chore(deps): update docker

[bootc-bot]

This PR contains the following updates:

Package	Update	Change
astral-sh/uv	patch	0.10.2 → 0.10.9
nushell/nushell	minor	0.110.0 → 0.111.0
ossf/scorecard	minor	v5.1.1 → v5.4.0
rust-nightly	patch	nightly-2026-03-02 → nightly-2026-03-08

---

Release Notes

astral-sh/uv (astral-sh/uv)

v0.10.9

Compare Source

Released on 2026-03-06.

Enhancements

• Add fbgemm-gpu, fbgemm-gpu-genai, torchrec, and torchtune to the PyTorch list (#​18338)
• Add torchcodec to PyTorch List (#​18336)
• Log the duration we took before erroring (#​18231)
• Warn when using uv_build settings without uv_build (#​15750)
• Add fallback to /usr/lib/os-release on Linux system lookup failure (#​18349)
• Use cargo auditable to include SBOM in uv builds (#​18276)

Configuration

• Add an environment variable for UV_VENV_RELOCATABLE (#​18331)

Performance

• Avoid toml Document overhead (#​18306)
• Use a single global workspace cache (#​18307)

Bug fixes

• Continue on trampoline job assignment failures (#​18291)
• Handle the hard link limit gracefully instead of failing (#​17699)
• Respect build constraints for workspace members (#​18350)
• Revalidate editables and other dependencies in scripts (#​18328)
• Support Python 3.13+ on Android (#​18301)
• Support cp3-none-any (#​17064)
• Skip tool environments with broken links to Python on Windows (#​17176)

Documentation

• Add documentation for common marker values (#​18327)
• Improve documentation on virtual dependencies (#​18346)

v0.10.8

Compare Source

Released on 2026-03-03.

Python

• Add CPython 3.10.20
• Add CPython 3.11.15
• Add CPython 3.12.13

Enhancements

• Add Docker images based on Docker Hardened Images (#​18247)
• Add resolver hint when --exclude-newer filters out all versions of a package (#​18217)
• Configure a real retry minimum delay of 1s (#​18201)
• Expand uv_build direct build compatibility (#​17902)
• Fetch CPython from an Astral mirror by default (#​18207)
• Download uv releases from an Astral mirror in installers by default (#​18191)
• Add SBOM attestations to Docker images (#​18252)
• Improve hint for installing meson-python when missing as build backend (#​15826)

Configuration

• Add UV_INIT_BARE environment variable for uv init (#​18210)

Bug fixes

• Prevent uv tool upgrade from installing excluded dependencies (#​18022)
• Promote authentication policy when saving tool receipts (#​18246)
• Respect exclusions in scripts (#​18269)
• Retain default-branch Git SHAs in pylock.toml files (#​18227)
• Skip installed Python check for URL dependencies (#​18211)
• Respect constraints during --upgrade (#​18226)
• Fix uv tree orphaned roots and premature deduplication (#​17212)

Documentation

• Mention cooldown and tweak inline script metadata in dependency bots documentation (#​18230)
• Move cache prune in GitLab to after_script (#​18206)

v0.10.7

Compare Source

Released on 2026-02-27.

Bug fixes

• Fix handling of junctions in Windows Containers on Windows (#​18192)

Enhancements

• Activate logging for middleware retries (#​18200)
• Upload uv releases to a mirror (#​18159)

v0.10.6

Compare Source

Released on 2026-02-24.

Bug fixes

• Apply lockfile marker normalization for fork markers (#​18116)
• Fix Python version selection for scripts with a requires-python conflicting with .python-version (#​18097)
• Preserve file permissions when using reflinks on Linux (#​18187)

Documentation

• Remove verbose documentation from optional dependencies help text (#​18180)

v0.10.5

Compare Source

Released on 2026-02-23.

Enhancements

• Add hint when named index is found in a parent config file (#​18087)
• Add warning for uv lock --frozen (#​17859)
• Attempt to use reflinks by default on Linux (#​18117)
• Fallback to hardlinks after reflink failure before copying (#​18104)
• Filter pylock.toml wheels by tags and requires-python (#​18081)
• Validate wheel filenames are normalized during uv publish (#​17783)
• Fix message when exclude-newer invalidates the lock file (#​18100)
• Change the missing files log level to debug (#​18075)

Performance

• Improve performance of repeated conflicts with an extra (#​18094)

Bug fixes

• Fix --no-emit-workspace with --all-packages on single-member workspaces (#​18098)
• Fix UV_NO_DEFAULT_GROUPS rejecting truthy values like 1 (#​18057)
• Fix iOS detection (#​17973)
• Propagate project-level conflicts to package extras (#​18096)
• Use a global build concurrency semaphore (#​18054)

Documentation

• Update documentation heading for environment variable files (#​18122)
• Fix comment about uv export formats (#​17900)
• Make it clear that Windows is supported in user- and system- level configuration docs (#​18106)

v0.10.4

Compare Source

Released on 2026-02-17.

