ci(deps-dev): bump uv from 0.7.22 to 0.11.15#3089
Conversation
Bumps [uv](https://github.com/astral-sh/uv) from 0.7.22 to 0.11.15. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](astral-sh/uv@0.7.22...0.11.15) --- updated-dependencies: - dependency-name: uv dependency-version: 0.11.15 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
dosubot
Bot
added
the
size:XS
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM, straightforward dev-dependency bump of uv from 0.7.22 to 0.11.15 (pyproject.toml + uv.lock only).
Extended reasoning...
Overview
This is a Dependabot PR that bumps uv (a Python package manager) from 0.7.22 to 0.11.15 in the dev dependency group of the langfuse-cookbook project. Only two files are touched: pyproject.toml (the version specifier) and uv.lock (regenerated lockfile, including a revision = 2 → 3 bump). uv is a dev-only tool here — it is not imported or invoked at runtime by the docs site, so the upgrade has no effect on production behavior.
Security risks
None for this repo. The upstream release notes mention security fixes in uv itself (TAR parser differential, entry-point escape hardening), which slightly improves posture rather than introducing risk. No code, secrets, or auth paths are modified.
Level of scrutiny
Minimal scrutiny is appropriate. This is a mechanical, machine-generated dependency bump touching only TOML/lock metadata, scoped to a dev tool that doesn't ship in any built artifact or run in CI critical paths. The bug-hunting system found nothing.
Other factors
No prior reviews to reconcile, no unresolved comments, and the changes match exactly what Dependabot would produce for a uv bump. Safe to shadow-approve.
Bumps uv from 0.7.22 to 0.11.15.
Release notes
Sourced from uv's releases.
... (truncated)
Changelog
Sourced from uv's changelog.
... (truncated)
Commits
3cffe97Fix crates.io publish script lockfile (#19473)de16a7bBump version to 0.11.15 (#19472)cf826ccDisabletest_simultaneous_create_set_then_moveon Linux (#19469)2d566bcAllow retry ofcustom-publish-cratesseparately fromannounce(#19470)0588b8fRun release builds on maturin version bumps in CI (#19466)9a65753Enforce that entry points cannot escape in the scripts directory (#19464)d77d849Revert "Update maturin to v1.13.2 (#19445)" (#19465)5373e96Update Rust crate rustls to v0.23.40 (#19250)fb8d3d4Update Rust crate rustls-pki-types to v1.14.1 (#19251)078480dConfigure maturin and uv souv runcan be used to work on uv itself (#19461)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.