feat(managers): add support for uv universal locking #30756

Merged
merged 7 commits into from
Aug 19, 2024

@mkniewallner (Contributor) commented Aug 13, 2024

Changes

Note

If this contribution is accepted, we'll need to install uv in https://github.com/containerbase/base, but before doing that, I'd prefer to know if the contribution will be accepted. I also have a question related to how the dependency should be installed, that could determine how the dependency will be installed in the Docker image.

This PR implements partial support for uv by focusing on supporting the new universal lock file (uv.lock).

Context

uv supports 2 ways of managing and locking dependencies:

In both situations, it is possible to define the dependencies using PEP 621, which Renovate already supports.

Although the linked issue mostly discussed supporting the pip-tools way of locking dependencies (because at the time, universal locking did not exist), this PR is about implementing uv.lock support.

For the implementation, I took a lot of inspiration from the already implemented pdm manager, which is really close to uv, since both tools support universal locking and are built on top of PEP 621.

Things implemented

Support for [tool.uv.dev-dependencies]

Documentation: https://docs.astral.sh/uv/concepts/dependencies/#development-dependencies

We basically have a single list of dependencies (unlike PDM, which allows creating multiple groups of development dependencies).

Updating lock file on pyproject.toml updates

Documentation: https://docs.astral.sh/uv/reference/cli/#uv-lock

uv supports updating specific packages in the lock file by passing the --upgrade-package option. Weirdly, the option is not listed in the documentation above, but we can find it in the CLI:

$ uv lock --help | grep -- '--upgrade-package'
  -P, --upgrade-package <UPGRADE_PACKAGE>  Allow upgrades for a specific package, ignoring pinned versions in any existing output file. Implies `--refresh-package`

Lock file maintenance

Documentation: https://docs.astral.sh/uv/reference/cli/#uv-lock

uv supports refreshing the lock file for transitive dependencies by using uv lock --upgrade. Unlike PDM, --upgrade is necessary here, because by default, uv will not try to refresh any dependency in the lock file, unless there are updates in pyproject.toml that require updating it. So by passing --upgrade, we update all dependencies to the latest available while respecting ranges in pyproject.toml.

Things left aside for now

As mentioned earlier, this PR does not implement the 2nd way of locking dependencies: in a pip-tools fashion. We could also support this later though, but I believe we'd first have to define how to differentiate uv from the real pip-tools, since both use the same output file.

Another thing I did not add is the extraction of locked versions in the extractLockedVersions method, which is something implemented in PDM. Although it should not be too complex to handle, I intentionally chose to leave it aside for now, because the universal lock file is quite new, and could be subject to changes as projects start switching to it. Case in point, the most recent breaking change to it was last week (astral-sh/uv#5861). Once things stabilise, we can of course add support for reading lock files (which AFAIK is used for detecting dependencies with CVEs and raising PRs to update them?).

Finally, there is also a notion of workspaces that is, from all I know, similar to Yarn or Cargo. I don't know how much work it would be to support that in Renovate, but that can probably be handled later, especially if this is subject to change.

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

I've tested the changes over https://github.com/mkniewallner/showcase-uv-renovate.

This shows:

@mkniewallner mkniewallner marked this pull request as ready for review August 13, 2024 23:45
@mkniewallner mkniewallner mentioned this pull request Aug 13, 2024
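
An added example, not code from this PR or from Renovate: the two update modes described in the PR description (`uv lock --upgrade-package` for specific packages, `uv lock --upgrade` for lock file maintenance) mapped onto an argv array, with package names checked against the PEP 508 name grammar so that a name read from an untrusted pyproject.toml cannot be parsed as an option. `LockRequest`, `LockUpdate` and `buildUvLockArgs` are hypothetical names.

```typescript
// Added example; LockRequest, LockUpdate and buildUvLockArgs are hypothetical names.

// PEP 508 project name: alphanumeric at both ends, ".", "_" or "-" only inside.
const PEP508_NAME = /^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$/;

interface LockUpdate {
  depName: string; // taken from pyproject.toml, so treated as untrusted
}

interface LockRequest {
  isLockFileMaintenance: boolean;
  updatedDeps: LockUpdate[];
}

// PEP 503 normalisation, so "Foo_Bar" and "foo-bar" count as one package.
function normalizeName(name: string): string {
  return name.toLowerCase().replace(/[-_.]+/g, '-');
}

// Returns an argv array (never a shell string) for the uv invocation.
function buildUvLockArgs(req: LockRequest): string[] {
  // Lock file maintenance: refresh everything within the pyproject.toml ranges.
  if (req.isLockFileMaintenance) {
    return ['uv', 'lock', '--upgrade'];
  }
  const args: string[] = ['uv', 'lock'];
  const seen: string[] = [];
  for (const dep of req.updatedDeps) {
    // A name such as "--something" would otherwise be parsed as an option.
    if (!PEP508_NAME.test(dep.depName)) {
      throw new Error('invalid package name: ' + JSON.stringify(dep.depName));
    }
    const name = normalizeName(dep.depName);
    if (seen.indexOf(name) !== -1) {
      continue; // already requested
    }
    seen.push(name);
    args.push('--upgrade-package', name);
  }
  return args;
}
```

Passing the array to a process-spawning API without a shell keeps each name a single argument; the name check covers the remaining case of a leading dash.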
@mkniewallner (Contributor Author) commented Aug 14, 2024

Just a note that I intentionally only linked the issue instead of using "Closes" in the PR description because the PR only adds support for the universal locking strategy, not the pip-tools one. I don't mind closing the original issue though, but we should probably create another one to track support for pip-tools locking style in that case.

secustor previously approved these changes Aug 15, 2024
lib/modules/manager/pep621/processors/uv.ts (review thread resolved)
Co-authored-by: Michael Kriese <[email protected]>
@viceice viceice enabled auto-merge August 19, 2024 13:29
@viceice viceice added this pull request to the merge queue Aug 19, 2024
Merged via the queue into renovatebot:main with commit e8d872f Aug 19, 2024
38 checks passed
@zanieb commented Aug 19, 2024

Hi! Is there an example somewhere of what's required to configure Dependabot to work with the various forms of uv outputs? I'd love to add a guide to our official documentation.

Also, as a note in response to the summary comment, we also support universal locking in requirements.txt files with the uv pip compile --universal flag. Is that supported here?

@mkniewallner mkniewallner deleted the feat/add-support-for-uv branch August 19, 2024 14:52
@mkniewallner (Contributor Author)

> Also, as a note in response to the summary comment, we also support universal locking in requirements.txt files with the uv pip compile --universal flag. Is that supported here?

Not yet, this PR only implements universal locking, but there was some discussion to support uv pip compile as well in the linked issue. Since it was closed by this PR, we should probably create a new one specifically for uv pip compile support.

> Hi! Is there an example somewhere of what's required to configure Dependabot to work with the various forms of uv outputs? I'd love to add a guide to our official documentation.

You mean Renovate, not Dependabot, right? 😄 Since Renovate will look for a uv.lock file to determine that uv is used, it should not require any specific configuration for users already using Renovate. But we might mention in uv's documentation that Renovate is supported (but only supports universal locking, and not uv pip compile).

@renovate-release (Collaborator)

🎉 This issue has been resolved in version 38.41.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@zanieb commented Aug 19, 2024

> Not yet, this PR only implements universal locking, but there was some discussion to support uv pip compile as well in the linked issue. Since it was closed by this PR, we should probably create a new one specifically for uv pip compile support.

Thanks for clarifying. That sounds good to me.

> You mean Renovate, not Dependabot, right? 😄 Since Renovate will look for a uv.lock file to determine that uv is used, it should not require any specific configuration for users already using Renovate. But we might mention in uv's documentation that Renovate is supported (but only supports universal locking, and not uv pip compile).

Sorry! Yes haha, lost in my pile of notifications. That's great to know — I'll give it a try so I can write a quick guide. Thanks again!

@mkniewallner (Contributor Author)

If you need an example, there's https://github.com/mkniewallner/showcase-uv-renovate, and if you need more details, happy to help, we can discuss that in Astral's Discord (same username as in GitHub) in order to not spam maintainers here 🙂

Development

Successfully merging this pull request may close these issues.

New python package manager: uv