Uv

CLI

- Allow `--python` and `--system` on `pip compile` ([3115](https://github.com/astral-sh/uv/pull/3115))
- Remove `Option<bool>` for `--no-cache` ([3129](https://github.com/astral-sh/uv/pull/3129))
- Rename `--compile` to `--compile-bytecode` ([3102](https://github.com/astral-sh/uv/pull/3102))
- Accept `0`, `1`, and similar values for Boolean environment variables ([3113](https://github.com/astral-sh/uv/pull/3113))

Configuration

- Add `UV_REQUIRE_HASHES` environment variable ([3125](https://github.com/astral-sh/uv/pull/3125))
- Add negation flags to the CLI ([3050](https://github.com/astral-sh/uv/pull/3050))

Bug fixes

- Avoid fetching unnecessary extra versions during resolution ([3100](https://github.com/astral-sh/uv/pull/3100))
- Avoid deprioritizing recursive editables ([3133](https://github.com/astral-sh/uv/pull/3133))
- Avoid treating localhost URLs as local file paths ([3132](https://github.com/astral-sh/uv/pull/3132))
- Hide password in the index printed via `--emit-index-annotation` ([3112](https://github.com/astral-sh/uv/pull/3112))
- Restore seeding of authentication cache from index URLs ([3124](https://github.com/astral-sh/uv/pull/3124))

Breaking changes

Using the keyring requires a username to be provided on index URLs now. Previously, the username `oauth2accesstoken`
was assumed. This will affect Google Artifact Registry users using `--keyring-provider subprocess` and an index URL
without a username. The suggested fix is to add the required username to index URLs, e.g., `https://oauth2accesstoken<url>`.

See [2976](https://github.com/astral-sh/uv/pull/2976#discussion_r1566521453) for details.

Enhancements

- Allow passing a virtual environment path to `uv pip --python` ([3064](https://github.com/astral-sh/uv/pull/3064))
- Add compatibility argument for `pip list --outdated` ([3055](https://github.com/astral-sh/uv/pull/3055))

CLI

- Enable auto-wrapping of `--help` output ([3058](https://github.com/astral-sh/uv/pull/3058))
- Show `--require-hashes` CLI argument in help ([3093](https://github.com/astral-sh/uv/pull/3093))

Performance

- Incorporate heuristics to improve package prioritization ([3087](https://github.com/astral-sh/uv/pull/3087))

Bug fixes

- Fix HTTP authentication when the password includes percent encoded characters (e.g. with Google Artifact Registry) ([2822](https://github.com/astral-sh/uv/issues/2822))
- Use usernames from URLs when looking for credentials in netrc files and the keyring [2563](https://github.com/astral-sh/uv/issues/2563))
- Skip `HEAD` requests for indexes that return 403 (e.g. PyPICloud) ([3070](https://github.com/astral-sh/uv/pull/3070))
- Use kebab-case consistently ([3080](https://github.com/astral-sh/uv/pull/3080))
- Show package name in no version for direct dependency error ([3056](https://github.com/astral-sh/uv/pull/3056))
- Avoid erroring when encountering `.tar.bz2` source distributions ([3069](https://github.com/astral-sh/uv/pull/3069))

Enhancements

- Add a `--require-hashes` command-line setting ([2824](https://github.com/astral-sh/uv/pull/2824))
- Add hash-checking support to `install` and `sync` ([2945](https://github.com/astral-sh/uv/pull/2945))
- Add support for URL requirements in `--generate-hashes` ([2952](https://github.com/astral-sh/uv/pull/2952))
- Allow unnamed requirements for overrides ([2999](https://github.com/astral-sh/uv/pull/2999))
- Enforce and backtrack on invalid versions in source metadata ([2954](https://github.com/astral-sh/uv/pull/2954))
- Fall back to distributions without hashes in resolver ([2949](https://github.com/astral-sh/uv/pull/2949))
- Implement `--emit-index-annotation` to annotate source index for each package ([2926](https://github.com/astral-sh/uv/pull/2926))
- Log hard-link failures ([3015](https://github.com/astral-sh/uv/pull/3015))
- Support free-threaded Python ([2805](https://github.com/astral-sh/uv/pull/2805))
- Support unnamed requirements in `--require-hashes` ([2993](https://github.com/astral-sh/uv/pull/2993))
- Respect link mode for builds, in `uv pip compile` and for `uv venv` seed packages ([3016](https://github.com/astral-sh/uv/pull/3016))
- Force color for build error messages ([3032](https://github.com/astral-sh/uv/pull/3032))
- Surface invalid metadata as hints in error reports ([2850](https://github.com/astral-sh/uv/pull/2850))

