Hash requirement enforcement now works with pylock.toml files, and data files are properly included in editable installs—two production-blocking fixes.
Summary
Hash pinning is a security control for supply chain integrity; breaking it on pylock.toml defeats reproducible builds. Data file inclusion in editable mode unblocks local development workflows for packages with non-Python assets.
Implementation verdict
Drop-in replacement for uv ≥0.11.12. Run the shell or PowerShell installer, or download a prebuilt binary for your platform. If you use pylock.toml with --require-hashes or editable installs with data files, upgrade now. No breaking changes.
Sources
Dev Signal