Files
uv/docs/guides/integration/dependency-bots.md
T
Mathieu Kniewallner fa116eff05 Mention cooldown and tweak inline script metadata in dependency bots documentation (#18230)
## Summary

Update [Dependency
bots](https://docs.astral.sh/uv/guides/integration/dependency-bots/)
documentation to mention how to set up dependency cooldown on
Renovate/Dependabot, to match what could be set in `exclude-newer`.

Also:
- updating configuration example for inline script metadata, as per
[this
documentation](https://docs.renovatebot.com/configuration-options/#managerfilepatterns),
`fileMatch` is deprecated, and `managerFilePatterns` should be used
instead -- the option supports both globs and regexes, so I've updated
the examples to highlight that globs can be used
- adding a note about Renovate not supporting lock files for inline
script metadata yet

## Test Plan

Rendered the documentation locally.

For all Renovate changes, tested locally using:
```shell
pnpx renovate --platform local
```

For Dependabot, I did not test it as I don't use it, so I've followed
the
[documentation](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-).
2026-03-02 09:18:39 -06:00

4.1 KiB

title, description
title description
Using uv with dependency bots A guide to using uv with dependency bots like Renovate and Dependabot.

Dependency bots

It is considered best practice to regularly update dependencies, to avoid being exposed to vulnerabilities, limit incompatibilities between dependencies, and avoid complex upgrades when upgrading from a too old version. A variety of tools can help staying up-to-date by creating automated pull requests. Several of them support uv, or have work underway to support it.

Renovate

uv is supported by Renovate.

uv.lock output

Renovate uses the presence of a uv.lock file to determine that uv is used for managing dependencies, and will suggest upgrades to project dependencies, optional dependencies and development dependencies. Renovate will update both the pyproject.toml and uv.lock files.

The lockfile can also be refreshed on a regular basis (for instance to update transitive dependencies) by enabling the lockFileMaintenance option:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  lockFileMaintenance: {
    enabled: true,
  },
}

Inline script metadata

Renovate supports updating dependencies defined using inline script metadata.

Since it cannot automatically detect which Python files use inline script metadata, their locations need to be explicitly defined using managerFilePatterns, like so:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  pep723: {
    managerFilePatterns: [
      "docs/build.py",
      "scripts/**/*.py",
    ],
  },
}

!!! note

Renovate does not yet support updating the lock file associated to the
script (https://github.com/renovatebot/renovate/issues/33591), so if you rely on this feature
for a script, the lock file will need to be manually updated.

Dependency cooldown

If you use exclude-newer option, it is recommended to also set the equivalent minimumReleaseAge option in Renovate, to avoid ending up with pull requests where uv would not be able to lock the dependencies.

For instance, if you've set exclude-newer to 1 week, you can set:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",

  // Enable only for PyPI.
  packageRules: [
    {
      matchDatasources: ["pypi"],
      minimumReleaseAge: "1 week",
    },
  ],

  // Or enable for every ecosystem.
  minimumReleaseAge: "1 week",
}

Dependabot

Dependabot has announced support for uv, but there are some use cases that are not yet working. See astral-sh/uv#2512 for updates.

Dependabot supports updating uv.lock files. To enable it, add the uv package-ecosystem to your updates list in the dependabot.yml:

version: 2

updates:
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"

Dependency cooldown

If you use exclude-newer option, it is recommended to also set the equivalent cooldown option in Dependabot, to avoid ending up with pull requests where uv would not be able to lock the dependencies.

For instance, if you've set exclude-newer to 1 week, you can set:

version: 2

updates:
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7