Sync with upstream v325 #171
Merged
+95
−98
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently for historic reasons the buildpack adds the current working directory to `PATH`, due to adding an empty colon-delimited segment before the default Ubuntu `PATH`. This can cause errors if the app has a script/binary in its root directory that has the same name as a command the buildpack tries to run. For example, on Honeycomb I've seen internal errors when the buildpack attempts to locate the bundled pip, due to the `tail` command being run not being the command we expected: ``` -----> Installing pip 25.2, setuptools 70.3.0 and wheel 0.45.1 ./tail: line 1: heroku: command not found ! Internal Error: Unable to locate the Python stdlib's bundled pip. ``` Removing this customisation of `PATH` is a breaking change, but safer in the long run (and also matches the Python CNB behaviour). Any apps that call a script or binary that's in the root directory of their app from `bin/pre_compile` or `bin/post_compile` hook (or any other subprocess called by the buildpack) will now need to do so via an explicit relative path. For example, use `./my_command` not `my_command` when calling the script/binary. This change doesn't affect: - app behaviour at run-time (only during the build) - apps that call scripts in a subdirectory (eg `foo/my_command`) - apps that already use a relative path for scripts in the app's root directory (eg `./my_command`) GUS-W-20472356.
…1990) In heroku#1890 a warning was added if an existing Python virtual environment was found at `.venv/` or `venv/` in the root of the app dir, for the reasons described in that PR. Now that 3 months have passed, this warning is being converted to an error. Users with an inadvertently committed venv will need to follow the instructions in the error message to remove the venv directory from the Git index and add it to their `.gitignore` file. GUS-W-19127259.
Co-authored-by: heroku-linguist[bot] <136119646+heroku-linguist[bot]@users.noreply.github.com>
Previously if an app had only a `setup.py` file and no Python package manager files (such as `requirements.txt`, `Pipfile.lock`, `Poetry.lock` or `uv.lock`), the buildpack would install the project using `pip install --editable .` However, this implicit fallback doesn't make sense now that the buildpack supports multiple package managers, and so has to guess which package manager to use, and whether to install the project in editable mode or not. As such, in heroku#1897 this fallback was deprecated, and is now being sunset. This also brings the classic Python buildpack's behaviour in line with the Python CNB. Apps that only have a `setup.py` file will now need to add an explicit `requirements.txt` file containing: ``` --editable . ``` GUS-W-19275444.
Currently the buildpack will use whichever package manager it finds first, if the files of multiple package managers are found. This occasionally results in support tickets where the user believes the build to not be installing dependencies correctly, when in fact they are adding dependencies to the wrong package manager file. It also means historic users of third-party Poetry and uv buildpacks might not realise that the buildpack now natively supports those package managers (in a much more efficient way), if they missed our release announcements. As such, in November 2024 in heroku#1692 a warning was added, which we're now converting to an error. Users with multiple package manager files committed to their Git repo will need to pick one package manager and delete the files relating to the others. And users who are still using the third-party Poetry or uv buildpacks will need to remove those buildpacks from their app: https://devcenter.heroku.com/articles/managing-buildpacks#remove-classic-buildpacks Closes heroku#1691. GUS-W-18915632.
* Bump uv from 0.9.14 to 0.9.17 Bumps [uv](https://github.com/astral-sh/uv) from 0.9.14 to 0.9.17. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](astral-sh/uv@0.9.14...0.9.17) --- updated-dependencies: - dependency-name: uv dependency-version: 0.9.17 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Add changelog entry --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
Co-authored-by: heroku-linguist[bot] <136119646+heroku-linguist[bot]@users.noreply.github.com>
![semgrep-code-scalingo[bot]](https://avatars.githubusercontent.com/u/4868969?s=60&v=4){kind=small}
| @@ -1 +1 @@ | |||
| uv==0.9.14 | |||
| uv==0.9.17 | |||
There was a problem hiding this comment.
Legal Risk
uv 0.9.17 was released under the non-standard license, a license that
is currently prohibited by your organization. Merging is blocked until this is resolved.
Recommendation
Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license.
Member
There was a problem hiding this comment.
@Frzk Semgrep has apparently been configured to block the merge. You need to notify InfoSec to stop blocking PR merge for this reason...
EtienneM
approved these changes
Dec 30, 2025
| @@ -1 +1 @@ | |||
| uv==0.9.14 | |||
| uv==0.9.17 | |||
Member
There was a problem hiding this comment.
@Frzk Semgrep has apparently been configured to block the merge. You need to notify InfoSec to stop blocking PR merge for this reason...
Author
|
@EtienneM : It's already been validated by InfoSec :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related to #170