little endian) builds are unaffected.

  Building uv from source is still supported for this platform.

• Skip generating activate.csh for relocatable virtual environments (#​17759)

  Previously, uv venv --relocatable would generate an activate.csh script that contained hardcoded paths, making it incompatible with relocation. Now, the activate.csh script is not generated for relocatable virtual environments.

  You cannot opt out of this behavior.

• Require username when multiple credentials match a URL (#​16983)

  When using uv auth login to store credentials, you can register multiple username and password combinations for the same host. Previously, when uv needed to authenticate and multiple credentials matched the URL (e.g., when retrieving a token with uv auth token), uv would pick the first match. Now, uv will error instead.

  You cannot opt out of this behavior. Include the username in the request, e.g., uv auth token --username foo example.com.

• Avoid invalidating the lockfile versions after an exclude-newer change (#​17721)

  Previously, changing the exclude-newer setting would cause package versions to be upgraded, ignoring the lockfile entirely. Now, uv will only change package versions if they are no longer within the exclude-newer range.

  You can restore the previous behavior by using --upgrade or --upgrade-package to opt-in to package version changes.

• Upgrade uv format to Ruff 0.15.0 (#​17838)

  uv format now uses Ruff 0.15.0, which uses the 2026 style guide. See the blog post for details.

  The formatting of code is likely to change. You can opt out of this behavior by requesting an older Ruff version, e.g., uv format --version 0.14.14.

• Update uv crate test features to use test- as a prefix (#​17860)

  This change only affects redistributors of uv. The Cargo features used to gate test dependencies, e.g., pypi, have been renamed with a test- prefix for clarity, e.g., test-pypi.

Stabilizations

• uv python upgrade and uv python install --upgrade (#​17766)

  When installing Python versions, an intermediary directory without the patch version attached will be created, and virtual environments will be transparently upgraded to new patch versions.

  See the Python version documentation for more details.

• uv add --bounds and the add-bounds configuration option (#​17660)

  This does not come with any behavior changes. You will no longer see an experimental warning when using uv add --bounds or add-bounds in configuration.

• uv workspace list and uv workspace dir (#​17768)

  This does not come with any behavior changes. You will no longer see an experimental warning when using these commands.

• extra-build-dependencies (#​17767)

  This does not come with any behavior changes. You will no longer see an experimental warning when using extra-build-dependencies in configuration.

Enhancements

• Improve ABI tag error message phrasing (#​17878)
• Introduce a 10s connect timeout (#​17733)
• Allow using pyx.dev as a target in uv auth commands despite PYX_API_URL differing (#​17856)

Bug fixes

• Support all CPython ABI tag suffixes properly (#​17817)
• Add support for detecting PowerShell on Linux and macOS (#​17870)
• Retry timeout errors for streams (#​17875)

v0.9.30

Compare Source

Release Notes

Released on 2026-02-04.

Python

• Add CPython 3.14.3 and 3.13.12 (#​17849)

Enhancements

• Allow comma-separated values for --extra option (#​17525)
• Check all files during a dry-run publish instead of stopping at the first failure (#​17785)
• Clarify UV_HTTP_TIMEOUT error message (#​17493)

Preview features

• Use relocatable virtual environments by default (#​17770)

Bug fixes

• Fix deadlock on token refresh in uv publish when using pyx (#​17832)
• Ignore global Python pins when incompatible with project (#​15473)

Install uv 0.9.30

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.30/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.30/uv-installer.ps1 | iex"

Download uv 0.9.30

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo astral-sh/uv

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

v0.9.29

Compare Source

Release Notes

Released on 2026-02-03.

Python

• Update to Pyodide 0.29.3 (#​17730)

Enhancements

• Add wheel-tag-style aliases for manylinux platform names (#​17750)
• Hint on uv version --bump dev similar to pre-release bumps (#​17796)
• Improve display of RFC 9457 Problem Detail responses in uv publish server errors (#​17787)
• Improve the wording of publish errors during dry-run (#​17782)
• Set backoff to 10 retries (#​17816)
• Add properties to synthentic and project roots in Cyclone DX exports (#​17820)
• Identify the invidividual clients in uv publish trace logs (#​17784)

Preview features

• Remove special casing for base and default conda environment names (#​17758)

Bug fixes

• Fix PYTHONHOME inheritance when spawning different Python versions (#​17821)
• Fix wheel rejections on freethreading+debug builds (#​17812)
• Pad with zeros during comparisons in EqualStar and NotEqualStar operators (#​17751)
• Reject unknown field names in conflict declarations (#​17727)
• Fix panics in system-configuration in sandboxes (#​17829)

Documentation

• Update pip pre-release compatibility information (#​17788)

Security

• Hide a subset of environment variable values in --help (#​17745)

Install uv 0.9.29

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.29/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.29/uv-installer.ps1 | iex"

Download uv 0.9.29

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo astral-sh/uv

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

v0.9.28

Compare Source

Release Notes

Released on 2026-01-29.

