Dependabot for uv projects?
Posted by NoCap738@reddit | Python | 20 comments
Hello!
I'm looking to integrate a dependency bot into my uv project. uv's dependency-bots page mentions both Renovate and Dependabot. I'm leaning toward using Dependabot, as GitHub's integration with it is simple and obvious, but I see that Dependabot is not yet stable with uv.
My question to the community here: Are you using Dependabot for your uv projects? How has your experience with it been?
Intrepid-Stand-8540@reddit
I recommend Renovate Bot instead of Dependabot.
Dependabot only works for GitHub afaik, so if you ever want to change to another platform like GitLab or something, you might as well choose the one that works everywhere.
Renovate Bot is working great for my uv project.
Salty-Swim3630@reddit
"if you ever want to ...." the greatest reason to overcomplicate things in software development.
lady_berserker@reddit
We have dependabot set up on our github repo, using uv with a pyproject.toml and it works fine and covers what we need. I haven't tested Renovate bot though.
aj4ayushjain@reddit
Do we need to track .python-version files as well in order for dependabot to work correctly? As mentioned in the open issue here https://github.com/dependabot/dependabot-core/issues/13858
Anru_Kitakaze@reddit
We use renovate in our company because we use our own infrastructure and gitlab. Not possible with dependabot as far as I know
I use it for go stack, and experience is great - a lot of config options and it's pretty stable. Can highly recommend
Can't say much about dependabot tho since I've never worked professionally in a public repo on GitHub. Always company's gitlab
JimDabell@reddit
Dependabot is practically abandoned, isn’t it? Look at how long it took them to finally fix this issue with uv.lock files – not when it was closed, but when it was actually fixed!
badkaseta@reddit
dependabot crashes or times out for most of my repositories. I created issues with bug reports and received zero response after months. Got tired of crashes and nonexistent support and migrated to renovatebot
ImpactStrafe@reddit
Much prefer renovate over dependabot.
Many more configuration options. Can run on your own infra. Isn't limited to the managers GitHub provides. And is just a much better experience.
NoCap738@reddit (OP)
What's the advantage of running on own infra? Security-wise or more about the limits
ImpactStrafe@reddit
Access to private repos/container registries. Authentication.
Overall limits.
Caching and other improvements that can be done in your own infra.
vacaaa@reddit
Dependabot can be a bit of a diva with project setups, but if your UV projects use pyproject.toml for dependency management, it should work smoothly; for added flexibility, consider pairing it with Renovate Bot, which supports multiple platforms and can save you some headaches later on.
chinapandaman@reddit
If your uv installs dependencies via pyproject.toml, dependabot should work fine with it. I have this exact setup for my project.
rzet@reddit
does it bump uv.lock on mainstream github?
our corpo instance is broken.
chinapandaman@reddit
For anyone interested.
You need both an upper and a lower bound for your dependencies.
And here is a PR created by dependabot: https://github.com/chinapandaman/PyPDFForm/pull/1422/changes
Note I have my upper bound rather loose because I'm building a library. If you are building an application/service, you should probably have it more strict.
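As an added example (not from the thread above, the linked PR, or Dependabot's own documentation), this is the shape of `.github/dependabot.yml` that the "uv with a pyproject.toml" setup described in these comments implies. It assumes Dependabot's `uv` package-ecosystem (the not-yet-stable support the OP refers to) and a single project at the repository root; the schedule, PR limit, labels and the group name are choices for illustration, not requirements.

```yaml
# .github/dependabot.yml (added example; values are illustrative assumptions)
version: 2
updates:
  - package-ecosystem: "uv"     # assumed: Dependabot's uv ecosystem (reads pyproject.toml + uv.lock)
    directory: "/"              # assumed: project lives at the repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    groups:
      # Batch minor and patch bumps into one PR; majors still arrive as
      # separate PRs so a breaking upgrade gets its own review and CI run.
      minor-and-patch:
        update-types: ["minor", "patch"]
```

Whatever the bounds in pyproject.toml, treat each bot PR as you would any other dependency change: read the diff of uv.lock, check that CI ran against the new versions, and merge only after review, since a dependency bump is code you did not write entering your build.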
shadowdance55@reddit
For libraries, it's better to keep your dependencies unbound on top. https://iscinumpy.dev/post/bound-version-constraints/
chinapandaman@reddit
That’s a negative for this specific library I’m building as I have had many past occasions where a major version bump in my dependencies broke a large set of my tests. This is largely the reason why I need upper bounds and have dependabot create PRs for dependency major version bumps.
Vresa@reddit
I use dependabot professionally and personally, both with poetry and uv projects. Haven’t had any issues (that weren’t my obvious fault) in many years with either.
Always verify dependabot things, obviously, as you should with any dependency change PR - but anecdotally, I can’t think of a day-to-day issue that would have me caution against it.
reidhoch@reddit
I use it in my personal and work projects, works fine for me.
yishai87@reddit
I’ve been recently exploring this idea too so I’m interested to see what others are doing and how it is working for their projects!
totheendandbackagain@reddit
Great question. I'd love to know the answer too.