dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support updating `uv.lock` #10478

Open edgarrmondragon opened 2 months ago

edgarrmondragon commented 2 months ago


Feature description

Now that uv has a lockfile, it would be nice if dependabot supported making updates to pyproject.toml and/or uv.lock using uv.

Related:

dvf commented 1 month ago

Hell ye 🙌

danieltalsky commented 3 days ago

We're stuck with Dependabot due to corporate reasons and we'd love Dependabot support for uv.lock files as soon as possible.

EdmundGoodman commented 3 days ago

This has also blocked us, so +1 for prioritising this.

As a stopgap in the meantime, I've hacked together a small GitHub Actions workflow which provides fairly similar functionality to unblock our project whilst we wait. A small demo is available here https://github.com/EdmundGoodman/update-bot if it is helpful to anyone else.

It slightly differs from dependabot in that it makes a PR on a cron schedule if any dependency can be updated, rather than whenever a security vulnerability is found, but it is good enough for us for now. It differs from other workflows I've seen in this thread in that it opens a PR rather than directly committing to main, which could break things.
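For readers who want to build the same kind of stopgap themselves, the following is an added example workflow written for this page; it is neither EdmundGoodman's update-bot nor Dependabot's own code. It runs `uv lock --upgrade` on a cron schedule, checks that the refreshed lockfile still resolves with `uv sync --locked`, and opens a PR only when `uv.lock` changed. The cron expression, branch name, and action version tags (`actions/checkout@v4`, `astral-sh/setup-uv@v3`, `peter-evans/create-pull-request@v6`) are assumptions to adjust for your repository.

```yaml
# Added example: scheduled uv.lock refresh that lands as a PR, not a direct push to main.
# Action version tags, branch name and schedule are assumptions; pin them to what you audit.
name: Update uv.lock

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed cadence)
  workflow_dispatch:       # allow a manual run for testing

# Least privilege: this job needs to push a branch and open a PR, nothing more.
permissions:
  contents: write
  pull-requests: write

jobs:
  update-lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: astral-sh/setup-uv@v3

      - name: Upgrade every locked dependency to the newest version allowed by pyproject.toml
        run: uv lock --upgrade

      # --locked fails if uv.lock is not consistent with pyproject.toml,
      # so a broken or stale lockfile never reaches the PR step.
      - name: Verify the refreshed lockfile resolves
        run: uv sync --locked

      # The action is a no-op when the working tree is clean, so no PR is
      # opened on weeks where nothing changed. add-paths limits the commit
      # to uv.lock so stray build artefacts cannot ride along.
      - name: Open a pull request if uv.lock changed
        uses: peter-evans/create-pull-request@v6
        with:
          branch: chore/uv-lock-update
          title: "chore: update uv.lock"
          commit-message: "chore: update uv.lock"
          body: "Automated `uv lock --upgrade`; review the diff before merging."
          add-paths: uv.lock
```

Two caveats a practitioner should keep in mind. First, like the stopgap in the comment above, this bumps everything that can be bumped and does not consult an advisory database, so it is a convenience updater rather than a security updater; that is exactly the gap native Dependabot support for `uv.lock` would close. Second, a PR created with the default `GITHUB_TOKEN` does not trigger other workflows on the resulting branch, so CI will not run on the PR unless you use a separate token or a GitHub App; review the lockfile diff and CI status before merging.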