Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dependabot support #2512

Open
mjclarke94 opened this issue Mar 18, 2024 · 12 comments
Open

Add dependabot support #2512

mjclarke94 opened this issue Mar 18, 2024 · 12 comments
Labels
integration Integration into another tool wish Not on the immediate roadmap

Comments

@mjclarke94
Copy link

I'm not quite sure on whether this is a rye or a uv issue, but it would be broadly useful to have dependabot understand rye/uv backed projects as a target for dependabot updates. The current known targets are pip and poetry (which you leave as pip, they just have support for a poetry-style pyproject file).

Whether there is some way of tricking dependabot using the pip compatibility layer, or if it's better to have bespoke handlers I'm not sure!

@zanieb
Copy link
Member

zanieb commented Mar 18, 2024

We don't have a lockfile standard here at uv so I think that the pip dependabot backend should just work? I'm not sure there's more for us to do at this time. This seems more relevant for rye.

@mjclarke94
Copy link
Author

Fair enough! As a secondary point, it might be useful to work with the dependabot maintainers to allow them to use uv for dependency resolution. We have some repositories which dependabot times out trying to solve, and uv solves pretty much instantaneously.

Given they explicitly support poetry (including generating a lock file), there's definitely precedent for it, and the goal of pip compatibility means that this could just be a straight swap in some repositories.

@zanieb zanieb added wish Not on the immediate roadmap integration Integration into another tool labels Mar 21, 2024
@notatallshaw
Copy link
Contributor

We have some repositories which dependabot times out trying to solve, and uv solves pretty much instantaneously.

Do you have a concrete example?

Not uv related, but I have a significant improvement to Pip's resolution for complex backtracking cases (https://github.com/notatallshaw/pip/tree/prefer-conflicting-causes), and it would be good to know as many real world cases it solves or not.

@avilaton
Copy link

I tried spending a little time on this today and got some feedback from dependabot's CI here https://github.com/dependabot/dependabot-core/actions/runs/9581241755/job/26417616046

One error appears to be easy to fix, there is a check to control that there is an error trying to install a dependency that should fail.

The other I have to look into but here is the message we get from uv when dependabot tries to use it as a direct replacement for pip-compile

"error: invalid value 'pyyaml==6.0.1' for '--upgrade-package <UPGRADE_PACKAGE>': Not a valid package or extra name: \"pyyaml==6.0.1\". Names must start and end with a letter or digit and may only contain -, _, ., and alphanumeric characters.\n\nFor more information, try '--help'."

@avilaton
Copy link

avilaton commented Jul 3, 2024

Made a bit more progress and found that there is an existing issue here to fix what I encountered above #1964, writing it down for future generations.

@avilaton
Copy link

The above issue is solved, one step closer! We are now blocked with a tiny header difference issue #5031 which is already merged and will be out with next release, thanks @skshetry .

I've mentioned it in another issue but I'm holding from the autogenerated by uv string in the header to swap pip-compile for uv pip compile for the lack of any better idea and since the header still receives updates, I'd like for this to be taken into account.

@skshetry
Copy link
Contributor

Another alternative could to be parse the compile_command. That is what renovatebot does.

kdeldycke added a commit to kdeldycke/workflows that referenced this issue Jul 16, 2024
Dependabot does not support uv yet: astral-sh/uv#2512
@albertferras-vrf
Copy link

Is there any update on this or an estimate on when uv will support dependabot? I can see the issues you mentioned @avilaton are resolved.

@avilaton
Copy link

Is there any update on this or an estimate on when uv will support dependabot? I can see the issues you mentioned @avilaton are resolved.

I think the uv side of it is done, but need help adding more test coverage on the dependabot PR I submitted and haven't had time to do it. If you have time please have a look at it, all help is welcome!

@danieleades
Copy link
Contributor

Maybe I'm reading it wrong but this issue seems to have evolved a little after it was originally created.
I'm blocked from adopting UV until dependably supports bumping dev dependencies. Is this supported? Is support coming?

@zanieb
Copy link
Member

zanieb commented Aug 21, 2024

See #6236 — basically it's not supported yet. I think they're working on it still. Renovate supports this.

@jonjanego
Copy link

👋 from the GitHub Dependabot team. There's a PR in dependabot-core that aims to help support uv. @zanieb in case you didn't notice the tag there, i'm pinging you here to see if you could take a look :)

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integration Integration into another tool wish Not on the immediate roadmap
Projects
None yet
Development

No branches or pull requests

8 participants