Enhancements

• Remove duplicate references to the affected paths when showing uv python errors (#​18008)
• Skip discovery of workspace members that contain only git-ignored files, including in sub-directories (#​18051)

Bug fixes

• Don't panic when initialising a package at the filesystem root (e.g. uv init / --name foo) (#​17983)
• Fix permissions on wheel and sdist files produced by the uv_build build backend (#​18020)
• Revert locked file change to fix locked files on NFS mounts (#​18071)

v0.10.3

Compare Source

Released on 2026-02-16.

Python

• Add CPython 3.15.0a6

Enhancements

• Don't open file locks for writing (#​17956)
• Make Windows trampoline error messages consistent with uv proper (#​17969)
• Log which preview features are enabled (#​17968)

Preview features

• Add support for ruff version constraints and exclude-newer in uv format (#​17651)
• Fix script path handling when target-workspace-discovery is enabled (#​17965)
• Use version constraints to select the default ruff version used by uv format (#​17977)

Bug fixes

• Avoid matching managed Python versions by prefixes, e.g. don't match CPython 3.10 when cpython-3.1 is specified (#​17972)
• Fix handling of --allow-existing with minor version links on Windows (#​17978)
• Fix panic when encountering unmanaged workspace members (#​17974)
• Improve accuracy of request timing (#​18007)
• Reject u64::MAX in version segments to prevent overflow (#​17985)

Documentation

• Reference Debian Trixie instead of Bookworm (#​17991)

nushell/nushell (nushell/nushell)

v0.111.0

Compare Source

This is the 0.111.0 release of Nushell. You can learn more about this release here: https://www.nushell.sh/blog/2026-02-28-nushell_v0_111_0.html

For convenience, we are providing full builds for Windows, Linux, and macOS. Be sure you have the requirements to enable all capabilities: https://www.nushell.sh/book/installation.html#dependencies

This release was made possible by PR contributions from @​132ikl, @​Ady0333, @​amaanq, @​andrewgazelka, @​app/dependabot, @​astral-l, @​ayax79, @​Bahex, @​benblank, @​blindFS, @​BluewyDiamond, @​cablehead, @​ChrisDenton, @​cptpiepmatz, @​cuiweixie, @​evolvomind, @​fdncred, @​fennewald, @​fmotalleb, @​hovancik, @​hustcer, @​InnocentZero, @​it-education-md, @​jlcrochet, @​Juhan280, @​kaathewisegit, @​KaiSforza, @​maxim-uvarov, @​monigarr, @​moooooji, @​NotTheDr01ds, @​pickx, @​pyz4, @​sgvictorino, @​smartcoder0777, @​stuartcarnie, @​teddygood, @​veeceey, @​weirdan, @​WindSoilder, @​ysthakur

ossf/scorecard (ossf/scorecard)

v5.4.0

Compare Source

What's Changed

General

• ✨ Added CLI flags to scan multiple repositories --repos, or an entire GitHub organization --org (#​4793, @​gabrielsoltz)

Checks

Branch-Protection

• 🐛 Fix branch-protection scoring so GitHub rulesets without include patterns are honored, eliminating false warnings for branches covered by those rulesets. (#​4835, @​trask)

Codeowners

• 🐛 add a codeowner expansion limit to prevent api exhaustion by @​spencerschrock in #​4817

Pinned-Dependencies

• 🐛 add check for empty github workflow uses by @​spencerschrock in #​4832

Vulnerabilities

• 🐛 Updated osv-scanner to v2.2.4 for Vulnerabilities detection. (#​4833, @​spencerschrock)

Docs

• 📖 fix dependencies typo by @​martincostello in #​4809

Other

• 🌱 MAINTAINERS: Add Adam Korczynski (AdamKorcz), ADA Logics by @​justaugustus in #​4808
• 🌱 cron add repositories: key Qwen, Meta-Llama, and OSS GPT repositories by @​mkdolan in #​4811
• 🌱 cron: repair GitHub project list with excess path components by @​spencerschrock in #​4819
• 🌱 Added additional AI project repos. by @​mkdolan in #​4838

