`uv pip compile` adds setuptools (and pip) to requirements.txt
pip-compile considers dependencies on setuptools (and pip) unsafe and mentions this at the end of the generated file:

```
# The following packages are considered to be unsafe in a requirements file:
# pip
# setuptools
```

or

```
# The following packages are considered to be unsafe in a requirements file:
# setuptools
```

When using `uv pip compile`, this is not the case and I get pip added to the requirements.txt (the pip dep is coming from pip-tools and setuptools from packages like babel, pycountry and pip-tools). But both are packages that you generally never want in a requirements.txt (except maybe in VERY specific circumstances - and in those cases you probably want to vendor the versions you require instead of having them as package dependencies).
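The filtering pip-compile does with `--no-allow-unsafe` can be reproduced as a post-processing step over a compiled requirements.txt, which is one way to get the behaviour the issue asks for while a uv-side option is pending. The script below is an added example, not code from uv or pip-tools; it assumes pip-compile's output layout (backslash-continued `--hash` lines and indented `# via` comments under each pin), treats only `pip` and `setuptools` as unsafe by default, and runs on a constructed sample file with placeholder hashes.

```python
"""Post-process a compiled requirements.txt so that pins on "unsafe" packages
(pip, setuptools) are dropped and listed in the trailer comment pip-compile
writes with --no-allow-unsafe. Added example; not uv or pip-tools code."""
from __future__ import annotations

import re
from typing import Iterable, Iterator

# pip and setuptools are the two packages discussed in the issue; pass a
# different set to strip_unsafe() if you treat more packages as unsafe.
UNSAFE_PACKAGES = frozenset({"pip", "setuptools"})

_TRAILER = "# The following packages are considered to be unsafe in a requirements file:"
# Leading project name of a requirement line (PEP 508 name grammar).
_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 canonical form, so Setuptools, setup_tools and setuptools compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> str | None:
    """Return the project name a line pins, or None for comments, options and blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    match = _NAME_RE.match(stripped)
    return match.group(1) if match else None


def _blocks(lines: Iterable[str]) -> Iterator[list[str]]:
    """Group lines into logical blocks: a requirement plus its backslash-continued
    --hash lines and the indented '# via' comments pip-compile prints under it."""
    block: list[str] = []
    continued = False
    for raw in lines:
        line = raw.rstrip("\n")
        if block and (continued or line[:1] in (" ", "\t")):
            block.append(line)
        else:
            if block:
                yield block
            block = [line]
        continued = line.rstrip().endswith("\\")
    if block:
        yield block


def strip_unsafe(text: str, unsafe=UNSAFE_PACKAGES) -> tuple[str, list[str]]:
    """Drop every block that pins an unsafe package and list it in the trailer.
    Returns (new file contents, sorted canonical names that were removed)."""
    kept: list[str] = []
    removed: set[str] = set()
    for block in _blocks(text.splitlines()):
        name = requirement_name(block[0])
        if name is not None and normalize(name) in unsafe:
            removed.add(normalize(name))
        else:
            kept.extend(block)
    out = "\n".join(kept).rstrip("\n") + "\n"
    dropped = sorted(removed)
    if dropped:
        out += "\n" + _TRAILER + "\n" + "".join(f"# {n}\n" for n in dropped)
    return out, dropped


# Constructed sample in pip-compile --generate-hashes layout; hashes are placeholders.
SAMPLE = """\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --generate-hashes requirements.in
#
babel==2.14.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
    # via -r requirements.in
pip==24.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
    # via pip-tools
pip-tools==7.4.1 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
    # via -r requirements.in
setuptools==69.1.0 \\
    --hash=sha256:3333333333333333333333333333333333333333333333333333333333333333
    # via
    #   babel
    #   pip-tools
"""

if __name__ == "__main__":
    cleaned, dropped = strip_unsafe(SAMPLE)
    print(cleaned)
    print("removed:", dropped)
```

Whole blocks are removed rather than single lines so that a pin's `--hash` continuation lines and its `# via` comments go with it; otherwise a stray `--hash` line would make the file invalid for `pip install --require-hashes`. Name comparison goes through PEP 503 normalisation so spelling variants of the same project do not slip past the filter.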
FWIW, `--allow-unsafe` is becoming the default in the next major release of pip-compile: https://pip-tools.readthedocs.io/en/stable/#deprecations

> In the next major release, the --allow-unsafe behavior will be enabled by default (https://github.com/jazzband/pip-tools/issues/989). Use --no-allow-unsafe to keep the old behavior. It is recommended to pass --allow-unsafe now to adapt to the upcoming change.
Thanks for the additional context. If pip-compile is moving towards just including these by default perhaps we should continue to do so? It's more safe for us since we don't rely on these packages.
(We do already "include" these by default, unless I'm misunderstanding your comment.)
(edited to clarify)
In my opinion, uv has the right default behaviour, and soon pip-compile will have the right default behaviour too. If I were uv, I would implement https://github.com/astral-sh/uv/issues/1415 to let people do what they need to, and not change this. (Especially since if you are using uv, I think you have less of a need to mark pip and setuptools as unsafe)
Yeah, agreed.
Closing as "working as intended".