Skip to content

uv: fix CVE-2025-62518 #454422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 22, 2025
Merged

uv: fix CVE-2025-62518 #454422

merged 1 commit into from
Oct 22, 2025

Conversation

@Prince213
Copy link
Member

@Prince213 Prince213 commented Oct 22, 2025
edited
Loading

Related to:

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

github-actions[bot]
github-actions bot previously requested changes Oct 22, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

Please follow the backporting guidelines and cherry-pick with the -x flag.
This requires changes to the unstable master and staging branches first, before backporting them.

Occasionally, commits are not cherry-picked at all, for example when updating minor versions of packages which have already advanced to the next major on unstable.
These commits can optionally be marked with a Not-cherry-picked-because: <reason> footer.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Warning

Couldn't locate original commit hash in message of 000b8ec.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@Prince213 Prince213 added 1.severity: security Issues which raise a security issue, or PRs that fix one 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. labels Oct 22, 2025
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 501-1000 This PR causes many rebuilds on Linux and should normally target the staging branches. 4.workflow: backport This targets a stable branch labels Oct 22, 2025
@dotlambda dotlambda dismissed github-actions[bot]’s stale review October 22, 2025 02:41

We patch rather than bump the version.

dotlambda
dotlambda reviewed Oct 22, 2025
View reviewed changes
github-actions[bot]
github-actions bot previously requested changes Oct 22, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

Please follow the backporting guidelines and cherry-pick with the -x flag.
This requires changes to the unstable master and staging branches first, before backporting them.

Occasionally, commits are not cherry-picked at all, for example when updating minor versions of packages which have already advanced to the next major on unstable.
These commits can optionally be marked with a Not-cherry-picked-because: <reason> footer.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Warning

Couldn't locate original commit hash in message of a1d2687.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

Prince213
Prince213 commented Oct 22, 2025
View reviewed changes
Copy link
Member Author

@Prince213 Prince213 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Built on x86_64-linux:

/nix/store/y6k316mbyp9g4m2m0j09m15y24c6yxc6-uv-0.7.22
/nix/store/fa6daxbcalxx6nj67ixmfbin108i65nm-python3.12-uv-0.7.22
/nix/store/gp400286199h6pvgwv0sp54gx7p9vmc4-python3.12-uv-build-0.7.22

@Prince213 Prince213 requested a review from dotlambda October 22, 2025 03:40
@nixpkgs-ci nixpkgs-ci bot added 6.topic: python Python is a high-level, general-purpose programming language. and removed 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. labels Oct 22, 2025
@dotlambda dotlambda dismissed github-actions[bot]’s stale review October 22, 2025 03:48

We patch rather than bump the version.

@Prince213 Prince213 mentioned this pull request Oct 22, 2025
Merged
13 tasks
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Oct 22, 2025
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Oct 22, 2025
@GaetanLepage GaetanLepage added this pull request to the merge queue Oct 22, 2025
Merged via the queue into NixOS:staging-next-25.05 with commit b0a2466 Oct 22, 2025
32 of 36 checks passed
@Chaostheorie Chaostheorie mentioned this pull request Oct 22, 2025
Closed
@niklaskorz niklaskorz mentioned this pull request Oct 24, 2025
Closed
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drupol drupol drupol approved these changes

@dotlambda dotlambda dotlambda approved these changes

@GaetanLepage GaetanLepage GaetanLepage approved these changes

@github-actions github-actions[bot] github-actions[bot] left review comments

@bengsparks bengsparks Awaiting requested review from bengsparks

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 4.workflow: backport This targets a stable branch 6.topic: python Python is a high-level, general-purpose programming language. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 501-1000 This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 12.approvals: 2 This PR was reviewed and approved by two persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Prince213 @drupol @dotlambda @GaetanLepage