Merged
woodruffw (Member) reviewed on Oct 31, 2025 and left a comment:
Thanks! Some questions and nitpicks 🙂
woodruffw reviewed on Nov 4, 2025
woodruffw (Member) reviewed on Nov 10, 2025 and left a comment:
Thanks @thomasschafer! I flagged a couple of additional places in the snapshots that IMO would benefit from smaller trees/more hermeticity, but otherwise this looks pretty good to me.
woodruffw reviewed on Nov 10, 2025
See PR here for reasoning: CycloneDX/cyclonedx-property-taxonomy#142
docs: uv export documentation
Contributor, Author:
Thank you both for the comments @konstin and @woodruffw! Anything else for me to do here?
woodruffw (Member) approved these changes on Nov 20, 2025 and left a comment:
Thanks a ton @thomasschafer! We really appreciate your hard work on this.
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request on Nov 21, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.10` -> `0.9.11` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.9.11`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0911)

[Compare Source](astral-sh/uv@0.9.10...0.9.11)

Released on 2025-11-20.

##### Python

- Add CPython 3.15.0a2

See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20251120) for details.

##### Enhancements

- Add SBOM support to `uv export` ([#16523](astral-sh/uv#16523))
- Publish to `crates.io` ([#16770](astral-sh/uv#16770))

##### Preview features

- Add `uv workspace list --paths` ([#16776](astral-sh/uv#16776))
- Fix the preview warning on `uv workspace dir` ([#16775](astral-sh/uv#16775))

##### Bug fixes

- Fix `uv init` author serialization via `toml_edit` inline tables ([#16778](astral-sh/uv#16778))
- Fix status messages without TTY ([#16785](astral-sh/uv#16785))
- Preserve end-of-line comment whitespace when editing `pyproject.toml` ([#16734](astral-sh/uv#16734))
- Disable `always-authenticate` when running under Dependabot ([#16773](astral-sh/uv#16773))

##### Documentation

- Document the new behavior for free-threaded python versions ([#16781](astral-sh/uv#16781))
- Improve note about build system in publish guide ([#16788](astral-sh/uv#16788))
- Move do not upload publish note out of the guide into concepts ([#16789](astral-sh/uv#16789))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
konstin added a commit that referenced this pull request on Feb 18, 2026
## Summary

This corrects a comment in the documentation to match the work done in #16523, and to match the documentation for `--format`, which states:

```
/// Supports `requirements.txt`, `pylock.toml` (PEP 751) and CycloneDX v1.5 JSON output formats.
```

## Test Plan

N/A

---------

Co-authored-by: konstin <[email protected]>
Summary
This PR adds a new SBOM format (CycloneDX v1.5 JSON) to the `uv export` command.

One notable point about the implementation is the use of a synthetic root when using the `--all-packages` flag. This has been discussed separately in more detail, but on a high level, it is possible for workspace packages to be disconnected from the workspace root, so if we had the workspace root as the root component in the SBOM then in such cases there would be unreachable components, which causes issues with some SBOM tooling. By having a synthetic root we ensure that all components can be reached by traversing from the root of the SBOM.

Resolves #6012
Test Plan
We've tested manually using a variety of uv projects locally, and have added a variety of tests to `crates/uv/tests/it/export.rs`.
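
The reachability property described in the summary can be checked on any CycloneDX JSON document by walking `dependencies[].dependsOn` from `metadata.component`. The sketch below is an added example, not code from this PR or from uv. The two SBOMs are constructed samples, the `bom-ref` values (`ws-root`, `tool-b`, `synthetic-root`) are made up, and it assumes the synthetic root lists every workspace member in its `dependsOn`.

```python
from collections import deque

def make_bom(root_ref, components, dependencies):
    """Build a minimal CycloneDX 1.5 document (constructed sample, not uv output)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "bom-ref": root_ref, "name": root_ref}},
        "components": [{"type": "library", "bom-ref": r, "name": r} for r in components],
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in dependencies.items()],
    }

def unreachable_components(bom):
    """Return bom-refs listed in `components` that cannot be reached by
    following `dependsOn` edges from `metadata.component`."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = {root}, deque([root])
    while queue:  # breadth-first walk; `seen` also guards against cycles
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    return declared - seen

# Hypothetical workspace: "tool-b" is a member that "ws-root" does not depend on.
EDGES = {"ws-root": ["requests"], "tool-b": ["click"]}

# Workspace root used directly as the SBOM root component.
ROOTED_AT_WORKSPACE = make_bom("ws-root", ["requests", "tool-b", "click"], EDGES)

# Synthetic root that depends on every workspace member (assumed shape).
ROOTED_AT_SYNTHETIC = make_bom(
    "synthetic-root",
    ["ws-root", "requests", "tool-b", "click"],
    {"synthetic-root": ["ws-root", "tool-b"], **EDGES},
)

if __name__ == "__main__":
    print(sorted(unreachable_components(ROOTED_AT_WORKSPACE)))
    print(sorted(unreachable_components(ROOTED_AT_SYNTHETIC)))
```

A non-empty result on a real export means a consumer that only traverses from the root will miss those components, so it is worth running as a gate before handing an SBOM to downstream tooling.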