Error on lockfiles with incoherent wheel versions #12235
Conversation
| })); | ||
| } | ||
| } | ||
| // We can't check the source dist version since it does not need to contain the version |
There was a problem hiding this comment.
We should always have at least one wheel enabling us to catch the inconsistency?
There was a problem hiding this comment.
Not necessarily, for example:
dependencies = [
"sniffio",
]
[tool.uv.sources]
sniffio = { path = "sniffio.tar.gz" }uv.lock:
[[package]]
name = "sniffio"
version = "1.3.1"
source = { path = "sniffio.tar.gz" }
sdist = { hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc" }In this case, it's not possible to determine from the lockfile alone whether there is an inconsistency.
There was a problem hiding this comment.
I've added another commit that catches all mismatches between locked source dist version and the built wheel versions at build time. This would enforce stricter guarantees than we require right now, CC @charliermarsh
There was a problem hiding this comment.
As an example:
[[package]]
name = "sniffio"
version = "2.3.4"
source = { url = "https://files.pythonhosted.org/packages/a2/87/a6771e1546d97e7e041b6ae58d80074f81b7d5121207425c964ddf5cfdbd/sniffio-1.3.1.tar.gz" }
sdist = { hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc" }With this last commit fails with:
× Failed to download and build `sniffio @
│ https://files.pythonhosted.org/packages/a2/87/a6771e1546d97e7e041b6ae58d80074f81b7d5121207425c964ddf5cfdbd/sniffio-1.3.1.tar.gz`
╰─▶ Package metadata version `1.3.1` does not match given version `2.3.4`
help: `sniffio` was included because `foo` (v0.1.0) depends on `sniffio`
The potential clash could be with git dependencies that use a version-from-git integration.
There was a problem hiding this comment.
Moved this to a separate PR: #12237
| Caused by: Locked package and file versions are inconsistent for `iniconfig` | ||
| "); | ||
|
|
||
| // Without `--locked`, we could fail or recreate the lockfile, currently, we fail. |
There was a problem hiding this comment.
Would a user find this surprising? I think I'd assume uv will create a correct lockfile when running uv lock. And it might not be clear to a user what action they should take next if they see this error.
I guess it partially depends on what "If a lockfile is present, its contents will be used as preferences for the resolution" from the docs for uv lock means. Does that mean we try to use those preferences, but override them if necessary?
There was a problem hiding this comment.
Currently, we fail on all kinds of parsing errors with lockfile. For example, an empty uv.lock fails:
$ uv lock
error: Failed to parse `uv.lock`
Caused by: TOML parse error at line 1, column 1
|
1 |
| ^
missing field `version`
As does a lockfile where I removed the source line:
$ uv lock
error: Failed to parse `uv.lock`
Caused by: TOML parse error at line 16, column 1
|
16 | [[package]]
| ^^^^^^^^^^^
missing field `source`
We can try to be better about recovering from a broken lockfile, but that's outside of the scope of the PR (uv would never write such a lockfile, and with this change, uv will refuse to sync a broken dependabot PR, failing CI). For comparison, in cases where the lockfile is not invalid but doesn't fully match in a non-version anymore, e.g., the environments changed, we for example only reuse the versions as preference but not the full lockfile (ValidatedLock enumerates the cases).
Reject lockfiles where the package version and the wheel versions are incoherent. This implicitly checks that all wheel files have the same version. It does not check for the source dist version, since a source dist may not contain a version in the filename and attempting to deserialize source dist filenames we may not need is a performance overhead for something that's already slow in `uv run`. Fixes #12164
konstin
force-pushed
the
konsti/locked-version-coherence
branch
from
36e4181 to
eb6dcc0
Compare
|
Does this mean that Dependabot updates will lead to hard uv errors? (I understand that, at least the linked issue, what they're doing today may not be sound.) |
|
I think so, at least making PRs with this logic without updating source dist and wheels accordingly will lead to broken lockfiles: https://github.com/dependabot/dependabot-core/blob/1cd6fc59d7dae25d46255550528dd056c97c46d8/uv/lib/dependabot/uv/file_updater/lock_file_updater.rb#L111-L120. We currently accept those lockfile changes, but they don't do semantically what the PR diff would suggest (they don't actually upgrade the version). Other commenters at dependabot/dependabot-core#10478 have noted that dependabot can produce lockfiles broken under |
|
As a user and developer I want uv to explode if dependabot maims my lockfile so I know about it and so I can raise issues with dependabot. |
Yep that's my lockfile, and they certainly do currently break them (tysm for |
| if version != &wheel.filename.version { | ||
| return Err(LockError::from(LockErrorKind::InconsistentVersions { | ||
| name: self.id.name, | ||
| })); |
There was a problem hiding this comment.
Can we show the versions in the error here? Like "packaged version {} does not match {} from wheel {}"?
zanieb
changed the title
|
This seems to have caused some problems with the flash-attn wheels. Now causes Not sure if there is a better way to configure usage of these wheels. |
|
Ah thanks, we can fix that. |
`uv 0.6.6` adds a hard error when the version of the package in `uv.lock` does not match the one declared in the editable wheel: astral-sh/uv#12235. `release-please` doesn't update the lock files automatically, so release PRs needed a manual lock update. This PR adds the lockfile as an `extra-file`, to avoid this manual step. Note that the _jsonpath_ in the config is not technically correct, as release-please's json array filters don't quite work for toml files. See googleapis/release-please#2455, which includes this hacky workaround.
Reject lockfiles where the package version and the wheel versions are incoherent. This implicitly checks that all wheel files have the same version.
It does not check for the source dist version, since a source dist may not contain a version in the filename and attempting to deserialize source dist filenames we may not need is a performance overhead for something that's already slow in
uv run.Fixes #12164
See also #12254