
uv ecosystem support for versioning-strategy

Open jlucas91 opened this issue 8 months ago • 3 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Feature description

As part of the ongoing rollout of uv support in dependabot, I would like to request the addition of support for versioning-strategy. The default behavior of dependabot is, IMHO, non-ideal. Bumping a dependency without updating the minimum bound could result in an unexpected downgrade of a package later, which may no longer be compatible. The increase versioning-strategy has been immensely helpful during our usage of poetry and, having migrated to uv, we'd deeply appreciate support for the behavior in the new ecosystem.

jlucas91 · Apr 28 '25 18:04

I think this is somewhat similar to https://github.com/dependabot/dependabot-core/issues/12788

phillipuniverse · Aug 07 '25 17:08

@gmyrianthous versioning-strategy is supported in uv. I'll make sure our docs reflect that

Originally posted by @robaiken in #12609

I think this is just pending a docs update.

astrojuanlu · Dec 06 '25 09:12

For what it's worth, I ended up writing a custom tool for bumping versions that can work around these Dependabot peculiarities (and similar Renovate problems). The ganzua tool can be installed from PyPI, but it is a pure command-line tool, not a GH Action.

You can create your own GH Action workflow that runs after Dependabot creates a PR:

  1. uvx ganzua==0.3.0 constraints bump to update the constraints in your pyproject.toml to be at least the locked version (corresponds to versioning-strategy: increase). docs
  2. uv lock to ensure that the lockfile is in sync with the new constraints, shouldn't change any dependencies
  3. uvx ganzua==0.3.0 diff <(git show ${{ github.base_ref }}:uv.lock) uv.lock --format=markdown to print out a Markdown table of the actual dependency changes (not just the changes that Dependabot intended to make, compare issues like https://github.com/dependabot/dependabot-core/issues/12012). May require a git fetch ${{ github.base_ref }} first, so that git show can retrieve the old lockfile state. docs
  4. commit and push the pyproject.toml/uv.lock changes to the PR

I've been using this kind of assistance for various non-public projects using uv and Poetry. Not quite as good as native support, but vastly preferable to the unexpected changes, conflicts, or downgrades that Dependabot sometimes produces.

latk · Dec 06 '25 12:12
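The four-step workflow described in the comment above, written out as a hypothetical GitHub Actions file (an added example, not code from the thread or from the ganzua project). It assumes `astral-sh/setup-uv` for installing uv, uses `FETCH_HEAD` rather than `${{ github.base_ref }}` directly so `git show` works on a shallow checkout, and passes the base ref through an environment variable instead of interpolating it into the shell.

```yaml
# Hypothetical workflow: runs on Dependabot PRs, raises the lower bounds in
# pyproject.toml to the locked versions, re-locks, reports the real lockfile
# delta in the job summary, and pushes the result back to the PR branch.
name: dependabot-uv-bump

on:
  pull_request:
    branches: [main]

# Assumption: Dependabot-triggered runs start with a read-only GITHUB_TOKEN,
# so the push in the last step needs `contents: write` granted here.
permissions:
  contents: write

jobs:
  bump-constraints:
    # Only act on PRs opened by Dependabot itself.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}   # check out the PR branch so we can push to it

      - uses: astral-sh/setup-uv@v5

      # Step 1: every constraint becomes at least the version now in uv.lock
      # (the equivalent of versioning-strategy: increase).
      - run: uvx ganzua==0.3.0 constraints bump

      # Step 2: bring uv.lock in sync with the raised constraints.
      - run: uv lock

      # Step 3: diff the base branch's lockfile against the new one. The
      # fetch is required because the checkout above only has the PR branch.
      - env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          git fetch --depth=1 origin "$BASE_REF"
          uvx ganzua==0.3.0 diff <(git show FETCH_HEAD:uv.lock) uv.lock --format=markdown \
            >> "$GITHUB_STEP_SUMMARY"

      # Step 4: commit and push only when the bump actually changed a file.
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add pyproject.toml uv.lock
          git diff --cached --quiet || {
            git commit -m "chore: raise lower bounds to locked versions"
            git push
          }
```

Pushes made with `GITHUB_TOKEN` do not trigger further workflow runs, so the PR's normal checks will not re-run on the bump commit unless you push with a separate token.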