Support updating uv.lock

[edgarrmondragon]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

Now that uv has a lockfile, it would be nice if dependabot supported making updates to pyproject.toml and/or uv.lock using uv.

Related:

• Support python uv as pip-compile compatible replacement #10039
• Support uv compiled requirements files #10040

[dvf]

Hell ye 🙌

[danieltalsky]

We're stuck with Dependabot due to corporate reasons and we'd love Dependabot support for uv.lock files as soon as possible.

[EdmundGoodman]

This has also blocked us, so +1 for prioritising this.

As a stopgap in the meantime, I've hacked together a small GitHub Actions workflow which provides fairly similar functionality to unblock our project whilst we wait. A small demo is available here https://github.com/EdmundGoodman/update-bot if it is helpful to anyone else.

It slightly differs from dependabot in that it makes a PR on a cron schedule if any dependency can be updated rather than whenever a security vulnerability is found, but is good enough for us for now. It differs from other workflows I've seen in this thread, as it PRs rather than just directly committing to main which could break things.

[inoa-jboliveira]

Hi everyone, according to Astral, uv is used to download over 200M packages from pypi everyday.

I verified this info via BigQuery and it is true as yesterday there were 219M downloads from pypi out of 1950M downloads. A total of 11% of all requests made.

Another tool that dependabot supports is poetry and it only comprises <4% of all requests on the same date.

Please see that uv is a extremely relevant project that would be incredibly appreciated if dependabot supports. I don't know if there is any maintainer reading this, but please check the stats.

Query:

SELECT
    COUNT(IF(details.installer.name = 'uv', 1, NULL)) AS uv_downloads,
    COUNT(*) AS total_downloads,
    SAFE_DIVIDE(
        COUNT(IF(details.installer.name = 'uv', 1, NULL)),
        COUNT(*)
    ) * 100 AS percentage
FROM
  `bigquery-public-data.pypi.file_downloads` WHERE TIMESTAMP_TRUNC(timestamp, DAY) = TIMESTAMP("2024-11-06")

[win845]

As this is taking a while, I have created a github action as a temporary workaround which mimics pip-complile for dependabot.
The push.yml workflow is calling uv-sync.sh to generate a requirements.txt with pip-compile comment for dependabot to pick up

If the previous commit author is dependabot it will add the new updated requirements.txt as constraint to pyproject.toml and run uv lock to update the lockfile.

It exports uv.lock to requirements.txt and adds the pip-compile comment. (also if you forgot to do it yourself)
Finally new uv.lock and requirements.txt are pushed as extra commit.

there is a demo https://github.com/win845/uv-light which has couple of outdated major and minor dependencies, causing dependabot to make pull requests.

NOTE: the extra commit in a github action will not retrigger the workflow again by convention

[sebastian-correa]

Can someone from the Dependabot team comment on if this is on their backlog and with what priority? I agree with @inoa-jboliveira that uv is picking up a lot of steam and not having Dependabot support is hindering its adoption in a couple projects I work on 😢.

[samuelhwilliams]

We switched to another tool for dependency management so that we could start using uv 🤷‍♂️ Just one datapoint of the effects of slow adoption here, but there are alternatives out there.

[bosd]

@samuelhwilliams What is the alternative with uv support you are using?

[chris48s]

@bosd Renovate's pep621 manager supports updating uv.lock https://docs.renovatebot.com/modules/manager/pep621/

[samuelhwilliams]

^ yep, that

[sebastian-correa]

Sorry to have to tag @dependabot (and this subset of arbitrarily chosen people from the group: @jeffwidman @abdulapopoola @jakecoffman @carlincherry @landongrindheim), but given this issue's history, it'd be fairly useful if you guys could provide some insight into its status, or point me to who to ask about this.

Is this on the backlog and with what priority? If not, are there any plans regarding uv + Dependabot?

[micahstairs]

@bosd Renovate's pep621 manager supports updating uv.lock https://docs.renovatebot.com/modules/manager/pep621/

I just migrated to renovate last week as a result of this limitation and it was a pretty smooth transition!

[abdulapopoola]

Hello everyone,

I apologize for the late responses and have some good news to share. Working on uv is on our roadmap for this quarter (Jan - Mar, 2025). We're still finetuning our plans and hope to eventually publish a public roadmap to make this easier.

Thanks for all the help and support!

[charliermarsh]

Awesome, that's great to hear @abdulapopoola. Thanks for sharing and feel free to tag me or @zanieb if you have any uv-specific questions.