Configuration

- Add `UV_BREAK_SYSTEM_PACKAGES` environment variable ([2995](https://github.com/astral-sh/uv/pull/2995))

CLI

- Remove some restrictions in argument groups ([3001](https://github.com/astral-sh/uv/pull/3001))

Bug fixes

- Add `--find-links` source distributions to the registry cache ([2986](https://github.com/astral-sh/uv/pull/2986))
- Allow comments after all `requirements.txt` entries ([3018](https://github.com/astral-sh/uv/pull/3018))
- Avoid cache invalidation on credentials renewal ([3010](https://github.com/astral-sh/uv/pull/3010))
- Avoid calling `normalize_path` with relative paths that extend beyond the current directory ([3013](https://github.com/astral-sh/uv/pull/3013))
- Deduplicate symbolic links between `purelib` and `platlib` ([3002](https://github.com/astral-sh/uv/pull/3002))
- Remove unused `--output-file` from `pip install` ([2975](https://github.com/astral-sh/uv/pull/2975))
- Strip query string when parsing filename from HTML index ([2961](https://github.com/astral-sh/uv/pull/2961))
- Update hashes without `--upgrade` if not present ([2966](https://github.com/astral-sh/uv/pull/2966))

Bug fixes

- Ignore direct URL distributions in prefetcher ([2943](https://github.com/astral-sh/uv/pull/2943))

Enhancements

- Show resolution diagnostics after `pip install` ([2829](https://github.com/astral-sh/uv/pull/2829))

Performance

- Speed up cold-cache `urllib3`-`boto3`-`botocore` performance with batched prefetching ([2452](https://github.com/astral-sh/uv/pull/2452))

Bug fixes

- Backtrack on distributions with invalid metadata ([2834](https://github.com/astral-sh/uv/pull/2834))
- Include LICENSE files in source distribution ([2855](https://github.com/astral-sh/uv/pull/2855))
- Respect `--no-build` and `--no-binary` in `--find-links` ([2826](https://github.com/astral-sh/uv/pull/2826))
- Respect cached local `--find-links` in install plan ([2907](https://github.com/astral-sh/uv/pull/2907))
- Avoid panic with multiple confirmation handlers ([2903](https://github.com/astral-sh/uv/pull/2903))
- Use scheme parsing to determine absolute vs. relative URLs ([2904](https://github.com/astral-sh/uv/pull/2904))
- Remove additional 'because' in resolution failure messages ([2849](https://github.com/astral-sh/uv/pull/2849))
- Use `miette` when printing `pip sync` resolution failures ([2848](https://github.com/astral-sh/uv/pull/2848))

Enhancements

- Allow conflicting Git URLs that refer to the same commit SHA ([2769](https://github.com/astral-sh/uv/pull/2769))
- Allow package lookups across multiple indexes via explicit opt-in (`--index-strategy unsafe-any-match`) ([2815](https://github.com/astral-sh/uv/pull/2815))
- Allow no-op `--no-compile` flag on CLI ([2816](https://github.com/astral-sh/uv/pull/2816))
- Upgrade `rs-async-zip` to support data descriptors ([2809](https://github.com/astral-sh/uv/pull/2809))

Bug fixes

- Avoid unused extras check in `pip install` for source trees ([2811](https://github.com/astral-sh/uv/pull/2811))
- Deduplicate editables during install commands ([2820](https://github.com/astral-sh/uv/pull/2820))
- Fix windows lock race: lock exclusive after all try lock errors ([2800](https://github.com/astral-sh/uv/pull/2800))
- Preserve `.git` suffixes and casing in Git dependencies ([2789](https://github.com/astral-sh/uv/pull/2789))
- Respect Git tags and branches that look like short commits ([2795](https://github.com/astral-sh/uv/pull/2795))
- Enable virtualenv creation on Windows with cpython-x86 ([2707](https://github.com/astral-sh/uv/pull/2707))

Documentation

- Document that uv is safe to run concurrently ([2818](https://github.com/astral-sh/uv/pull/2818))