-
Notifications
You must be signed in to change notification settings - Fork 772
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add dependabot support #2512
Comments
We don't have a lockfile standard here at uv so I think that the |
Fair enough! As a secondary point, it might be useful to work with the dependabot maintainers to allow them to use uv for dependency resolution. We have some repositories which dependabot times out trying to solve, and uv solves pretty much instantaneously. Given they explicitly support poetry (including generating a lock file), there's definitely precedent for it, and the goal of pip compatibility means that this could just be a straight swap in some repositories. |
Do you have a concrete example? Not uv related, but I have a significant improvement to Pip's resolution for complex backtracking cases (https://github.com/notatallshaw/pip/tree/prefer-conflicting-causes), and it would be good to know as many real world cases it solves or not. |
I tried spending a little time on this today and got some feedback from dependabot's CI here https://github.com/dependabot/dependabot-core/actions/runs/9581241755/job/26417616046 One error appears to be easy to fix, there is a check to control that there is an error trying to install a dependency that should fail. The other I have to look into but here is the message we get from uv when dependabot tries to use it as a direct replacement for
|
Made a bit more progress and found that there is an existing issue here to fix what I encountered above #1964, writing it down for future generations. |
The above issue is solved, one step closer! We are now blocked with a tiny header difference issue #5031 which is already merged and will be out with next release, thanks @skshetry . I've mentioned it in another issue but I'm holding from the |
Another alternative could to be parse the compile_command. That is what renovatebot does. |
Dependabot does not support uv yet: astral-sh/uv#2512
Is there any update on this or an estimate on when uv will support dependabot? I can see the issues you mentioned @avilaton are resolved. |
I think the |
Maybe I'm reading it wrong but this issue seems to have evolved a little after it was originally created. |
See #6236 — basically it's not supported yet. I think they're working on it still. Renovate supports this. |
👋 from the GitHub Dependabot team. There's a PR in dependabot-core that aims to help support uv. @zanieb in case you didn't notice the tag there, i'm pinging you here to see if you could take a look :) Thanks! |
I'm not quite sure on whether this is a
rye
or auv
issue, but it would be broadly useful to have dependabot understand rye/uv backed projects as a target for dependabot updates. The current known targets arepip
andpoetry
(which you leave as pip, they just have support for a poetry-style pyproject file).Whether there is some way of tricking dependabot using the
pip
compatibility layer, or if it's better to have bespoke handlers I'm not sure!The text was updated successfully, but these errors were encountered: