uv pip compile always upgrades already pinned vcs dependencies

[sbidoul]

Summary

I'm toying with pylock.toml these days, and I noticed the following problem with vcs dependencies while looking at replacing my pip-deepfreeze requirements.txt workflow with pylock.toml.

Assume the following pyproject.toml with one regular dependency and one vcs dependency:

[project]
name = "test"
version = "1.0"
dependencies = ["pip-test-package", "packaging"]

[tool.uv.sources]
pip-test-package = { git = "https://github.com/pypa/pip-test-package"}

and the following pylock.toml where non-current versions are pinned:

# This file was autogenerated by uv via the following command:
#    uv pip compile pyproject.toml -o pylock.toml
lock-version = "1.0"
created-by = "uv"
requires-python = ">=3.14"

[[packages]]
name = "packaging"
version = "24.2"
sdist = { url = "https://files.pythonhosted.org/packages/d0/63/68dbb6eb2de9cb10ee4c9c14a0148804425e13c4fb20d61cce69f53106da/packaging-24.2.tar.gz", upload-time = 2024-11-08T09:47:47Z, size = 163950, hashes = { sha256 = "c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f" } }
wheels = [{ url = "https://files.pythonhosted.org/packages/88/ef/eb23f262cca3c0c4eb7ab1933c3b1f03d021f2c48f54763065b6f0e321be/packaging-24.2-py3-none-any.whl", upload-time = 2024-11-08T09:47:44Z, size = 65451, hashes = { sha256 = "09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759" } }]

[[packages]]
name = "pip-test-package"
version = "0.1"
vcs = { type = "git", url = "https://github.com/pypa/pip-test-package", commit-id = "a8992fc7ee17e5b9ece022417b64594423caca7c" }

Notice the above pylock.toml has an oldest version of packaging and a commit-id for pip-test-package that is not the tip of its master branch.

Now run uv pip compile pyproject.toml -o pylock.toml. It produces the following pylock.toml:

# This file was autogenerated by uv via the following command:
#    uv pip compile pyproject.toml -o pylock.toml
lock-version = "1.0"
created-by = "uv"
requires-python = ">=3.14"

[[packages]]
name = "packaging"
version = "24.2"
sdist = { url = "https://files.pythonhosted.org/packages/d0/63/68dbb6eb2de9cb10ee4c9c14a0148804425e13c4fb20d61cce69f53106da/packaging-24.2.tar.gz", upload-time = 2024-11-08T09:47:47Z, size = 163950, hashes = { sha256 = "c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f" } }
wheels = [{ url = "https://files.pythonhosted.org/packages/88/ef/eb23f262cca3c0c4eb7ab1933c3b1f03d021f2c48f54763065b6f0e321be/packaging-24.2-py3-none-any.whl", upload-time = 2024-11-08T09:47:44Z, size = 65451, hashes = { sha256 = "09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759" } }]

[[packages]]
name = "pip-test-package"
version = "0.1.1"
vcs = { type = "git", url = "https://github.com/pypa/pip-test-package", commit-id = "96d6d72ac54132aecbdd5adac88bc8d1f8fb986b" }

Notice that the packaging dependency is correctly unchanged, but the pip-test-package dependency has been updated to the tip of its master branch, which is not what we expect from the documentation which states:

When using an output file, uv will consider the versions pinned in an existing output file. If a dependency is pinned it will not be upgraded on a subsequent compile run.

A similar behavior is observed when using requirements.txt instead of pylock.toml.

Platform

linux

Version

0.10.7

Python version

No response

[charliermarsh]

I believe this is specific to the case in which no target revision (e.g., a branch) is specified. I've fixed it here: #18227. We generally can't do the same thing for requirements.txt files because there's no connectivity to the input requirement -- i.e., we have no idea what revision was requested by the user in prior resolves.

