Warn when missing minimal bounds when using tool.uv.sources
#3452
Conversation
konstin
force-pushed
the
konsti/ensure-bound
branch
from
f6e7831
to
fdd8e3b
Compare
|
I think I have a strong preference for this being a warning? Maybe it'd be configurable in the future.. i.e. A warning seems less likely to block adoption. |
When using `tool.uv.sources`, we warn that requirements have a bound, i.e. at least a lower version constraint. When using a library, the symbols you import were introduced in different versions, creating an implicit lower bound. This forces to make that bound explicit. This is crucial to prevent backtracking resolvers from selecting an ancient versions that is not compatible (or worse, doesn't build), and a performance optimization on top. This feature is gated to `tool.uv.sources` (as it should have been for #3263/#3443) to not unnecessarily break legacy workflows. It is also helpful specifically when using a `tool.uv.sources` section that contains constraints that are not published to pypi, e.g. for workspace dependencies. We can adjust those later to e.g. not constrain workspace dependencies with `publish = false`, but i think it's the right setting to start with.
konstin
force-pushed
the
konsti/ensure-bound
branch
from
fdd8e3b
to
a5ca909
Compare
konstin
changed the title
tool.uv.sourcestool.uv.sources
|
This is a correctness check (no lower bound is almost certainly incorrect), you should not be able to silence correctness checks; the correct way to get rid of the warning is to add the lower bound your project has, either implicitly or by policy. |
|
I'm not totally convinced that I want this, but I guess it's fine for now if it's limited to |
| @@ -494,7 +494,7 @@ pub(crate) fn lower_requirement( | |||
| Source::Registry { index } => match requirement.version_or_url { | |||
| None => { | |||
| warn_user_once!( | |||
| "Missing version constraint (e.g. a lower bound) for {}", | |||
| "Missing version constraint (e.g. a lower bound) for `{}`", | |||
There was a problem hiding this comment.
Please change "e.g. a lower bound" to "e.g., lower bound".
|
Is there a way to add lower bounds automatically for installed dependencies that doesn't have them? Not sure what exactly triggered the warning, update to 0.3.1 or (I guess more likely) adding a dependency from GitHub. |
|
@denkasyanov Can you describe steps to reproduce your problem and the exact error you're seeing? |
|
Sorry, should have added more context from the beginning. I updated from uv 0.3.0 to 0.3.1 AND replaced the uv remove spyne
uv add git+https://github.com/arskom/spyne@f105ec2f41495485fef1211fe73394231b3f76e5After that I tried to run My dependencies at the moment: [project]
dependncies = [
"celery",
"django",
]This was expected, so no error (not even a real problem) here. But since I had a ton of dependencies, I thought, maybe there is a way to "half-lock" them in the [project] table. So that I could turn the example above into something like: [project]
dependncies = [
"celery>=5.4.0",
"django>=5.1",
]for all regular and dev dependencies. |
When using
tool.uv.sources, we warn that requirements have a bound, i.e. at least a lower version constraint.When using a library, the symbols you import were introduced in different versions, creating an implicit lower bound. This warning makes this explicit. This is crucial to prevent backtracking resolvers from selecting an ancient versions that is not compatible (or worse, doesn't build), and a performance optimization on top.
This feature is gated to
tool.uv.sources(as it should have been to begin with for #3263/#3443) to not unnecessarily break legacy workflows. It is also helpful specifically when using atool.uv.sourcessection that contains constraints that are not published to pypi, e.g. for workspace dependencies. We can adjust those later to e.g. not constrain workspace dependencies withpublish = false, but i think it's the right setting to start with.