Rust-Powered uv 0.11.8 adds mirror updates and lockfile controls

uv 0.11.8 landed on April 27 with a set of changes that matter less as a point release and more as proof that Rust is now sitting under one of the most operationally important tools in Python packaging. The new build tightens self-update with Astral mirror support, adds a python-downloads-json-url flag, and gives users more control over how uv discovers and installs Python.

That matters because uv is not a side project. Astral launched it on February 15, 2024 as a Rust-based Python package installer and resolver, framed it as a step toward a Cargo for Python, and folded Rye into the same broader packaging push. Astral still pitches uv as a single tool that can replace pip, pip-tools, pipx, poetry, pyenv, twine, and virtualenv, while claiming it runs 10-100x faster than pip. The distribution model reflects that mindset too: uv is shipped as a self-updating standalone binary, not as a conventional Python package.

The 0.11.8 release leans into environments where packaging has to work under constraints. New configuration knobs include UV_PYTHON_NO_REGISTRY, UV_NO_PROJECT, and UV_PYTHON_SEARCH_PATH, which give operators more control over registry lookups, project detection, and custom Python search paths. The lockfile side also got more flexible, with support for exclude-newer and exclude-newer-span, a practical change for teams that need to pin dependencies without freezing themselves into a corner. uv.lock remains the centerpiece here: Astral documents it as a cross-platform lockfile, and uv automatically locks and syncs projects when commands like uv run are used.

The hardening work is just as telling. The changelog adds rust-toolchain.toml to uv-build sdists, handles transitive URL dependencies in PEP 517 build requirements, supports uv lock on projects that only contain dependency-groups, and bans external symlinks in .tar.zst wheels. It also redacts pre-signed upload URLs in verbose output, a small but useful security cleanup that shows the tool is being treated like infrastructure, not a toy. For Rust watchers, that is the real story: uv keeps expanding the places where Rust code quietly runs the machinery behind everyday developer workflows.