Pin Python requirements, dependency cooldowns#2989

Open
sethmlarson wants to merge 1 commit intopython:mainfrom
sethmlarson:pin-python-requirements

Conversation

@sethmlarson
Contributor

@sethmlarson sethmlarson commented Apr 23, 2026

Related to #2988. We also have many outstanding Dependabot PRs, so maybe even "weekly" is too often. Security updates will always get prioritized, so we don't have to worry too much about this time span being long.

I deleted uv.lock because it wasn't being used at all for deployment and appears to have been added accidentally? It was added in a seemingly unrelated README commit.

cc @JacobCoffee
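The "cooldown" idea in the comment above, as an added example that is not part of this PR or of the pythondotorg code base: a small Python check that takes a dependency's release history in the shape PyPI's JSON API returns it (constructed sample data here), lists the versions that have been published for at least N days, and lets a set of named security-fix versions bypass the wait, matching the point that security updates get prioritized. The release data, `NOW`, and the function names are assumptions for illustration.

```python
"""Added example (not code from this PR or the pythondotorg site): apply a
dependency "cooldown" to a package's release history, so that only versions
published at least N days ago are candidates for an update, while named
security-fix versions may bypass the wait.

SAMPLE_RELEASES is constructed data in the shape of the "releases" mapping
returned by PyPI's JSON API (version -> list of files, each carrying
"upload_time_iso_8601"); NOW is fixed so the example is reproducible.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SAMPLE_RELEASES: dict[str, list[dict[str, str]]] = {
    "2.3.0": [{"upload_time_iso_8601": "2026-03-01T12:00:00Z"}],
    "2.3.1": [{"upload_time_iso_8601": "2026-04-10T08:30:00Z"}],
    "2.4.0": [
        {"upload_time_iso_8601": "2026-04-21T09:00:00Z"},  # sdist
        {"upload_time_iso_8601": "2026-04-22T09:00:00Z"},  # wheel uploaded a day later
    ],
    "2.4.1": [],  # release with no files (e.g. fully yanked): never a candidate
}
NOW = datetime(2026, 4, 24, tzinfo=timezone.utc)  # assumed evaluation time


def _parse_ts(ts: str) -> datetime:
    # PyPI uses a trailing "Z"; older fromisoformat() only accepts "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _vkey(version: str) -> tuple[int, ...]:
    # Enough for the dotted-integer versions used here; real code should use
    # packaging.version.Version for PEP 440 ordering.
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def release_age(files: list[dict[str, str]], now: datetime) -> timedelta | None:
    """Age of a release measured from its newest file, or None if it has no files.

    Using the newest upload matters: a wheel added days after the sdist would
    otherwise make the release look older than it really is.
    """
    if not files:
        return None
    newest = max(_parse_ts(f["upload_time_iso_8601"]) for f in files)
    return now - newest


def eligible_versions(releases, cooldown_days, now=NOW, security_fixes=frozenset()):
    """Versions that cleared the cooldown (or are allowlisted), newest first."""
    cutoff = timedelta(days=cooldown_days)
    chosen = []
    for version, files in releases.items():
        age = release_age(files, now)
        if age is None:
            continue  # nothing to install, so nothing to wait for
        if version in security_fixes or age >= cutoff:
            chosen.append(version)
    return sorted(chosen, key=_vkey, reverse=True)


def pick_version(releases, cooldown_days, now=NOW, security_fixes=frozenset()):
    """Newest eligible version, or None when nothing has cleared the window."""
    eligible = eligible_versions(releases, cooldown_days, now, security_fixes)
    return eligible[0] if eligible else None


if __name__ == "__main__":
    print(pick_version(SAMPLE_RELEASES, 7))                            # 2.3.1
    print(pick_version(SAMPLE_RELEASES, 7, security_fixes={"2.4.0"}))  # 2.4.0
```

With a seven-day window the two-day-old 2.4.0 is skipped and 2.3.1 is chosen; flagging 2.4.0 as a security fix lets it through immediately, while a release with no files is never chosen regardless of the allowlist.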

@hugovk
Member

hugovk commented Apr 24, 2026

> I deleted uv.lock because it wasn't being used at all for deployment and appears to have been added accidentally? It was added in a seemingly unrelated README commit.

Add it to .gitignore?


Looks like this weekend's pip release will add experimental support for installing from pylock.toml! pypa/pip#13876

Not necessarily suggesting waiting for that, there may be some edges that need polish, and pip-compile is a very good way to lock right now.
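Pinning with pip-compile only helps if the resulting file is actually fully pinned and hash-locked, so here is an added example (not code from this PR or the pythondotorg repository) of a Python audit that walks a pip-compile-style requirements.txt, joins its backslash continuations, and flags requirements that are not `==` pinned, carry no `--hash`, or are editable installs that cannot be hash-verified. The sample requirements text is constructed, and `audit_requirements`, `logical_lines` and `Finding` are illustrative names.

```python
"""Added example (not code from the pythondotorg repo): audit a pip-compile
style requirements file for exact pins and sha256 hashes.

Assumes pip-compile's output layout: one requirement per logical line,
backslash continuations, "--hash=sha256:..." options and "# via" comments.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?P<extras>\[[^\]]*\])?(?P<spec>.*)$"
)
_PIN_RE = re.compile(r"^==\s*[A-Za-z0-9.!+_-]+$")  # exact '==' pin, no wildcard
_SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    requirement: str
    problem: str


def logical_lines(text: str) -> Iterator[str]:
    """Yield requirement lines with comments removed and continuations joined."""
    buf: list[str] = []
    for raw in text.splitlines():
        # pip's comment rule: '#' at line start or after whitespace
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield joined


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per problem; an empty list means fully pinned and hashed."""
    findings: list[Finding] = []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] in ("-e", "--editable"):
            findings.append(Finding(line, "editable install cannot be hash-verified"))
            continue
        if tokens[0].startswith("-"):
            continue  # other pip options (-r, --index-url, ...) are not requirements
        hashes = [t[len("--hash="):] for t in tokens if t.startswith("--hash=")]
        # drop the hash options and any environment marker after ';'
        req = " ".join(t for t in tokens if not t.startswith("--hash=")).split(";", 1)[0].strip()
        m = _REQ_RE.match(req)
        if m is None:
            findings.append(Finding(line, "could not parse requirement"))
            continue
        name, spec = m.group("name"), m.group("spec").strip()
        if not _PIN_RE.match(spec):
            findings.append(Finding(name, f"not pinned to an exact version (specifier {spec!r})"))
        if not hashes:
            findings.append(Finding(name, "no --hash; pip --require-hashes would refuse it"))
        elif not all(_SHA256_RE.match(h) for h in hashes):
            findings.append(Finding(name, "malformed or non-sha256 hash"))
    return findings


# Constructed sample in pip-compile's output layout (hash digests are fake).
SAMPLE_REQUIREMENTS = "\n".join([
    "#",
    "# This file is autogenerated by pip-compile with Python 3.12",
    "#",
    "certifi==2024.2.2 \\",
    "    --hash=sha256:" + "0123456789abcdef" * 4 + " \\",
    "    --hash=sha256:" + "fedcba9876543210" * 4,
    "    # via requests",
    "idna>=3.4",
    "    # via requests",
    "urllib3==2.2.1",
    "    # via requests",
    "-e git+https://example.invalid/demo.git#egg=demo",
])

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.requirement}: {f.problem}")
```

Run it over the committed file before `pip install --require-hashes -r requirements.txt` in a Dockerfile: the install would refuse the unhashed entries anyway, but the audit says which ones and why before the build fails.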

@JacobCoffee
Member

We use the uv.lock exclusively now (all of the old-style requirements.txt files were removed for this reason). It is used in Makefile targets for docs, etc.

What we could do is migrate the Dockerfiles over to uv sync --frozen.

Member

@JacobCoffee JacobCoffee left a comment


Dependabot changes +1, the rest needs to be undone.

@sethmlarson
Contributor Author

@JacobCoffee Gotcha, I didn't realize it was used because it wasn't used in the Dockerfiles. I didn't look in the Makefile. I'll update this PR to use uv sync instead.


3 participants