dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support python uv as pip-compile compatible replacement #10039

Open avilaton opened 4 months ago

avilaton commented 4 months ago

Is there an existing issue for this?

Feature description

We are trying to draft support for using https://github.com/astral-sh/uv as a replacement for pip-tools in dependabot.

The reason for this is that uv is much faster and many projects have already started switching to it. uv is a pip-tools compatible replacement written in Rust.

If we are lucky, it should be as easy as changing pip-compile --stuff for uv pip compile --stuff and adding uv as one of the python helpers requirements.

edgarrmondragon commented 3 months ago

I think https://github.com/dependabot/dependabot-core/pull/10040 is ready for a review by the maintainers 🙂

mistercrunch commented 3 weeks ago

Linking my comment here https://github.com/astral-sh/uv/issues/5487#issuecomment-2407871061 around supporting multi-synchronized-outputs, which I think is super relevant to the uv/dependabot integration.

EdmundGoodman commented 1 week ago

In the related issue #10478, I have just put the following comment on a work-around for getting fairly similar functionality to Dependabot in the meantime before this issue is resolved:

This has also blocked us, so +1 for prioritising this.

As a stopgap in the meantime, I've hacked together a small GitHub Actions workflow which provides fairly similar functionality to unblock our project whilst we wait. A small demo is available here https://github.com/EdmundGoodman/update-bot if it is helpful to anyone else.

It slightly differs from dependabot in that it makes a PR on a cron schedule if any dependency can be updated rather than whenever a security vulnerability is found, but is good enough for us for now. It differs from other workflows I've seen in this thread, as it PRs rather than just directly committing to main which could break things.

This might require a tiny bit of modification to work with uv pip compile, but the general idea is the same so thought I'd also mention it here in case it can help anyone.
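Sketch of the stopgap described above adapted to `uv pip compile`, as an added example that is not from dependabot-core or from the update-bot repository linked in the thread: a scheduled workflow re-resolves `requirements.in`, and a PR is opened only when `requirements.txt` actually changes, so nothing lands on main unreviewed. It assumes a `requirements.in` / `requirements.txt` layout and uses the third-party actions named in the comments, whose inputs should be checked against their own docs.

```yaml
# Added example, not part of dependabot-core. Runs `uv pip compile` weekly and
# opens a PR with the refreshed lockfile instead of committing to main.
# Assumed: requirements.in -> requirements.txt; action names and versions as
# listed. In production, pin third-party actions to full commit SHAs rather
# than floating tags so a moved tag cannot change what runs in this job.
name: uv-compile-update

on:
  schedule:
    - cron: "0 6 * * 1"   # Mondays 06:00 UTC
  workflow_dispatch: {}   # allow a manual run for testing

# Least privilege: only what is needed to push a branch and open a PR
permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: astral-sh/setup-uv@v3

      - name: Re-resolve requirements.txt with uv (pip-compile compatible)
        run: |
          uv pip compile requirements.in --upgrade -o requirements.txt
          # Surface the effective diff in the job log before any PR is opened
          git --no-pager diff --stat -- requirements.txt

      - name: Open a PR only if the lockfile changed
        # This action creates no PR when the working tree has no changes
        uses: peter-evans/create-pull-request@v6
        with:
          branch: chore/uv-compile-update
          title: "chore: refresh requirements.txt via uv pip compile"
          commit-message: "chore: refresh requirements.txt via uv pip compile"
          body: |
            Automated re-resolution of requirements.in with `uv pip compile --upgrade`.
            Review the dependency diff and let CI pass on this branch before merging.
          delete-branch: true
```

Unlike Dependabot, this upgrades on a schedule rather than in response to an advisory, so the PR diff is the place to check what changed and why.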