New Contributors

• @​mkdolan made their first contribution in #​4811
• @​gabrielsoltz made their first contribution in #​4793

Full Changelog: ossf/scorecard@v5.3.0...v5.4.0

v5.3.0

Compare Source

What's Changed

General

• 🐛 Scorecard now skips dangling symlinks and detects symlink path traversal when run on local files. Note: Scorecard has always skipped all symlinks when run against a remote repository. (#​4785, @​spencerschrock)
• ✨ The scorecard serve command was refactored and fixed. It accepts HTTP requests, analyzes the repo, and returns the result over HTTP. by @​Fix3dP0int in #​4665

scorecard serve # will start serving on localhost:8080
curl http://localhost:8080?repo=github.com/ossf/scorecard&show_details=true
{"date":"2025-09-30T09:08:38-06:00","repo":{"name":"github.com/ossf/scorecard","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"scorecard":{"version":"devel","commit":"unknown"},"score":9.5 # rest omitted

Checks

Branch-Protection

• 🐛 Prevent ListReleases from failing a run for forges which don't support the operation (#​4677, @​JamieMagee)
• 🐛 Skip tag-only rulesets during Branch-Protection by @​trask in #​4699

Contributors

• 🐛 Fixed a nil pointer dereference in the Contributors check for GitHub repos analyzed with --file-mode=git (#​4705, @​spencerschrock)

Dangerous-Workflow

• ✨ Scorecard detects dangerous use of discussion title and body. (#​4719, @​AdamKorcz)
• ✨ Scorecard detects dangerous use of blocked_user.name and blocked_user.email (#​4720, @​AdamKorcz)

Fuzzing

• ✨ feat(jsx): support fuzzing in jsx files #​4663 by @​dsm23 in #​4664

Packaging

• 🐛 remove setup-go requirement for Packaging with goreleaser by @​AdamKorcz in #​4673
• ✨ Support Elixir packaging workflows (#​4684, @​AdamKorcz)

Pinned-Dependencies

• 🐛 Check for unpinned reusable workflow calls. (#​4681, @​AdamKorcz)
• 🐛 Support git URLs for calls to npm install. (#​4680, @​AdamKorcz)
• 🐛 Fixed a bug where URLs with surrounding quotes weren't being parsed (#​4736, @​Fix3dP0int)
• 🐛 Fixed a bug when looking up digests for unpinned docker image remediations. (#​4683, @​AdamKorcz)
• 🐛 Docker args are now evaluated when determining if container images are pinned. (#​4780, @​spencerschrock)
• 🐛 Files downloaded from a pinned GitHub reference are now marked as pinned even when downloaded across multiple commands by @​spencerschrock in #​4777

SAST

• 🐛 Fixed a bug where SAST probes would dereference a nil pointer(#​4675, @​AdamKorcz)
• ✨ add support for hadolint SAST by @​AdamKorcz in #​4688

Signed-Releases

• 🐛 Signed-Releases now detects signatures ending with .sigstore.json (#​4728, @​mark-adams)

Security-Policy

• ✨ Start recognizing escaped emails in security policy documents (#​4676, @​ralphbean)

Token-Permissions

• ✨ Add zizmorcore/zizmor-action to allow-list for use of security-events: write. (#​4758, @​martincostello)

Docs

• 📖 Capitalization and punctuation in CONTRIBUTING.md by @​dcaine125 in #​4714
• 📖 Docs improvements for package manager flags in README.md file by @​jakbrownbytes in #​4732
• 📖 document missing cron checks in README by @​spencerschrock in #​4707
• 📖 Rephrased the CI-Test description. by @​kailealee in #​4708
• 📖 Separated command and output in README by @​devon3583 in #​4731
• 📖 spelling fixes by @​scop in #​4750
• 📖 add error clarification for github branch protection errors by @​spencerschrock in #​4778
• 📖 Fix typo in TODO comment by @​deivid-rodriguez in #​4801

