local editable dependencies: uv lock behaves differently for projects and scripts #18312

@Weidav

Summary

When a script references a local editable dependency and that dependency's pyproject.toml changes (e.g., a transitive dependency version is updated), uv lock --script does not update the script lockfile. The lockfile silently remains stale. Running uv run --locked --script then uses the outdated locked versions.

The equivalent project command (uv lock) correctly detects the same change and updates the lockfile as expected. The inconsistency is limited to uv lock --script.

Minimal reproduction

The full repository is available at: https://github.com/Weidav/uv-lock-bug-minimal-example

Steps to reproduce

Clone the repo and execute ./reproduce_bug.sh.
The script also explains in detail the expected vs actual behavior at each step.

To clean up afterwards, run ./reset.sh; the workspace will then be back to the initial state.

Expected behavior

uv lock --script <script> should re-read the pyproject.toml of local editable dependencies (just as uv lock does for projects) and update the script lockfile when those dependencies have changed.

After updating pydantic, uv run --locked --script example-script.py should fail, and after running uv lock --script example-script.py, example-script.py.lock should contain pydantic==2.12.5.

I would expect the same behavior from scripts and projects. I think the projects behave correctly and as documented, but the scripts do not.

Actual behavior

uv lock --script <script> does not detect that a local editable dependency's pyproject.toml has changed. The script lockfile remains unchanged (still pinning pydantic==1.10.26) and uv run --locked --script does not raise a lockfile mismatch error — it silently runs with the stale dependencies.

Workaround

Explicitly pass --upgrade-package for the local editable dependency:

uv lock --script example-script.py --upgrade-package example-lib

This forces uv to re-resolve the dependency and picks up the new transitive constraints, but this should not be necessary after a normal uv lock --script.

Additional notes

  • The bug does not affect uv lock (project mode) — only uv lock --script (inline script mode).
  • Clearing the uv cache (uv cache clean) does not resolve the issue, confirming this is not a caching problem.
  • The bug means scripts using local editable path sources can silently run with stale transitive dependencies, even when --locked is specified. This undermines the reproducibility guarantee that --locked is supposed to provide.

Platform

Linux 6.8.0-1044-azure x86_64 GNU/Linux

Version

uv 0.10.8

Python version

Python 3.12.1

Labels: bug