# Dependency bots

It is considered best practice to regularly update dependencies: it avoids exposure to known vulnerabilities, limits incompatibilities between dependencies, and avoids the complex upgrades that result from moving off a version that has become too old. A variety of tools can help you stay up to date by creating automated pull requests. Several of them support uv, or have work underway to support it.
## Renovate

uv is supported by Renovate.

### uv.lock output

Renovate uses the presence of a `uv.lock` file to determine that uv is used for managing dependencies, and will suggest upgrades to project dependencies, optional dependencies and development dependencies. Renovate will update both the `pyproject.toml` and `uv.lock` files.
The lockfile can also be refreshed on a regular basis (for instance to update transitive dependencies) by enabling the `lockFileMaintenance` option:

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  lockFileMaintenance: {
    enabled: true,
  },
}
```
### Inline script metadata

Renovate supports updating dependencies defined using inline script metadata. Since it cannot automatically detect which Python files use inline script metadata, their locations need to be explicitly defined using `managerFilePatterns`, like so:

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  pep723: {
    managerFilePatterns: [
      "docs/build.py",
      "scripts/**/*.py",
    ],
  },
}
```
> **Note:** Renovate does not yet support updating the lock file associated with a script (https://github.com/renovatebot/renovate/issues/33591), so if you rely on this feature for a script, its lock file must be updated manually.
### Dependency cooldown

If you use the `exclude-newer` option, it is recommended to also set the equivalent `minimumReleaseAge` option in Renovate, so that you do not end up with pull requests proposing versions that uv would refuse to lock because they are newer than the cutoff.

For instance, if you've set `exclude-newer` to 1 week, you can set:

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  // Enable only for PyPI.
  packageRules: [
    {
      matchDatasources: ["pypi"],
      minimumReleaseAge: "1 week",
    },
  ],
  // Or enable for every ecosystem.
  minimumReleaseAge: "1 week",
}
```
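The same consistency requirement applies to Dependabot's cooldown below. As an added example (not part of the uv, Renovate or Dependabot projects), the following check verifies that a bot's cooldown is at least as long as uv's `exclude-newer` window, so every version the bot proposes is old enough for uv to lock; it assumes `exclude-newer` is written either as a relative duration such as "1 week" or as an RFC 3339 timestamp, and the duration parser is a hypothetical simplification of the real tools' syntax.

```python
"""Check that a dependency bot's cooldown covers uv's exclude-newer window."""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical duration grammar: "<n> <unit>[s]". Months/years are approximated.
_UNITS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*(second|minute|hour|day|week|month|year)s?\s*$")


def parse_duration(text: str) -> timedelta:
    """Parse '1 week', '3 days', '24 hours' into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def exclude_newer_window(value: str, now: datetime) -> timedelta:
    """Size of the 'too new to lock' window implied by an exclude-newer setting.

    A relative duration is the window itself; an RFC 3339 timestamp excludes
    everything published after it, so the window is the age of that cutoff
    (and keeps growing as time passes, which is why a fixed bot cooldown will
    eventually stop covering it)."""
    try:
        return parse_duration(value)
    except ValueError:
        cutoff = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if cutoff.tzinfo is None:
            cutoff = cutoff.replace(tzinfo=timezone.utc)
        return now - cutoff


def cooldown_is_sufficient(exclude_newer: str, bot_cooldown: str, now=None) -> bool:
    """True when the bot never proposes a version uv would exclude, i.e. the
    bot's cooldown (Renovate minimumReleaseAge / Dependabot cooldown) is at
    least as long as uv's exclusion window."""
    now = now or datetime.now(timezone.utc)
    return parse_duration(bot_cooldown) >= exclude_newer_window(exclude_newer, now)


if __name__ == "__main__":
    # Constructed settings mirroring the page's "1 week" example.
    print(cooldown_is_sufficient("1 week", "1 week"))  # matching windows: fine
    print(cooldown_is_sufficient("1 week", "3 days"))  # bot may propose versions uv rejects
```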
## Dependabot

Dependabot has announced support for uv, but there are some use cases that are not yet working. See astral-sh/uv#2512 for updates.

Dependabot supports updating `uv.lock` files. To enable it, add the `uv` package-ecosystem to your `updates` list in the `dependabot.yml`:

```yaml
version: 2
updates:
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
```
### Dependency cooldown

If you use the `exclude-newer` option, it is recommended to also set the equivalent `cooldown` option in Dependabot, so that you do not end up with pull requests proposing versions that uv would refuse to lock because they are newer than the cutoff.

For instance, if you've set `exclude-newer` to 1 week, you can set: