Change8

0.8.6

📦 uv
1 breaking, 8 features, 🐛 6 fixes, 🔧 6 symbols

Summary

uv 0.8.6 introduces strict ZIP validation to mitigate parser‑confusion attacks, adds CPython 3.13.6 support, per‑project build‑time env vars, and several bug fixes and enhancements.

⚠️ Breaking Changes

  • uv now validates ZIP files more strictly, rejecting repeated entries and other malformed ZIP archives; ZIPs that previously extracted successfully may now be rejected. Set the environment variable UV_INSECURE_NO_ZIP_VALIDATION to disable this validation if needed.

Migration Steps

  1. If a ZIP archive is rejected after upgrading to uv 0.8.6, set UV_INSECURE_NO_ZIP_VALIDATION=1 to retain the previous behavior.
  2. Review any custom build scripts that rely on environment variables; they can now be defined per‑project using the new build‑time env‑var support.
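
Before disabling validation for a rejected archive, it helps to see what is wrong with it. The following is an added example, not uv's code and not from the release notes: it reports repeated entry names, and, as an assumed illustration of "other malformed ZIP archives", entries whose local-header name differs from the central-directory name. The names `audit_zip` and `make_sample` and the sample archives are hypothetical and constructed in memory.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

LOCAL_HEADER = struct.Struct("<4s5H3L2H")  # fixed 30-byte local file header


def audit_zip(data: bytes) -> dict:
    """Report repeated names and central-directory vs local-header name mismatches."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # one ZipInfo per central-directory record
    counts = Counter(info.filename for info in infos)
    findings = {"duplicates": sorted(n for n, c in counts.items() if c > 1),
                "name_mismatches": []}
    for info in infos:
        raw = data[info.header_offset:info.header_offset + LOCAL_HEADER.size]
        if len(raw) < LOCAL_HEADER.size:
            findings["name_mismatches"].append(info.filename)
            continue
        fields = LOCAL_HEADER.unpack(raw)
        sig, flags, name_len = fields[0], fields[2], fields[9]
        start = info.header_offset + LOCAL_HEADER.size
        # Bit 11 of the general-purpose flags marks a UTF-8 name; otherwise cp437.
        encoding = "utf-8" if flags & 0x800 else "cp437"
        local_name = data[start:start + name_len].decode(encoding, "replace")
        if sig != b"PK\x03\x04" or local_name != info.orig_filename:
            findings["name_mismatches"].append(info.filename)
    return findings


def make_sample(names) -> bytes:
    """Build a constructed in-memory archive; zipfile only warns on repeated names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # silence the "Duplicate name" UserWarning
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"constructed payload {i}\n")
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_sample(["pkg/__init__.py", "pkg/core.py"])
    repeated = make_sample(["pkg/__init__.py", "pkg/core.py", "pkg/core.py"])
    for label, blob in (("clean", clean), ("repeated", repeated)):
        print(label, audit_zip(blob))
```

An archive that shows findings here should be rebuilt or reported to its publisher rather than installed with validation turned off.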

✨ New Features

  • Hardened ZIP streaming to reject repeated entries and malformed ZIP files (security hardening).
  • Added support for CPython 3.13.6.
  • Added support for per‑project build‑time environment variables.
  • Support for UV_NO_EDITABLE where the --no-editable flag is available.
  • cargo‑dist upgraded to include UV_INSTALLER_URL in the PowerShell installer.
  • h2 library upgraded to avoid too_many_internal_resets errors.
  • uv run now considers pythonw when copying entry points.
  • Documentation now ensures the symlink warning is shown.

🐛 Bug Fixes

  • Avoid invalid simplification with conflict markers.
  • Respect UV_HTTP_RETRIES in uv publish.
  • Support UV_NO_EDITABLE where --no-editable is supported.
  • Upgrade cargo-dist to add UV_INSTALLER_URL to PowerShell installer.
  • Upgrade h2 again to avoid too_many_internal_resets errors.
  • Consider pythonw when copying entry points in uv run.

🔧 Affected Symbols

uv.zip, uv.publish, uv.run, uv.install, cargo_dist, h2