Add dependabot support

[mjclarke94]

I'm not quite sure on whether this is a rye or a uv issue, but it would be broadly useful to have dependabot understand rye/uv backed projects as a target for dependabot updates. The current known targets are pip and poetry (which you leave as pip, they just have support for a poetry-style pyproject file).

Whether there is some way of tricking dependabot using the pip compatibility layer, or if it's better to have bespoke handlers I'm not sure!

[zanieb]

We don't have a lockfile standard here at uv so I think that the pip dependabot backend should just work? I'm not sure there's more for us to do at this time. This seems more relevant for rye.

[mjclarke94]

Fair enough! As a secondary point, it might be useful to work with the dependabot maintainers to allow them to use uv for dependency resolution. We have some repositories which dependabot times out trying to solve, and uv solves pretty much instantaneously.

Given they explicitly support poetry (including generating a lock file), there's definitely precedent for it, and the goal of pip compatibility means that this could just be a straight swap in some repositories.

[notatallshaw]

We have some repositories which dependabot times out trying to solve, and uv solves pretty much instantaneously.

Do you have a concrete example?

Not uv related, but I have a significant improvement to Pip's resolution for complex backtracking cases (https://github.com/notatallshaw/pip/tree/prefer-conflicting-causes), and it would be good to know as many real world cases it solves or not.

[avilaton]

I tried spending a little time on this today and got some feedback from dependabot's CI here https://github.com/dependabot/dependabot-core/actions/runs/9581241755/job/26417616046

One error appears to be easy to fix, there is a check to control that there is an error trying to install a dependency that should fail.

The other I have to look into but here is the message we get from uv when dependabot tries to use it as a direct replacement for pip-compile

"error: invalid value 'pyyaml==6.0.1' for '--upgrade-package <UPGRADE_PACKAGE>': Not a valid package or extra name: \"pyyaml==6.0.1\". Names must start and end with a letter or digit and may only contain -, _, ., and alphanumeric characters.\n\nFor more information, try '--help'."

[avilaton]

Made a bit more progress and found that there is an existing issue here to fix what I encountered above #1964, writing it down for future generations.

[avilaton]

The above issue is solved, one step closer! We are now blocked with a tiny header difference issue #5031 which is already merged and will be out with next release, thanks @skshetry .

I've mentioned it in another issue but I'm holding from the autogenerated by uv string in the header to swap pip-compile for uv pip compile for the lack of any better idea and since the header still receives updates, I'd like for this to be taken into account.

[skshetry]

Another alternative could to be parse the compile_command. That is what renovatebot does.

[albertferras-vrf]

Is there any update on this or an estimate on when uv will support dependabot? I can see the issues you mentioned @avilaton are resolved.

[avilaton]

Is there any update on this or an estimate on when uv will support dependabot? I can see the issues you mentioned @avilaton are resolved.

I think the uv side of it is done, but need help adding more test coverage on the dependabot PR I submitted and haven't had time to do it. If you have time please have a look at it, all help is welcome!

[danieleades]

Maybe I'm reading it wrong but this issue seems to have evolved a little after it was originally created.
I'm blocked from adopting UV until dependably supports bumping dev dependencies. Is this supported? Is support coming?

[zanieb]

See #6236 — basically it's not supported yet. I think they're working on it still. Renovate supports this.

[jonjanego]

👋 from the GitHub Dependabot team. There's a PR in dependabot-core that aims to help support uv. @zanieb in case you didn't notice the tag there, i'm pinging you here to see if you could take a look :)

Thanks!