
chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.8#699

Open

renovate-bot-cbcoutinho[bot] wants to merge 1 commit into master from renovate/ghcr.io-astral-sh-uv-0.x

Conversation


@renovate-bot-cbcoutinho renovate-bot-cbcoutinho Bot commented Apr 8, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| ghcr.io/astral-sh/uv | final | patch | 0.11.4 → 0.11.8 |

Release Notes

astral-sh/uv (ghcr.io/astral-sh/uv)

v0.11.8

Compare Source

Released on 2026-04-27.

Enhancements
  • Add --python-downloads-json-url to python pin (#​19092)
  • Fetch uv from Astral mirror during self-update (#​18682)
  • Support pip uninstall -y (#​19082)
  • Allow exclude-newer to be missing from the lockfile when exclude-newer-span is present (#​19024)
  • Only show the version number in uv self version --short (#​19019)
  • Silence warnings on empty SSL_CERT_DIR directory (#​19018)
  • Use a sentinel timestamp for relative exclude-newer and exclude-newer-package values in lockfiles (#​19022, #​19101)
Configuration
  • Add UV_PYTHON_NO_REGISTRY (#​19035)
  • Add an environment variable for UV_NO_PROJECT (#​19052)
  • Expose UV_PYTHON_SEARCH_PATH for Python discovery PATH overrides (#​19034)
Bug fixes
  • Add rust-toolchain.toml to uv-build sdist (#​19131)
  • Ensure uv invocations of git do not inherit repository location environment variables (#​19088)
  • Redact pre-signed upload URLs in verbose output (#​19146)
  • Handle transitive URL dependencies in PEP 517 build requirements (#​19076, #​19086)
  • Support uv lock on a pyproject.toml that only contains dependency-groups (#​19087)
  • Disable transparent Python upgrades in projects when a patch version is requested via .python-version (#​19102)
  • Fix Python variant tagging in the Windows registry (#​19012)
  • Ban external symlinks in .tar.zst wheels (#​19144)
Distributions
  • Remove deprecated license classifiers from uv-build and add Python 3.14 classifier (#​19130)
Documentation
  • Bump astral-sh/setup-uv version in docs (#​19030)
  • Update PyTorch documentation for PyTorch 2.11 (#​19095)

v0.11.7

Compare Source

Released on 2026-04-15.

Python
  • Upgrade CPython build to 2026041 including an OpenSSL security upgrade (#​19004)
Enhancements
  • Elevate configuration errors to required-version mismatches (#​18977)
  • Further improve TLS certificate validation messages (#​18933)
  • Improve --exclude-newer hints (#​18952)
Preview features
  • Fix --script handling in uv audit (#​18970)
  • Fix traversal of extras in uv audit (#​18970)
Bug fixes
  • De-quote workspace metadata in linehaul data (#​18966)
  • Avoid installing tool workspace member dependencies as editable (#​18891)
  • Emit JSON report for uv sync --check failures (#​18976)
  • Filter and warn on invalid TLS certificates (#​18951)
  • Fix equality comparisons for version specifiers with ~= operators (#​18960)
  • Fix stale Python upgrade preview feature check in project environment construction (#​18961)
  • Improve Windows path normalization (#​18945)

v0.11.6

Compare Source

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes
  • Do not remove files outside the venv on uninstall (#​18942)
  • Validate and heal wheel RECORD during installation (#​18943)
  • Avoid uv cache clean errors due to Win32 path normalization (#​18856)

v0.11.5

Compare Source

Released on 2026-04-08.

Python
  • Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#​18908)
Enhancements
  • Fix build_system.requires error message (#​18911)
  • Remove trailing path separators in path normalization (#​18915)
  • Improve error messages for unsupported or invalid TLS certificates (#​18924)
Preview features
  • Add exclude-newer to [[tool.uv.index]] (#​18839)
  • uv audit: add context/warnings for ignored vulnerabilities (#​18905)
Bug fixes
  • Normalize persisted fork markers before lock equality checks (#​18612)
  • Clear junction properly when uninstalling Python versions on Windows (#​18815)
  • Report error cleanly instead of panicking on TLS certificate error (#​18904)
Documentation

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.


claude Bot commented Apr 8, 2026

PR Review: Dependency Update - uv 0.11.4 → 0.11.5

Summary: This is a Renovate Bot patch update for the ghcr.io/astral-sh/uv Docker base image. The change is minimal and safe.

Code Quality ✅

The diff is correct and follows best practices:

  • Both the version tag and the SHA256 digest are updated together — this is the right approach for reproducible builds and supply chain security
  • The pinned digest (sha256:555ac94f9a22e656fc5f2ce5dfee13b04e94d099e46bb8dd3a73ec7263f2e484) ensures the exact image is pulled regardless of any future tag reassignment

What's in uv 0.11.5

Per the release notes, this patch includes:

  • Bug fixes: Normalizes persisted fork markers before lock equality checks, fixes Windows junction cleanup on Python uninstall, reports TLS certificate errors cleanly instead of panicking
  • Enhancements: Improved error messages for TLS certificates and build_system.requires, trailing path separator normalization
  • New Python versions: Adds CPython 3.13.13, 3.14.4, and 3.15.0a8 support

Potential Issues

None identified. This is a patch release with no breaking changes expected. The TLS and lock-file bug fixes are actually beneficial.

Security ✅

No concerns — the SHA256 digest pin is the correct security posture for Docker base images. Renovate correctly updates both the tag and digest together.

Recommendation

Approve and merge. This is a low-risk patch update with only bug fixes and minor enhancements. No test changes required since this only affects the build tooling layer, not application code.
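The reviews above rest on one property of the Dockerfile: the uv image is referenced by tag and by sha256 digest together. As an added check (not code from the project, Renovate or the reviewer), the script below parses the FROM and COPY/ADD --from references of a Dockerfile and reports any that lack a well-formed digest; the sample Dockerfile is constructed, reusing the 0.11.5 digest quoted in the review above.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample (not the project's real Dockerfile). The uv digest is the one
# quoted in the review above for 0.11.5; the base image is left tag-only on purpose.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS base
COPY --from=ghcr.io/astral-sh/uv:0.11.5@sha256:555ac94f9a22e656fc5f2ce5dfee13b04e94d099e46bb8dd3a73ec7263f2e484 /uv /uvx /bin/
COPY --from=base /app /app
"""

_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
_COPY_FROM_RE = re.compile(r"^\s*(?:COPY|ADD)\b.*?--from=(\S+)", re.I)
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

class ImageRef(NamedTuple):
    line: int
    image: str
    tag: Optional[str]
    digest: Optional[str]

def split_ref(ref: str) -> "tuple[str, Optional[str], Optional[str]]":
    """Split 'registry/name[:tag][@sha256:...]' into (image, tag, digest)."""
    digest = tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # ':' after the last '/' is a tag, not a registry port
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest

def parse_image_refs(dockerfile: str) -> "list[ImageRef]":
    """Collect every external image reference from FROM and COPY/ADD --from lines."""
    refs, stages = [], set()
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        if m := _FROM_RE.match(raw):
            ref, stage = m.group(1), m.group(2)
            if stage:
                stages.add(stage)
        elif m := _COPY_FROM_RE.match(raw):
            ref = m.group(1)
            if ref in stages or ref.isdigit():  # an earlier build stage, not an image
                continue
        else:
            continue
        refs.append(ImageRef(n, *split_ref(ref)))
    return refs

def unpinned_refs(dockerfile: str) -> "list[ImageRef]":
    """References to flag in review: a tag can be re-pointed, only a digest fixes the bytes."""
    return [r for r in parse_image_refs(dockerfile)
            if r.digest is None or not _DIGEST_RE.match(r.digest)]
```

Run `unpinned_refs(open("Dockerfile").read())` in CI and fail the build when the list is non-empty; a Renovate bump that updates the tag but drops the digest is then caught before merge.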

renovate-bot-cbcoutinho Bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 45f59d7 to bb58510 on April 9, 2026 16:18
renovate-bot-cbcoutinho Bot changed the title from "chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.5" to "chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.6" on Apr 9, 2026

claude Bot commented Apr 9, 2026

PR Review: Dependency Update — uv 0.11.4 → 0.11.6

This is a straightforward Renovate-generated patch bump. Here's my assessment:

Summary

Single-line change in Dockerfile: updates ghcr.io/astral-sh/uv from 0.11.4 to 0.11.6 with a matching digest update.

Security — Notable

v0.11.6 addresses a low-severity security advisory (GHSA-pjjw-68hj-v9mw): wheels with malformed RECORD entries could delete arbitrary files on uninstall. While low severity, this is still a meaningful reason to take the update promptly.

Code Quality

  • The Dockerfile correctly pins both the version tag and the SHA256 digest — best practice for reproducible and secure Docker builds. The digest has been properly updated to match 0.11.6. ✓
  • No other files changed; the update is minimal and correctly scoped.

What's in v0.11.5 and v0.11.6

v0.11.6: Security fix for malformed RECORD entries; Win32 path fix for uv cache clean

v0.11.5: CPython 3.13.13/3.14.4/3.15.0a8 support; TLS error message improvements; lock file normalization fix

Verdict

Safe to merge. Low-risk patch update that includes a security fix. No behavioral changes expected for the project's use of uv (dependency installation in Docker builds). No test changes needed.


Reviewed by Claude (claude-sonnet-4-6)

renovate-bot-cbcoutinho Bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from bb58510 to 7b86365 on April 16, 2026 04:20
renovate-bot-cbcoutinho Bot changed the title from "chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.6" to "chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.7" on Apr 16, 2026

claude Bot commented Apr 16, 2026

PR Review

This is a straightforward Renovate-managed dependency update bumping ghcr.io/astral-sh/uv from 0.11.4 → 0.11.7 in the Dockerfile.

Assessment: Approve / Merge

What changed

Single line in Dockerfile: the COPY --from=ghcr.io/astral-sh/uv stage is updated with a new version tag and pinned SHA256 digest.

Positives

  • SHA pinning is maintained — the image reference uses @sha256:... which is the correct security practice for Docker base images; this PR updates both the tag and the digest atomically.
  • Security-relevant update — v0.11.6 (included in this range) resolves GHSA-pjjw-68hj-v9mw: wheels with malformed RECORD entries could delete arbitrary files on uninstall. Worth merging promptly for that alone.
  • v0.11.7 adds an OpenSSL security upgrade in the bundled CPython build — another reason to prefer not leaving this open.
  • Low risk: uv is used only as a build-time tool to install Python dependencies; the runtime image is not uv itself, so this change has no effect on runtime behaviour.

No concerns

No code logic, tests, or configuration changed. The SHA digest ensures reproducibility. Nothing to flag here.

renovate-bot-cbcoutinho Bot force-pushed the renovate/ghcr.io-astral-sh-uv-0.x branch from 7b86365 to 3400ee7 on April 28, 2026 04:20
renovate-bot-cbcoutinho Bot changed the title from "chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.7" to "chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.11.8" on Apr 28, 2026

claude Bot commented Apr 28, 2026

PR Review

Type: Routine dependency update (Renovate Bot)

Change: Updates ghcr.io/astral-sh/uv Docker image from 0.11.4 → 0.11.8 with pinned SHA256 digest.

Assessment: ✅ Approve

This is a straightforward patch-level bump across 4 versions. A few highlights worth noting:

Security: v0.11.6 resolves GHSA-pjjw-68hj-v9mw — a low severity advisory where wheels with malformed RECORD entries could delete arbitrary files on uninstall. This makes the upgrade worth doing sooner rather than later.

OpenSSL: v0.11.7 ships a CPython build with an OpenSSL security upgrade — another good reason to take this bump.

Code quality:

  • The SHA256 digest is correctly updated alongside the version tag — maintains the reproducible/pinned image pattern already established in the Dockerfile. No issues here.
  • No other files changed, which is expected for a uv toolchain bump.

No concerns with this change. Safe to merge.
