dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support updating `uv.lock` #10478

Open edgarrmondragon opened 3 months ago

edgarrmondragon commented 3 months ago

Is there an existing issue for this?

Feature description

Now that uv has a lockfile, it would be nice if dependabot supported making updates to pyproject.toml and/or uv.lock using uv.

Related:

dvf commented 2 months ago

Hell ye 🙌

danieltalsky commented 1 month ago

We're stuck with Dependabot due to corporate reasons and we'd love Dependabot support for uv.lock files as soon as possible.

EdmundGoodman commented 1 month ago

This has also blocked us, so +1 for prioritising this.

As a stopgap in the meantime, I've hacked together a small GitHub Actions workflow which provides fairly similar functionality to unblock our project whilst we wait. A small demo is available here https://github.com/EdmundGoodman/update-bot if it is helpful to anyone else.

It slightly differs from dependabot in that it makes a PR on a cron schedule if any dependency can be updated rather than whenever a security vulnerability is found, but is good enough for us for now. It differs from other workflows I've seen in this thread, as it PRs rather than just directly committing to main which could break things.

inoa-jboliveira commented 3 weeks ago

Hi everyone, according to Astral, uv is used to download over 200M packages from PyPI every day.

I verified this info via BigQuery and it is true as yesterday there were 219M downloads from pypi out of 1950M downloads. A total of 11% of all requests made.

Another tool that dependabot supports is poetry and it only comprises <4% of all requests on the same date.

Please see that uv is an extremely relevant project, and Dependabot support for it would be incredibly appreciated. I don't know if there is any maintainer reading this, but please check the stats.

Query:

```sql
SELECT
    COUNT(IF(details.installer.name = 'uv', 1, NULL)) AS uv_downloads,
    COUNT(*) AS total_downloads,
    SAFE_DIVIDE(
        COUNT(IF(details.installer.name = 'uv', 1, NULL)),
        COUNT(*)
    ) * 100 AS percentage
FROM
    `bigquery-public-data.pypi.file_downloads`
WHERE
    TIMESTAMP_TRUNC(timestamp, DAY) = TIMESTAMP("2024-11-06")
```

win845 commented 1 week ago

As this is taking a while, I have created a GitHub Action as a temporary workaround which mimics pip-compile for Dependabot. The push.yml workflow calls uv-sync.sh to generate a requirements.txt with the pip-compile comment for Dependabot to pick up.

If the previous commit author is Dependabot, it will add the new updated requirements.txt as a constraint to pyproject.toml and run uv lock to update the lockfile.

It exports uv.lock to requirements.txt and adds the pip-compile comment (also if you forgot to do it yourself). Finally, the new uv.lock and requirements.txt are pushed as an extra commit.

There is a demo at https://github.com/win845/uv-light which has a couple of outdated major and minor dependencies, causing Dependabot to make pull requests.

NOTE: the extra commit in a github action will not retrigger the workflow again by convention
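A shell sketch of the export-and-mark step win845 describes, added here as an example rather than code from the uv-light repository. It assumes uv's `uv export --format requirements-txt` and `uv lock --upgrade-package name==version` commands, git on PATH, and the pip-compile header wording that Dependabot keys on; it feeds Dependabot's bumped pins to `uv lock` directly instead of adding them as a pyproject.toml constraint.

```shell
#!/usr/bin/env sh
# Added example, not win845's uv-sync.sh. Assumes uv >= 0.4 and git.
set -eu

# Header line Dependabot's pip-compile detection keys on (assumed wording).
PIP_COMPILE_HEADER='# This file is autogenerated by pip-compile with Python 3.12'

# Return 0 when the commit author string is Dependabot's bot identity.
is_dependabot_author() {
    case "$1" in
        'dependabot[bot]'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prepend the pip-compile header to a requirements file unless it has one.
add_pip_compile_header() {
    if head -n 1 "$1" | grep -q 'autogenerated by pip-compile'; then
        return 0
    fi
    printf '%s\n' "$PIP_COMPILE_HEADER" | cat - "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the "name==version" pins from a requirements file, one per line,
# dropping comments, -e/--hash options, hash continuations and markers.
requirement_pins() {
    grep -E '^[A-Za-z0-9_.-]+==[^ ;]+' "$1" \
        | sed -E 's/^([A-Za-z0-9_.-]+==[^ ;]+).*/\1/'
}

# Full step: after a Dependabot commit, push its bumped pins into uv.lock;
# then re-export the lockfile so requirements.txt matches it and is marked.
sync_requirements() {
    if is_dependabot_author "$(git log -1 --pretty=%an)"; then
        requirement_pins requirements.txt | while read -r pin; do
            uv lock --upgrade-package "$pin"
        done
    fi
    uv export --format requirements-txt --no-hashes -o requirements.txt
    add_pip_compile_header requirements.txt
}
```

Run `sync_requirements` from the repository root in the workflow; only that function touches uv and git, the helpers work on any requirements file.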