Respect URL-encoded credentials in redirect location#14315
Merged
Conversation
jtfmumm
added
bug
jtfmumm
changed the title
jtfmumm
temporarily deployed
to
uv-test-registries
GitHub Actions
Inactive
charliermarsh
approved these changes
Jun 27, 2025
Member
charliermarsh
left a comment
charliermarsh
left a comment
There was a problem hiding this comment.
This seems reasonable to me, though with auth it's always hard to predict whether some obscure setup will break 😭
Contributor
Author
I think this is a pretty rare case in general, but we'll see! |
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Jun 29, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.7.14` -> `0.7.16` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.7.16`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0716) [Compare Source](astral-sh/uv@0.7.15...0.7.16) ##### Python - Add Python 3.14.0b3 See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250626) for more details. ##### Enhancements - Include path or URL when failing to convert in lockfile ([#​14292](astral-sh/uv#14292)) - Warn when `~=` is used as a Python version specifier without a patch version ([#​14008](astral-sh/uv#14008)) ##### Preview features - Ensure preview default Python installs are upgradeable ([#​14261](astral-sh/uv#14261)) ##### Performance - Share workspace cache between lock and sync operations ([#​14321](astral-sh/uv#14321)) ##### Bug fixes - Allow local indexes to reference remote files ([#​14294](astral-sh/uv#14294)) - Avoid rendering desugared prefix matches in error messages ([#​14195](astral-sh/uv#14195)) - Avoid using path URL for workspace Git dependencies in `requirements.txt` ([#​14288](astral-sh/uv#14288)) - Normalize index URLs to remove trailing slash ([#​14245](astral-sh/uv#14245)) - Respect URL-encoded credentials in redirect location ([#​14315](astral-sh/uv#14315)) - Lock the source tree when running setuptools, to protect concurrent builds ([#​14174](astral-sh/uv#14174)) ##### Documentation - Note that GCP Artifact Registry download URLs must have `/simple` component ([#​14251](astral-sh/uv#14251)) ### [`v0.7.15`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0715) [Compare Source](astral-sh/uv@0.7.14...0.7.15) ##### Enhancements - Consistently use `Ordering::Relaxed` for standalone atomic use cases ([#​14190](astral-sh/uv#14190)) - Warn on ambiguous relative paths for `--index` ([#​14152](astral-sh/uv#14152)) - Skip GitHub fast path when rate-limited ([#​13033](astral-sh/uv#13033)) - Preserve newlines in `schema.json` descriptions ([#​13693](astral-sh/uv#13693)) ##### Bug fixes - Add check for using minor version link when creating a venv on Windows ([#​14252](astral-sh/uv#14252)) - Strip query parameters when parsing source URL ([#​14224](astral-sh/uv#14224)) ##### Documentation - Add a link to PyPI FAQ to clarify what per-project token is ([#​14242](astral-sh/uv#14242)) ##### Preview features - Allow symlinks in the build backend ([#​14212](astral-sh/uv#14212)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90Il19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
uv currently ignores URL-encoded credentials in a redirect location. This PR adds a check for these credentials to the redirect handling logic. If found, they are moved to the Authorization header in the redirect request.
Closes #11097