build(docker): bump astral-sh/uv from 0.9.30 to 0.10.0 in the docker group

[dependabot]

Bumps the docker group with 1 update: astral-sh/uv.

Updates astral-sh/uv from 0.9.30 to 0.10.0

Release notes

Sourced from astral-sh/uv's releases.

0.10.0

Release Notes

Since we released uv 0.9.0 in October of 2025, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.

This release also includes the stabilization of preview features. Python upgrades are now stable, including the uv python upgrade command, uv python install --upgrade, and automatically upgrading Python patch versions in virtual environments when a new version is installed. The add-bounds and extra-build-dependencies settings are now stable. Finally, the uv workspace dir and uv workspace list utilities for writing scripts against workspace members are now stable.

Breaking changes

• Require --clear to remove existing virtual environments in uv venv (#17757)

  Previously, uv venv would prompt for confirmation before removing an existing virtual environment in interactive contexts, and remove it without confirmation in non-interactive contexts. Now, uv venv requires the --clear flag to remove an existing virtual environment. A warning for this change was added in uv 0.8.

  You can opt out of this behavior by passing the --clear flag or setting UV_VENV_CLEAR=1.

• Error if multiple indexes include default = true (#17011)

  Previously, uv would silently accept multiple indexes with default = true and use the first one. Now, uv will error if multiple indexes are marked as the default.

  You cannot opt out of this behavior. Remove default = true from all but one index.

• Error when an explicit index is unnamed (#17777)

  Explicit indexes can only be used via the [tool.uv.sources] table, which requires referencing the index by name. Previously, uv would silently accept unnamed explicit indexes, which could never be referenced. Now, uv will error if an explicit index does not have a name.

  You cannot opt out of this behavior. Add a name to the explicit index or remove the entry.

• Install alternative Python executables using their implementation name (#17756, #17760)

  Previously, uv python install would install PyPy, GraalPy, and Pyodide executables with names like python3.10 into the bin directory. Now, these executables will be named using their implementation name, e.g., pypy3.10, graalpy3.10, and pyodide3.12, to avoid conflicting with CPython installations.

  You cannot opt out of this behavior.

• Respect global Python version pins in uv tool run and uv tool install (#14112)

  Previously, uv tool run and uv tool install did not respect the global Python version pin (set via uv python pin --global). Now, these commands will use the global Python version when no explicit version is requested.

  For uv tool install, if the tool is already installed, the Python version will not change unless --reinstall or --python is provided. If the tool was previously installed with an explicit --python flag, the global pin will not override it.

  You can opt out of this behavior by providing an explicit --python flag.

• Remove Debian Bookworm, Alpine 3.21, and Python 3.8 Docker images (#17755)

  The Debian Bookworm and Alpine 3.21 images were replaced by Debian Trixie and Alpine 3.22 as defaults in uv 0.9. These older images are now removed. Python 3.8 images are also removed, as Python 3.8 is no longer supported in the Trixie or Alpine base images.

  The following image tags are no longer published:

  • uv:bookworm, uv:bookworm-slim
  • uv:alpine3.21
  • uv:python3.8-*

... (truncated)

Changelog

Sourced from astral-sh/uv's changelog.

0.10.0

Since we released uv 0.9.0 in October of 2025, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.

This release also includes the stabilization of preview features. Python upgrades are now stable, including the uv python upgrade command, uv python install --upgrade, and automatically upgrading Python patch versions in virtual environments when a new version is installed. The add-bounds and extra-build-dependencies settings are now stable. Finally, the uv workspace dir and uv workspace list utilities for writing scripts against workspace members are now stable.

Breaking changes

• Require --clear to remove existing virtual environments in uv venv (#17757)

  Previously, uv venv would prompt for confirmation before removing an existing virtual environment in interactive contexts, and remove it without confirmation in non-interactive contexts. Now, uv venv requires the --clear flag to remove an existing virtual environment. A warning for this change was added in uv 0.8.

  You can opt out of this behavior by passing the --clear flag or setting UV_VENV_CLEAR=1.

• Error if multiple indexes include default = true (#17011)

  Previously, uv would silently accept multiple indexes with default = true and use the first one. Now, uv will error if multiple indexes are marked as the default.

  You cannot opt out of this behavior. Remove default = true from all but one index.

• Error when an explicit index is unnamed (#17777)

  Explicit indexes can only be used via the [tool.uv.sources] table, which requires referencing the index by name. Previously, uv would silently accept unnamed explicit indexes, which could never be referenced. Now, uv will error if an explicit index does not have a name.

  You cannot opt out of this behavior. Add a name to the explicit index or remove the entry.