Python

• Update CPython to use OpenSSL 3.5.5 which includes fixes for high severity CVEs (python-build-standalone#960)

Enhancements

• Add support for Pyodide interpreter on Windows (#​17658)
• Warn if multiple indexes include default = true (#​17713)
• Skip uploads when validation reports 'Already uploaded' (#​17412)

Configuration

• Add a reflink alias for the "clone" link mode (#​17724)

Bug fixes

• Ensure uv.exe exits when uvw.exe or uvx.exe is killed (#​17500)

Install uv 0.9.28

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.28/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.28/uv-installer.ps1 | iex"

Download uv 0.9.28

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo astral-sh/uv

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

v4.32.2

Compare Source

• Update default CodeQL bundle version to 2.24.1. #​3460

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

v46.0.1

Compare Source

Miscellaneous Chores

• deps: update dependency @​tsconfig/strictest to v2.0.8 (#​959) (6ba4a5c)
• deps: update dependency prettier-plugin-packagejson to v3 (#​999) (bce6a9f)
• deps: update dependency renovatebot/github-action to v46 (#​1011) (4d7de57)
• deps: update prettier packages (#​988) (8a6192f)

Build System

• deps: lock file maintenance (2fec032)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.0.6 (d361423)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.0.8 (c0ab525)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.0.9 (9f55a79)

v46.0.0

Compare Source

⚠ BREAKING CHANGES

• deps: Update ghcr.io/renovatebot/renovate Docker tag to v43 (#​993)

Features

• deps: Update ghcr.io/renovatebot/renovate Docker tag to v43 (#​993) (ae99b37)

v45.0.3

Compare Source

Bug Fixes

• deps: update dependency @​actions/core to v3 (#​1008) (d724dd3)

v45.0.2

Compare Source

Bug Fixes

• deps: update dependency @​actions/exec to v3 (#​1009) (e098430)

Miscellaneous Chores

• deps: replace dependency @​tsconfig/node20 with @​tsconfig/node22 (#​1010) (df519dc)
• deps: update dependency @​tsconfig/node22 to v22.0.5 (29e7d61)

v45.0.1

Compare Source

Bug Fixes

• deps: update dependency @​actions/core to v2 (#​1005) (ffd1bc7)
• deps: update dependency @​actions/exec to v2 (#​1007) (8680378)

Miscellaneous Chores

• deps: update dependency @​types/node to v24 (#​976) (d2b9da6)
• deps: update dependency globals to v17 (#​1001) (f391c83)
• deps: update dependency renovatebot/github-action to v45 (#​1006) (19b5bd8)
• renovate: fix config (#​998) (dffa4d4)
• renovate: group all renovate major updates (#​1003) (969380c)

Continuous Integration

• fix renovate comment for grouping (#​1004) (a07086a)

v45.0.0

Compare Source

⚠ BREAKING CHANGES

• Require node v24 (#​989)

Features

• Require node v24 (#​989) (569b928)

Miscellaneous Chores

• allow js explicit (#​991) (5b01b35)
• deps: update actions/cache action to v5.0.3 (5075ddc)
• deps: update dependency typescript-eslint to v8.53.1 (066c0b5)
• deps: update pnpm to v10.28.1 (c0fa679)
• renovate: group all Renovate updates together (#​992) (253db8a)
• renovater: exclude major from docs grouping (#​996) (4dfbc50)

Continuous Integration

• add auto reviewer (#​990) (5aaf050)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.92.10 (b74d2be)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.92.11 (6eb6ef2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.92.5 (7996fff)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.92.9 (df65844)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.94.6 (4990c24)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.94.7 (e9974c0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.95.0 (21d8fc4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v42.95.1 (9332c36)