Files
uv/docs/guides/integration/dependency-bots.md
T
Mathieu Kniewallner fa116eff05 Mention cooldown and tweak inline script metadata in dependency bots documentation (#18230)
## Summary

Update [Dependency
bots](https://docs.astral.sh/uv/guides/integration/dependency-bots/)
documentation to mention how to set up dependency cooldown on
Renovate/Dependabot, to match what could be set in `exclude-newer`.

Also:
- updating configuration example for inline script metadata, as per
[this
documentation](https://docs.renovatebot.com/configuration-options/#managerfilepatterns),
`fileMatch` is deprecated, and `managerFilePatterns` should be used
instead -- the option supports both globs and regexes, so I've updated
the examples to highlight that globs can be used
- adding a note about Renovate not supporting lock files for inline
script metadata yet

## Test Plan

Rendered the documentation locally.

For all Renovate changes, tested locally using:
```shell
pnpx renovate --platform local
```

For Dependabot, I did not test it as I don't use it, so I've followed
the
[documentation](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-).
2026-03-02 09:18:39 -06:00

134 lines
4.1 KiB
Markdown

---
title: Using uv with dependency bots
description: A guide to using uv with dependency bots like Renovate and Dependabot.
---
# Dependency bots
It is considered best practice to regularly update dependencies, to avoid being exposed to
vulnerabilities, limit incompatibilities between dependencies, and avoid complex upgrades when
upgrading from a too old version. A variety of tools can help staying up-to-date by creating
automated pull requests. Several of them support uv, or have work underway to support it.
## Renovate
uv is supported by [Renovate](https://github.com/renovatebot/renovate).
### `uv.lock` output
Renovate uses the presence of a `uv.lock` file to determine that uv is used for managing
dependencies, and will suggest upgrades to
[project dependencies](../../concepts/projects/dependencies.md#project-dependencies),
[optional dependencies](../../concepts/projects/dependencies.md#optional-dependencies) and
[development dependencies](../../concepts/projects/dependencies.md#development-dependencies).
Renovate will update both the `pyproject.toml` and `uv.lock` files.
The lockfile can also be refreshed on a regular basis (for instance to update transitive
dependencies) by enabling the
[`lockFileMaintenance`](https://docs.renovatebot.com/configuration-options/#lockfilemaintenance)
option:
```jsx title="renovate.json5"
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
lockFileMaintenance: {
enabled: true,
},
}
```
### Inline script metadata
Renovate supports updating dependencies defined using
[inline script metadata](../scripts.md/#declaring-script-dependencies).
Since it cannot automatically detect which Python files use inline script metadata, their locations
need to be explicitly defined using
[`managerFilePatterns`](https://docs.renovatebot.com/configuration-options/#managerfilepatterns),
like so:
```jsx title="renovate.json5"
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
pep723: {
managerFilePatterns: [
"docs/build.py",
"scripts/**/*.py",
],
},
}
```
!!! note
Renovate does not yet support updating the lock file associated to the
script (https://github.com/renovatebot/renovate/issues/33591), so if you rely on this feature
for a script, the lock file will need to be manually updated.
### Dependency cooldown
If you use [`exclude-newer`](../../reference/settings.md#exclude-newer) option, it is recommended to
also set the equivalent
[`minimumReleaseAge`](https://docs.renovatebot.com/configuration-options/#minimumreleaseage) option
in Renovate, to avoid ending up with pull requests where uv would not be able to lock the
dependencies.
For instance, if you've set `exclude-newer` to `1 week`, you can set:
```jsx title="renovate.json5"
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
// Enable only for PyPI.
packageRules: [
{
matchDatasources: ["pypi"],
minimumReleaseAge: "1 week",
},
],
// Or enable for every ecosystem.
minimumReleaseAge: "1 week",
}
```
## Dependabot
Dependabot has announced support for uv, but there are some use cases that are not yet working. See
[astral-sh/uv#2512](https://github.com/astral-sh/uv/issues/2512) for updates.
Dependabot supports updating `uv.lock` files. To enable it, add the uv `package-ecosystem` to your
`updates` list in the `dependabot.yml`:
```yaml title="dependabot.yml"
version: 2
updates:
- package-ecosystem: "uv"
directory: "/"
schedule:
interval: "weekly"
```
### Dependency cooldown
If you use [`exclude-newer`](../../reference/settings.md#exclude-newer) option, it is recommended to
also set the equivalent
[`cooldown`](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-)
option in Dependabot, to avoid ending up with pull requests where uv would not be able to lock the
dependencies.
For instance, if you've set `exclude-newer` to `1 week`, you can set:
```yaml title="dependabot.yml"
version: 2
updates:
- package-ecosystem: "uv"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
```