Bump uv from 0.11.6 to 0.11.15

[dependabot]

Bumps uv from 0.11.6 to 0.11.15.

Release notes

Sourced from uv's releases.

0.11.15

Release Notes

Released on 2026-05-18.

Security

• Fix a TAR parser differential, see GHSA-3cv2-h65g-fgmm (#19463)
• Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph (#19464)

Enhancements

• Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#18741)
• Add support for Azure request signing (#19421)
• Apply stricter validation to all wheel filename segments (#19364)
• Reject empty strings as an invalid package name (#19435)
• Use structured errors for signing authentication failures (#19422)

Preview

• uv audit: Add JSON output (#19305)

Configuration

• Respect required-environments in uv pip compile (#19378)

Performance

• Avoid parsing JSON manifest when local Python is available (#19398)
• Avoid walking nested directories in linker conflict registration (#19382)
• Optimize async wheel ZIP writing (#19383)
• Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#19425)

Bug fixes

• Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#19423)
• Skip empty directories in uv build outputs (#19437)
• Fix Git submodule handling when using relative paths (#12156)
• Fix line number reporting in netrc parsing (#19452)

Documentation

• Move Bazel auth helper setup into integration guide (#19392)

Install uv 0.11.15

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.15/uv-installer.sh | sh
</tr></table> 

... (truncated)

Changelog

Sourced from uv's changelog.

0.11.15

Released on 2026-05-18.

Security

• Fix a TAR parser differential, see GHSA-3cv2-h65g-fgmm (#19463)
• Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph (#19464)

Enhancements

• Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#18741)
• Add support for Azure request signing (#19421)
• Apply stricter validation to all wheel filename segments (#19364)
• Reject empty strings as an invalid package name (#19435)
• Use structured errors for signing authentication failures (#19422)

Preview

• uv audit: Add JSON output (#19305)

Configuration

• Respect required-environments in uv pip compile (#19378)

Performance

• Avoid parsing JSON manifest when local Python is available (#19398)
• Avoid walking nested directories in linker conflict registration (#19382)
• Optimize async wheel ZIP writing (#19383)
• Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#19425)

Bug fixes

• Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#19423)
• Skip empty directories in uv build outputs (#19437)
• Fix Git submodule handling when using relative paths (#12156)
• Fix line number reporting in netrc parsing (#19452)

Documentation

• Move Bazel auth helper setup into integration guide (#19392)

0.11.14

Released on 2026-05-12.

Enhancements

• Add Astral mirror URL override (#19206)

... (truncated)

Commits

• 3cffe97 Fix crates.io publish script lockfile (#19473)
• de16a7b Bump version to 0.11.15 (#19472)
• cf826cc Disable test_simultaneous_create_set_then_move on Linux (#19469)
• 2d566bc Allow retry of custom-publish-crates separately from announce (#19470)
• 0588b8f Run release builds on maturin version bumps in CI (#19466)
• 9a65753 Enforce that entry points cannot escape in the scripts directory (#19464)
• d77d849 Revert "Update maturin to v1.13.2 (#19445)" (#19465)
• 5373e96 Update Rust crate rustls to v0.23.40 (#19250)
• fb8d3d4 Update Rust crate rustls-pki-types to v1.14.1 (#19251)
• 078480d Configure maturin and uv so uv run can be used to work on uv itself (#19461)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.15%. Comparing base (7317ad1) to head (b676a56).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2550   +/-   ##
=======================================
  Coverage   99.15%   99.15%           
=======================================
  Files          41       41           
  Lines        3094     3094           
  Branches      669      669           
=======================================
  Hits         3068     3068           
  Misses         14       14           
  Partials       12       12           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.