chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.7.2

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ghcr.io/astral-sh/uv	stage	minor	0.6.16 -> 0.7.2

---

Release Notes

astral-sh/uv (ghcr.io/astral-sh/uv)

v0.7.2

Compare Source

Enhancements

• Improve trace log for retryable errors (#​13228)
• Use "error" instead of "warning" for self-update message (#​13229)
• Error when uv version is used with project-specific flags but no project is found (#​13203)

Bug fixes

• Fix incorrect virtual environment invalidation for pre-release Python versions (#​13234)
• Fix patching of clang in managed Python sysconfig (#​13237)
• Respect --project in uv version (#​13230)

v0.7.1

Compare Source

Enhancement

• Add support for BLAKE2b-256 (#​13204)

Bugfix

• Revert fix handling of authentication when encountering redirects (#​13215)

v0.7.0

Compare Source

This release contains various changes that improve correctness and user experience, but could break some workflows; many changes have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.

Breaking changes

• Update uv version to display and update project versions (#​12349)

  Previously, uv version displayed uv's version. Now, uv version will display or update the project's version. This interface was heavily requested and, after much consideration, we decided that transitioning the top-level command was the best option.

  Here's a brief example:

  $ uv init example
  Initialized project `example` at `./example`
  $ cd example
  $ uv version
  example 0.1.0
  $ uv version --bump major
  example 0.1.0 => 1.0.0
  $ uv version --short
  1.0.0

  If used outside of a project, uv will fallback to showing its own version still:

  $ uv version
  warning: failed to read project: No `pyproject.toml` found in current directory or any parent directory
    running `uv self version` for compatibility with old `uv version` command.
    this fallback will be removed soon, pass `--preview` to make this an error.
  
  uv 0.7.0 (4433f41c9 2025-04-29)

  As described in the warning, --preview can be used to error instead:

  $ uv version --preview
  error: No `pyproject.toml` found in current directory or any parent directory

  The previous functionality of uv version was moved to uv self version.

• Avoid fallback to subsequent indexes on authentication failure (#​12805)

  When using the first-index strategy (the default), uv will stop searching indexes for a package once it is found on a single index. Previously, uv considered a package as "missing" from an index during authentication failures, such as an HTTP 401 or HTTP 403 (normally, missing packages are represented by an HTTP 404). This behavior was motivated by unusual responses from some package indexes, but reduces the safety of uv's index strategy when authentication fails. Now, uv will consider an authentication failure as a stop-point when searching for a package across indexes. The index.ignore-error-codes option can be used to recover the existing behavior, e.g.:

  [[tool.uv.index]]
  name = "pytorch"
  url = "https://download.pytorch.org/whl/cpu"
  ignore-error-codes = [401, 403]

  Since PyTorch's indexes always return a HTTP 403 for missing packages, uv special-cases indexes on the pytorch.org domain to ignore that error code by default.

• Require the command in uvx <name> to be available in the Python environment (#​11603)

  Previously, uvx would attempt to execute a command even if it was not provided by a Python package. For example, if we presume foo is an empty Python package which provides no command, uvx foo would invoke the foo command on the PATH (if present). Now, uv will error early if the foo executable is not provided by the requested Python package. This check is not enforced when --from is used, so patterns like uvx --from foo bash -c "..." are still valid. uv also still allows uvx foo where the foo executable is provided by a dependency of foo instead of foo itself, as this is fairly common for packages which depend on a dedicated package for their command-line interface.

• Use index URL instead of package URL for keyring credential lookups (#​12651)

  When determining credentials for querying a package URL, uv previously sent the full URL to the keyring command. However, some keyring plugins expect to receive the index URL (which is usually a parent of the package URL). Now, uv requests credentials for the index URL instead. This behavior matches pip.

• Remove --version from subcommands (#​13108)

  Previously, uv allowed the --version flag on arbitrary subcommands, e.g., uv run --version. However, the --version flag is useful for other operations since uv is a package manager. Consequently, we've removed the --version flag from subcommands — it is only available as uv --version.

• Omit Python 3.7 downloads from managed versions (#​13022)

  Python 3.7 is EOL and not formally supported by uv; however, Python 3.7 was previously available for download on a subset of platforms.

• Reject non-PEP 751 TOML files in install, compile, and export commands (#​13120, #​13119)

  Previously, uv treated arbitrary .toml files passed to commands (e.g., uv pip install -r foo.toml or uv pip compile -o foo.toml) as requirements.txt-formatted files. Now, uv will error instead. If using PEP 751 lockfiles, use the standardized format for custom names instead, e.g., pylock.foo.toml.

• Ignore arbitrary Python requests in version files (#​12909)

  uv allows arbitrary strings to be used for Python version requests, in which they are treated as an executable name to search for in the PATH. However, using this form of request in .python-version files is non-standard and conflicts with pyenv-virtualenv which writes environment names to .python-version files. In this release, uv will now ignore requests that are arbitrary strings when found in .python-version files.

• Error on unknown dependency object specifiers (12811)

  The [dependency-groups] entries can include "object specifiers", e.g. set-phasers-to = ... in:

  [dependency-groups]
  foo = ["pyparsing"]
  bar = [{set-phasers-to = "stun"}]

  However, the only current spec-compliant object specifier is include-group. Previously, uv would ignore unknown object specifiers. Now, uv will error.

