uv pip autoupdate? #12322

Open
gtkacz opened this issue Mar 19, 2025 · 8 comments
Labels
question Asking for clarification or support

Comments

@gtkacz

gtkacz commented Mar 19, 2025

Question

Is there a way to run a command through uv to "autoupdate" (bump to the latest version conforming to the constraints, like what dependabot does) in a pip environment?

Platform

Linux 5.15.167.4-microsoft-standard-WSL2 x86_64 GNU/Linux

Version

uv 0.6.8 (c1ef482 2025-03-18)

@gtkacz gtkacz added the question Asking for clarification or support label Mar 19, 2025
@FishAlchemist
Contributor

I believe this request is associated with this issue

@notatallshaw
Collaborator

notatallshaw commented Mar 20, 2025

FWIW, if you're using a pip workflow, this is the purpose of the uv pip compile:

  1. Define your unpinned requirements in a requirements.in
  2. Compile them to a requirements.txt, e.g. uv pip compile --upgrade requirements.in -o requirements.txt
  3. Sync your environment with the upgraded requirements uv pip sync requirements.txt

You can write a small script to turn this into a single command, with various options you may prefer. I believe uv pip compile also supports implicitly extracting the requirements out of a pyproject.toml.

@gtkacz
Author

gtkacz commented Mar 24, 2025

@notatallshaw thing is, I need some of the dependencies pinned due to vulnerabilities detected by Snyk

@notatallshaw
Collaborator

notatallshaw commented Mar 24, 2025

> @notatallshaw thing is, I need some of the dependencies pinned due to vulnerabilities detected by Snyk

In the workflow I describe above, all dependencies and transitive dependencies are pinned in the requirements.txt. If you need to constrain what versions a particular package can be pinned to, then you define those constraints in the requirements.in.
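
The compile-and-sync procedure and the requirements.in constraints described in the two comments above, wrapped into one command that also reports which pins moved. This is an added example, not part of the thread or the uv project's own code; the function names, the DRY_RUN variable and the sample requirements.in entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the uv project. Function names and DRY_RUN are
# hypothetical. A constructed requirements.in might look like:
#   somepkg            # unpinned: resolves to the latest release
#   otherpkg>=1.2.3    # constructed floor, e.g. the fixed version a scanner reports

# run CMD...: echo the command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# pins_changed OLD NEW: list pins that differ between two compiled files.
# Only "name==version" lines count; comments, "# via" notes, --hash
# continuation lines and environment markers are ignored.
pins_changed() {
    awk '
        /^[A-Za-z0-9._-]+==/ {
            split($1, kv, "==")
            name = tolower(kv[1]); ver = kv[2]
            sub(/;.*/, "", ver)
            if (FILENAME == ARGV[1]) old[name] = ver
            else new[name] = ver
        }
        END {
            for (n in new) {
                if (!(n in old)) print n ": added " new[n]
                else if (old[n] != new[n]) print n ": " old[n] " -> " new[n]
            }
            for (n in old) if (!(n in new)) print n ": removed " old[n]
        }
    ' "$1" "$2" | sort
}

# uv_autoupdate [IN] [OUT]: recompile with --upgrade, report pin changes, sync.
uv_autoupdate() {
    src=${1:-requirements.in}
    lock=${2:-requirements.txt}
    [ -f "$src" ] || { echo "missing $src" >&2; return 2; }
    prev=$(mktemp) || return 1
    if [ -f "$lock" ]; then cp "$lock" "$prev"; fi
    run uv pip compile --upgrade "$src" -o "$lock" || { rm -f "$prev"; return 1; }
    if [ -f "$lock" ]; then pins_changed "$prev" "$lock"; fi
    rc=0
    run uv pip sync "$lock" || rc=$?
    rm -f "$prev"
    return "$rc"
}
```

After sourcing the file, `DRY_RUN=1 uv_autoupdate requirements.in requirements.txt` prints the two uv commands without running them.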

@konstin
Member

konstin commented Mar 28, 2025

> @notatallshaw thing is, I need some of the dependencies pinned due to vulnerabilities detected by Snyk

How do you currently define what you install in the venv, and how does snyk interact with that?

@gtkacz
Author

gtkacz commented Mar 28, 2025

@konstin Snyk itself will create PRs pinning versions to avoid vulnerabilities, e.g.: https://github.com/gtkacz/temporal_adjusters_py/pull/34/files

@konstin
Member

konstin commented Mar 28, 2025

You can use uv pip install --upgrade requirements_dev.txt, this will update all direct dependencies listed and their transitive dependencies, too.

@gtkacz
Author

gtkacz commented Mar 28, 2025

@konstin that will do it only on the env, no? I was looking for a command that would update the requirements file itself

4 participants