Support python uv as pip-compile compatible replacement

[avilaton]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

We are trying to draft support for using https://github.com/astral-sh/uv as a replacement for pip-tools in dependabot.

The reason for this is that uv is much faster and many projects have already started switching to it. UV is a pip-tools compatible replacement written in rust.

If we are lucky, it should be as easy as changing pip-compile --stuff for uv pip compile --stuff and adding uv as one of the python helpers requirements.

[edgarrmondragon]

I think #10040 is ready for a review by the maintainers 🙂

[mistercrunch]

Linking my comment here astral-sh/uv#5487 (comment) around supporting multi-synchronized-outputs, which I think is super relevant to the uv/dependabot integration.

[EdmundGoodman]

In the related issue #10478, I have just but the following comment on a work-around for getting fairly similar functionality to Dependabot in the meantime before this issue is resolved:

This has also blocked us, so +1 for prioritising this.

As a stopgap in the meantime, I've hacked together a small GitHub Actions workflow which provides fairly similar functionality to unblock our project whilst we wait. A small demo is available here https://github.com/EdmundGoodman/update-bot if it is helpful to anyone else.

It slightly differs from dependabot in that it makes a PR on a cron schedule if any dependency can be updated rather than whenever a security vulnerability is found, but is good enough for us for now. It differs from other workflows I've seen in this thread, as it PRs rather than just directly committing to main which could break things.

This might require a tiny bit of modification to work with uv pip compile, but the general idea is the same so thought I'd also mention it here in case it can help anyone.

[abdulapopoola]

Let's use #10478 to track this conversation. Closing this as a duplicate.

[alex]

It may look like a duplicate, but it's not.

uv has two "modes", one is its own one, which uses uv.lock and is tracked in #10478. This issue concerns using uv pip compile, which produces requirements.txt files which are identical in structure to what pip-compile produces.

[abdulapopoola]

thanks for the clarification @alex

We're currently planning towards our upcoming quarter and one potential item for our roadmap is supporting uv as a full-fledged standalone ecosystem (i.e. providing support for all uv modes). Having a single issue to consolidate all discussions makes it easier for us to factor into plannning.

[alex]

Given that, I suggest titling that issue accordingly, right now it indicates a scope that does not encompass what this issue is about.

I don't work on dependabot, so y'all will know better than me, but based on my experience in the Python ecosystem, I think it's highly likely to be the case that there's almost no overlap in the engineering beteween supporting uv for updating uv.lock and supporting it for uv pip compile.