• Make --frozen and --no-sources conflicting options (#​12671)

  Using --no-sources always requires a new resolution and --frozen will always fail when used with it. Now, this conflict is encoded in the CLI options for clarity.

• Treat empty UV_PYTHON_INSTALL_DIR and UV_TOOL_DIR as unset (#​12907, #​12905)

  Previously, these variables were treated as set to the current working directory when set to an empty string. Now, uv will ignore these variables when empty. This matches uv's behavior for other environment variables which configure directories.

Enhancements

• Disallow mixing requirements across PyTorch indexes (#​13179)
• Add optional managed Python archive download cache (#​12175)
• Add poetry-core as a uv init build backend option (#​12781)
• Show tag hints when failing to find a compatible wheel in pylock.toml (#​13136)
• Report Python versions in pyvenv.cfg version mismatch (#​13027)

Bug fixes

• Avoid erroring on omitted wheel-only packages in pylock.toml (#​13132)
• Fix display name for uvx --version (#​13109)
• Restore handling of authentication when encountering redirects (#​13050)
• Respect build options (--no-binary et al) in pylock.toml (#​13134)
• Use upload-time rather than upload_time in uv.lock (#​13176)

Documentation

• Changed fish completions append >> to overwrite > (#​13130)
• Add pylock.toml mentions where relevant (#​13115)
• Add ROCm example to the PyTorch guide (#​13200)
• Upgrade PyTorch guide to CUDA 12.8 and PyTorch 2.7 (#​13199)

v0.6.17

Compare Source

Release Notes

Preview features

• Add PyTorch v2.7.0 to GPU backend (#​13072)

Bug fixes

• Avoid panic for invalid Python versions (#​13077)
• Block scripts from overwriting python (#​13051)
• Check distribution names to handle invalid redirects (#​12917)
• Check for mismatched package and distribution names on resolver thread (#​13088)
• Fix panic with invalid last character in PEP 508 name (#​13105)
• Reject requires-python even if not listed on the index page (#​13086)

Install uv 0.6.17

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.6.17/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.6.17/uv-installer.ps1 | iex"

Download uv 0.6.17

File	Platform	Checksum
uv-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
uv-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
uv-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
uv-i686-pc-windows-msvc.zip	x86 Windows	checksum
uv-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
uv-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
uv-i686-unknown-linux-gnu.tar.gz	x86 Linux	checksum
uv-powerpc64-unknown-linux-gnu.tar.gz	PPC64 Linux	checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz	PPC64LE Linux	checksum
uv-s390x-unknown-linux-gnu.tar.gz	S390x Linux	checksum
uv-x86_64-unknown-linux-gnu.tar.gz	x64 Linux	checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz	ARMv7 Linux	checksum
uv-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
uv-i686-unknown-linux-musl.tar.gz	x86 MUSL Linux	checksum
uv-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum
uv-arm-unknown-linux-musleabihf.tar.gz	ARMv6 MUSL Linux (Hardfloat)	checksum
uv-armv7-unknown-linux-musleabihf.tar.gz	ARMv7 MUSL Linux	checksum

---

Configuration

📅 Schedule: Branch creation - "before 4am on Friday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🦙 MegaLinter status: ⚠️ WARNING

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
⚠️ BASH	bash-exec	6		1	0	0.03s
✅ BASH	shellcheck	6		0	0	0.26s
✅ BASH	shfmt	6	0	0	0	0.87s
✅ COPYPASTE	jscpd	yes		no	no	2.74s
✅ DOCKERFILE	hadolint	131		0	0	32.34s
✅ JSON	jsonlint	20		0	0	0.19s
✅ JSON	v8r	22		0	0	16.14s
⚠️ MARKDOWN	markdownlint	269	0	304	0	22.48s
✅ MARKDOWN	markdown-table-formatter	269	0	0	0	139.56s
⚠️ PYTHON	bandit	219		67	0	5.93s
✅ PYTHON	black	219	0	0	0	5.53s
✅ PYTHON	flake8	219		0	0	2.3s
✅ PYTHON	isort	219	0	0	0	1.19s
✅ PYTHON	mypy	219		0	0	12.08s
✅ PYTHON	pylint	219		0	0	35.16s
✅ PYTHON	ruff	219	0	0	0	0.81s
✅ REPOSITORY	checkov	yes		no	no	42.39s
✅ REPOSITORY	git_diff	yes		no	no	0.93s
⚠️ REPOSITORY	grype	yes		27	no	30.68s
✅ REPOSITORY	secretlint	yes		no	no	8.83s
✅ REPOSITORY	syft	yes		no	no	2.38s
✅ REPOSITORY	trivy	yes		no	no	10.36s
✅ REPOSITORY	trivy-sbom	yes		no	no	21.24s
✅ REPOSITORY	trufflehog	yes		no	no	4.2s
✅ SPELL	cspell	727		0	0	14.13s
⚠️ SPELL	lychee	351		32	0	6.44s
✅ XML	xmllint	3	0	0	0	1.3s
✅ YAML	prettier	160	0	0	0	4.11s
✅ YAML	v8r	103		0	0	32.45s
✅ YAML	yamllint	161		0	0	4.09s

See detailed report in MegaLinter reports