Support uv compiled requirements files #10040
We at @Shiphero are looking forward to using this functionality as soon as it becomes available. Currently we use Dependabot only as an alert to recompile manually, as we have to manage everything via uv (and it generates slightly different results than pip-compile).
@edgarrmondragon What is missing to merge this? It is a very valuable feature.
Co-authored-by: Edgar Ramírez Mondragón <16805946+edgarrmondragon@users.noreply.github.com>
Co-authored-by: skshetry <18718008+skshetry@users.noreply.github.com>
…ger uv pip compile test coverage
Co-authored-by: Edgar Ramírez Mondragón <16805946+edgarrmondragon@users.noreply.github.com>
@edgarrmondragon I think we are in a better position now
Indeed. Would love to get some response here from the maintainers. Maybe we also need an update to https://github.com/dependabot/smoke-tests coupled with this?
@robaiken @sachin-sandhu Any chance you could look at this one, please?
I think we should also add a test for |
First of all - uv is awesome and I am 100% pro adding uv support in dependabot. @sachin-sandhu @jeffwidman @robaiken Please help channel the community's efforts
Hi all, I'm one of the product managers at GitHub responsible for Dependabot. First off, thank you all for the great collaboration and discussion in here, and especially @avilaton for taking the initiative to start this work and the discussion. We discussed this internally as a GitHub team and came to effectively the same conclusion as @Mogost in this comment: while I hope that this helps clarify what we think would be best for Dependabot, and sorry for the lack of attention. In the future, please don't hesitate to ping me for any ecosystem / coverage related suggestions for Dependabot.
Hey @jonjanego and @Mogost! Thanks for both your comments! Just wanted to chime in because I have a feeling from both your comments that you might have misunderstood the pull request (or I might be the one misunderstanding the code changes). This PR doesn't replace I personally think that's a reasonable implementation and one that could be welcomed into Dependabot without breaking any existing functionality :) EDIT: Forgot to mention that this is most probably due to how the initial pull request comment was worded, so I just wanted to explain a bit what the PR actually achieves.
Review thread on python/lib/dependabot/python/file_updater/pip_compile_file_updater.rb, quoted lines:

```ruby
options << "--no-annotate" unless requirements_file.content.include?("# via ")
options << "--no-header"
```
This line slightly confuses me, as wouldn't this remove the only marker that makes it possible to identify uv compiled locks?
Is it possible to specifically request uv instead of pip-tools when no header is present?
Dependabot currently doesn't allow specifying what tooling to use for compiled dependencies to my knowledge; it just has been pip-compile for the pip resolver, always.
Maybe in the future, configuration could be added for it, but I don't think this is the case, so keeping the header is most probably something that is wanted. Otherwise, as the current code stands, I don't think it will even be able to pick up that it's a dependency compilation file (even for pip-compile).
edit: The first time I read this I understood you were referring to
After your clarification, it makes more sense to me. What is really going on here is checking whether the file was generated with uv or with pip-tools. So it really makes sense. Also, the uv team discusses Dependabot support here: astral-sh/uv#2512. This part of the code is crucial and I missed it the first time I looked at it.
This makes sense to me. As a minor note, we allow exporting the
Let me know if there are any specific questions here.
Help me out here please, I think you are correct about the title of the PR being misleading. I think what I'm proposing is more like "Use uv for requirements.txt files if present in their header". Will that help?
@avilaton I would personally use "Support uv compiled requirements files". Not mentioning replacing
Also, would be cool if you could have a look at the review I made :)
…ater.rb Co-authored-by: beagold <86345081+beagold@users.noreply.github.com>
…ater.rb Co-authored-by: beagold <86345081+beagold@users.noreply.github.com>
Hi everyone. Thanks for clarifying the intentions here and continuing to collaborate! When this PR gets into a state that you think is close to merge-able, please tag me and I'll work with our engineering team to get someone to take a look so we can get this over the line. Also, if someone contributing here could also open a corresponding PR to the Dependabot documentation to suggest docs changes to support this improvement, it would be greatly appreciated, as doing that would be another requirement before we could merge this in. Please link to that PR when it's ready. Thanks!
What are you trying to accomplish?
Trying to draft support for using https://github.com/astral-sh/uv as a replacement for pip-tools in Dependabot. The reason for this is that uv is much faster and many projects have already started switching to it. uv is a pip-tools compatible replacement written in Rust.
This is a proposal for:
Anything you want to highlight for special attention from reviewers?
Even if `uv` isn't adopted right now, it might be the long-term solution for pip-compile slowness. We use it for generating requirements.txt, and each time Dependabot does it with `pip-compile` we get a slightly different output which we later correct manually.
How will you know you've accomplished your goal?
The change I introduced is fairly simple. First I look at the requirements file header to identify if uv was used to generate it. If it was, I change the command used from `pyenv exec pip-compile` to `pyenv exec uv pip compile`.
Checklist
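The detection step described in the PR description, and the review-thread concern that `--no-header` strips the marker it depends on, as an added Ruby example that is not code from this PR or from Dependabot. It assumes the header comments that pip-tools and uv write at the top of a compiled file (the `# This file is autogenerated by pip-compile` and `# This file was autogenerated by uv` lines; verify against your own files), takes the `pyenv exec ...` command shape from the PR description, and uses sample requirements files constructed inline. Any header that is not one of the two known generators falls back to pip-compile, so repository content can only choose between the two tools the updater already knows how to run:

```ruby
# Added example, not Dependabot's or the PR's code.
# Header wording below is what pip-tools and uv emit as far as the author
# knows (assumption); adjust the patterns if your files differ.
PIP_COMPILE_HEADER = /^# This file is autogenerated by pip-compile/
UV_HEADER = /^# This file was autogenerated by uv/

# Inspect only the leading comment block of a compiled requirements file.
# Returns :uv, :pip_compile, or :unknown when no recognised header is present.
def detect_compiler(content)
  header = content.each_line.take_while { |line| line.start_with?("#") }.join
  return :uv if header.match?(UV_HEADER)
  return :pip_compile if header.match?(PIP_COMPILE_HEADER)
  :unknown
end

# Build the argv used to regenerate +output_file+ from +input_file+.
# :unknown falls back to pip-compile, mirroring Dependabot's existing default,
# so a file cannot select an arbitrary binary. The header is deliberately kept
# (no --no-header): without it the next run cannot tell uv output from
# pip-tools output and would silently fall back to pip-compile.
def compile_command(content, input_file, output_file)
  tool = detect_compiler(content)
  argv = tool == :uv ? %w[pyenv exec uv pip compile] : %w[pyenv exec pip-compile]
  argv << "--no-annotate" unless content.include?("# via ")
  argv + ["--output-file", output_file, input_file]
end

# Constructed sample files (not taken from any real repository).
UV_SAMPLE = <<~TXT
  # This file was autogenerated by uv via the following command:
  #    uv pip compile requirements.in -o requirements.txt
  requests==2.32.3
      # via -r requirements.in
TXT

PIP_SAMPLE = <<~TXT
  #
  # This file is autogenerated by pip-compile with Python 3.12
  # by the following command:
  #
  #    pip-compile requirements.in
  #
  requests==2.32.3
      # via -r requirements.in
TXT

# What a file looks like after a run with --no-header: the marker is gone.
HEADERLESS_SAMPLE = "requests==2.32.3\n"

if __FILE__ == $PROGRAM_NAME
  [UV_SAMPLE, PIP_SAMPLE, HEADERLESS_SAMPLE].each do |sample|
    puts "#{detect_compiler(sample)}: #{compile_command(sample, 'requirements.in', 'requirements.txt').join(' ')}"
  end
end
```

Running it shows the uv-headed file routed to `uv pip compile`, the pip-tools file to `pip-compile`, and the headerless file also to `pip-compile` (with `--no-annotate`, since no `# via` lines survive), which is the regression the reviewer's question about `--no-header` points at.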