• Install alternative Python executables using their implementation name (#17756, #17760)

  Previously, uv python install would install PyPy, GraalPy, and Pyodide executables with names like python3.10 into the bin directory. Now, these executables will be named using their implementation name, e.g., pypy3.10, graalpy3.10, and pyodide3.12, to avoid conflicting with CPython installations.

  You cannot opt out of this behavior.

• Respect global Python version pins in uv tool run and uv tool install (#14112)

  Previously, uv tool run and uv tool install did not respect the global Python version pin (set via uv python pin --global). Now, these commands will use the global Python version when no explicit version is requested.

  For uv tool install, if the tool is already installed, the Python version will not change unless --reinstall or --python is provided. If the tool was previously installed with an explicit --python flag, the global pin will not override it.

  You can opt out of this behavior by providing an explicit --python flag.

• Remove Debian Bookworm, Alpine 3.21, and Python 3.8 Docker images (#17755)

  The Debian Bookworm and Alpine 3.21 images were replaced by Debian Trixie and Alpine 3.22 as defaults in uv 0.9. These older images are now removed. Python 3.8 images are also removed, as Python 3.8 is no longer supported in the Trixie or Alpine base images.

  The following image tags are no longer published:

  • uv:bookworm, uv:bookworm-slim
  • uv:alpine3.21
  • uv:python3.8-*

  Use uv:debian or uv:trixie instead of uv:bookworm, uv:alpine or uv:alpine3.22 instead of uv:alpine3.21, and a newer Python version instead of uv:python3.8-*.

... (truncated)

Commits

• 0ba4324 Bump version to 0.10.0 (#17882)
• d2ab2d0 Stabilize Python upgrades (#17766)
• f3d5012 Update uv test features to use test- as a prefix (#17860)
• ba66db8 Avoid invalidating the lockfile versions after an exclude newer change (#17721)
• 8ed16f1 Bail when trying to attach ambiguous credentials instead of picking an arbitr...
• aaaad23 Bump the uv format ruff version to 0.15.0 (#17838)
• 4ae86f9 Respect global Python version pins in uv tool run and uv tool install (#1...
• 3632202 Require --clear to remove virtual environments (#17757)
• bd08ee3 Error when an explicit index is unnamed (#17777)
• 3ba3fe3 Install Pyodide executables as pyodide instead of python (#17760)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

KICS version: v2.1.19

Category Results CRITICAL 0 HIGH 0 MEDIUM 4 LOW 0 INFO 0 TRACE 0 TOTAL 4	Metric Values Files scanned 7 Files parsed 7 Files failed to scan 0 Total executed queries 73 Queries failed to execute 0 Execution time 1

Queries Results

Query Name Query Id Severity Platform Cwe Risk Score Category Experimental Description File Name Line Issue Type Search Key Expected Value Actual Value Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 94 MissingAttribute FROM={{dev AS compile}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*}} Package 'binutils' has version defined Package 'binutils' does not have version defined Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 46 MissingAttribute FROM={{base AS dev}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends build-essential && rm -rf /var/lib/apt/lists/*}} Package 'build-essential' has version defined Package 'build-essential' does not have version defined Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 36 MissingAttribute FROM={{debian:stable-slim@sha256:4448d44b91bf4a13cb1b4e02d9d5f87ed40621d6e33f0ae7b6ddf71d57e29364 AS base}}.RUN={{apt-get update && apt-get upgrade --yes && apt-get install --yes --no-install-recommends curl && rm -rf /var/lib/apt/lists/*}} Package 'curl' has version defined Package 'curl' does not have version defined Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e MEDIUM Dockerfile 1357 5.7 Supply-Chain false When installing a package, its pin version should be defined Dockerfile 94 MissingAttribute FROM={{dev AS compile}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*}} Package 'patchelf' has version defined Package 'patchelf' does not have version defined

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ COPYPASTE	jscpd	yes		no	no	1.06s
✅ DOCKERFILE	hadolint	1		0	0	0.4s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.26s
✅ REPOSITORY	checkov	yes		no	no	13.83s
✅ REPOSITORY	gitleaks	yes		no	no	0.78s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	28.3s
✅ REPOSITORY	secretlint	yes		no	no	0.74s
✅ REPOSITORY	semgrep	yes		no	no	16.3s
✅ REPOSITORY	syft	yes		no	no	1.96s
✅ REPOSITORY	trivy	yes		no	no	7.6s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.08s
✅ REPOSITORY	trufflehog	yes		no	no	2.57s

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

[dependabot]

Looks like astral-sh/uv is no longer updatable, so this is no longer needed.