Other

• 🌱 move from golang/mock to uber/gomock by @​tylerauerbeck in #​4645
• 🌱 chore: add apache-maven by @​Ndacyayisenga-droid in #​4666
• 🌱 Add unit tests to cover collectPolicyHits by @​ralphbean in #​4674
• 🌱 security: pin GitHub Actions to commit hashes by @​harekrishnarai in #​4678
• 🌱 limit webhook payload size to 1024 bytes by @​spencerschrock in #​4700
• 🌱 add test cases for author name and email by @​AdamKorcz in #​4721
• 🌱 avoid unnecessary []byte to string conversions by @​spencerschrock in #​4539
• 🌱 cron: repair gitlab project list by @​spencerschrock in #​4658
• 🌱 add awslabs/mcp project to public data feed by @​scottschreckengaust in #​4739
• 🌱 cron: treat orgs with IP allowlist as inaccessible by @​spencerschrock in #​4747
• 🌱 chore: Add Hiero's hiero-did-sdk-js and hiero-hederium by @​jwagantall in #​4743
• 🐛 delete broken slsa-goreleaser workflow by @​martincostello in #​4776
• 🌱 migrate to golangci-lint v2 by @​spencerschrock in #​4641
• 🌱 Adds new Chromium dependencies to cron scan config. by @​renewitt in #​4794
• 🌱 migrate tablewriter dependency to v1 new API by @​spencerschrock in #​4796

New Contributors

• @​tylerauerbeck made their first contribution in #​4645
• @​dsm23 made their first contribution in #​4664
• @​Ndacyayisenga-droid made their first contribution in #​4666
• @​ralphbean made their first contribution in #​4674
• @​harekrishnarai made their first contribution in #​4678
• @​trask made their first contribution in #​4699
• @​dcaine125 made their first contribution in #​4714
• @​mark-adams made their first contribution in #​4728
• @​jakbrownbytes made their first contribution in #​4732
• @​kailealee made their first contribution in #​4708
• @​scottschreckengaust made their first contribution in #​4739
• @​devon3583 made their first contribution in #​4731
• @​scop made their first contribution in #​4750
• @​jwagantall made their first contribution in #​4743
• @​Fix3dP0int made their first contribution in #​4665
• @​deivid-rodriguez made their first contribution in #​4801

Full Changelog: ossf/scorecard@v5.2.1...v5.3.0

v5.2.1

Compare Source

What's Changed

Checks

Pinned-Dependencies

• 🐛 Fix pinned check for Dockerfiles with from scratch by @​AlexGustafsson in #​4643

Maintained

• 🐛 add nil-pointer check in issueActivityByProjectMember by @​AdamKorcz in #​4642

New Contributors

• @​AlexGustafsson made their first contribution in #​4643

Full Changelog: ossf/scorecard@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

General

• ✨ Scorecard can now generate its output as an in-toto statement by specifying --format=intoto (#​4491, @​puerco)
• ✨ Improved the performance of --file-mode git (#​4563, @​spencerschrock)
• 🐛 Ensure artifactLocation in sarif output are escaped by @​xhochy in #​4619
• ✨ Scorecard now supports configuration files ending in either .yml or .yaml (#​4568, @​ratancs)
• 🌱 Go 1.23.0 is now required to build Scorecard or use it as a library. (#​4547, @​spencerschrock)

Checks

CI-Tests

• 🐛 Fixed detection for Cirrus CI (#​4564, @​spencerschrock)

Contributors

• ✨ Users listed in CODEOWNERS file in GitHub repos now contribute to Contributors check (#​4611, @​lharrison13)

SAST

• 🐛 SAST: Fixed an issue with Sonar Cloud not being detected due to a renamed GitHub app. (#​4541, @​spencerschrock)

Probes

• ✨ Added independent probe that checks for ecosystem specific non-memory safety practices in the codebase and flags them. (#​4499, @​balteravishay)

Documentation

• 📖 Fix grammar in maintained check messages. (#​4618, @​martincostello)
• 📖 Fix GitHub Actions badges in README.md by @​PeterDaveHello in #​4592
• 📖 MAINTAINERS: Reflect active project contributors and affiliations by @​justaugustus in #​4521

New Contributors

• @​puerco made their first contribution in #​4491
• @​ratancs made their first contribution in #​4568
• @​PeterDaveHello made their first contribution in #​4592
• @​rscohn2 made their first contribution in #​4596
• @​llindsaya made their first contribution in #​4605
• @​xhochy made their first contribution in #​4619
• @​ryjones made their first contribution in #​4628
  Full Changelog: ossf/scorecard@v5.1.1...v5.2.0

---

Configuration

📅 Schedule: Branch creation - "on sunday" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.