[sbidoul]

@charliermarsh thanks! I'm surprised the user requested branch is involved in fixing this, though. Indeed, conceptually I would think that in such a scenario the locked reference takes precedence over other constraints (unless --upgrade or --upgrade-package is used). So the user requested revision should be irrelevant, only the commit-id is needed, and that one is available both in pylock.toml and requirements.txt.

Do I miss something?

[charliermarsh]

I don't think I understand what you mean. If you start with a requirements.in like:

git+https://github.com/agronholm/anyio@concurrency-helpers

And run uv pip compile -o requirements.txt, producing:

# This file was autogenerated by uv via the following command:
#    uv pip compile req.txt -o req.in
anyio @ git+https://github.com/agronholm/anyio@fccc60ccaf7944284a708b56048ded99d44ec5e1
    # via -r req.txt
idna==3.11
    # via anyio
sniffio==1.3.1
    # via anyio

And then change your requirements file to:

git+https://github.com/agronholm/anyio

Then what should uv pip compile -o requirements.txt produce? Retaining fccc60ccaf7944284a708b56048ded99d44ec5e1 would be incorrect, since that commit isn't on the main branch. The requirements output doesn't give you any connectivity between the input request and the resolved SHA, so you'd need to have more complicated logic to understand whether a given commit satisfies a request, which we don't support.

[sbidoul]

Ah sorry I was not clear.

Let's start with the same example as yours above, but I do not change requirements.in. Instead let's say a new commit is pushed to the concurrency-helpers branch.

When I run uv pip compile -o requirements.txt I expect the result to not pick-up the new commit until I upgrade the package explicitly with uv pip compile -o requirements.txt --upgrade-package anyio.

Just like when, in the same example, if there would be a new version of idna, it would not pick it up until I ask it explicitly with --upgrade-package idna or --upgrade.

Does that make sense?

[charliermarsh]

Yeah, that does make sense, I'm just not sure that we'd support it. What you're requesting would require us to look at the commit that's already in the lockfile and determine whether it exists on the concurrency-helpers branch, whereas for uv.lock and pylock.toml, the logic is much simpler and safer, since we know the corresponding requirement for each resolved SHA.

I think you could imagine some counterintuitive examples here if we implemented this behavior. For example: if you first locked against main (by omitting the concurrency-helpers in your requirements file), and then changed your requirements file to point at concurrency-helpers, and concurrency-helpers is a few commits ahead of main, then by default we would retain the existing commit. IMO the requirements file format is too limited to provide the right experience.

[sbidoul]

Ok, so I tested with this #18227, in pylock.toml mode.

It seems that if the locked commit is not on the branch mentioned in requirements.in / tool.uv.sources, it will be updated when uv pip compiles is run, whether the users asks to update the package or not. With the same example, that would happen if there is a force push on the concurrency-helpers branch.

I think I see where my expectation differs. In case of conflict between the lock file and the input requirements, uv gives priority to the input requirements including checking if locked commits are still on requirement branches, while I expect the lock file to override VCS requirements as long as the resolution succeeds when considering the package versions.

[charliermarsh]

It seems that if the locked commit is not on the branch mentioned in requirements.in / tool.uv.sources, it will be updated when uv pip compiles is run, whether the users asks to update the package or not. With the same example, that would happen if there is a force push on the concurrency-helpers branch.

I don't see this behavior, at least in my own testing on this branch. If I force push over a commit, uv continues to use the same commit. You can checkout charlie/test-branch and run cargo run -- pip compile requirements.in -o pylock.toml to verify. Semantically, the way to think of the behavior is: look at pylock.toml, and for each Git dependency, associate the requested revision (e.g., concurrency-helpers) with the resolved commit. If we're later asked to resolve a commit for concurrency-helpers, use the resolved commit.

[sbidoul]

I was indeed testing a case with no requested-revision in pylock.toml which is probably not relevant in practice.

I'll continue digging on my use cases in the coming weeks. Thanks again for the quick fix and your time on this!