From c2f13f9468840aa5638b0beded2e80912a3708d4 Mon Sep 17 00:00:00 2001 From: Mathieu Kniewallner Date: Wed, 9 Oct 2024 18:26:07 +0200 Subject: [PATCH] docs(dependency-bots): mention PEP 723 + some improvements (#7819) ## Summary Renovate recently gained support for updating dependencies defined using PEP 723 (https://github.com/renovatebot/renovate/pull/31266). Since uv supports this format, I thought it could be nice to mention support for it in the integrations documentation as well. I took the occasion to make the page a bit more structured as well. ## Test Plan Ran Renovate on https://github.com/mkniewallner/renovate-pep723, which created https://github.com/mkniewallner/renovate-pep723/pull/2 that updates a dependency defined using PEP 723. But I'll re-run some tests again once the changes are released on Renovate cloud GitHub app just in case. --- docs/guides/integration/dependency-bots.md | 45 +++++++++++++++++++--- 1 file changed, 39 insertions(+), 6 deletions(-) diff --git a/docs/guides/integration/dependency-bots.md b/docs/guides/integration/dependency-bots.md index bef4d60c6d7d..3450e761aea2 100644 --- a/docs/guides/integration/dependency-bots.md +++ b/docs/guides/integration/dependency-bots.md @@ -1,9 +1,22 @@ # Dependency bots +It is considered best practice to regularly update dependencies, to avoid being exposed to +vulnerabilities, limit incompatibilities between dependencies, and avoid complex upgrades when +upgrading from a too old version. A variety of tools can help staying up-to-date by creating +automated pull requests. Several of them support uv, or have work underway to support it. + ## Renovate uv is supported by [Renovate](https://github.com/renovatebot/renovate). +!!! note + + Updating `uv pip compile` outputs such as `requirements.txt` is not yet supported. Progress can + be tracked + at [renovatebot/renovate#30909](https://github.com/renovatebot/renovate/issues/30909). + +### `uv.lock` output + Renovate uses the presence of a `uv.lock` file to determine that uv is used for managing dependencies, and will suggest upgrades to [project dependencies](../../concepts/dependencies.md#project-dependencies), @@ -16,7 +29,7 @@ dependencies) by enabling the [`lockFileMaintenance`](https://docs.renovatebot.com/configuration-options/#lockfilemaintenance) option: -```json5 title="renovate.json5" +```jsx title="renovate.json5" { $schema: "https://docs.renovatebot.com/renovate-schema.json", lockFileMaintenance: { @@ -25,12 +38,32 @@ option: } ``` -!!! note +### Inline script metadata + +Renovate supports updating dependencies defined using +[script inline metadata](../scripts.md/#declaring-script-dependencies). - `uv pip compile` outputs such as `requirements.txt` are not yet supported by Renovate. - Progress can be tracked at [renovatebot/renovate#30909](https://github.com/renovatebot/renovate/issues/30909). +Since it cannot automatically detect which Python files use script inline metadata, their locations +need to be explicitly defined using +[`fileMatch`](https://docs.renovatebot.com/configuration-options/#filematch), like so: + +```jsx title="renovate.json5" +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + pep723: { + fileMatch: [ + "scripts/generate_docs\\.py", + "scripts/run_server\\.py", + ], + }, +} +``` ## Dependabot -Support for uv is not yet available. Progress can be tracked at -[dependabot/dependabot-core#10039](https://github.com/dependabot/dependabot-core/issues/10039). +Support for uv is not yet available. Progress can be tracked at: + +- [dependabot/dependabot-core#10478](https://github.com/dependabot/dependabot-core/issues/10478) for + `uv.lock` output +- [dependabot/dependabot-core#10039](https://github.com/dependabot/dependabot-core/issues/10039) for + `uv pip compile` outputs