Prevent uv tool upgrade from installing excluded dependencies#18022
Merged
charliermarsh merged 4 commits intoastral-sh:mainfrom Mar 3, 2026
Merged
Prevent uv tool upgrade from installing excluded dependencies#18022charliermarsh merged 4 commits intoastral-sh:mainfrom
charliermarsh merged 4 commits intoastral-sh:mainfrom
Conversation
zanieb
reviewed
Feb 15, 2026
Comment on lines
+337
to
+338
| // Add excludes from tool receipt to requirements | ||
| spec.excludes = existing_tool_receipt.excludes().to_vec(); |
Member
There was a problem hiding this comment.
I think we should instead add a function like from_excludes like from_overrides that includes this.
We'll need to open a separate ticket to revisit / improve that API design.
Member
There was a problem hiding this comment.
We also might need to open a ticket to add excludes support to scripts?
uv/crates/uv/src/commands/project/mod.rs
Line 2707 in d2ab2d0
Contributor
Author
There was a problem hiding this comment.
I think we should instead add a function like
from_excludeslikefrom_overridesthat includes this.We'll need to open a separate ticket to revisit / improve that API design.
Would adding an excludes argument to from_overrides() be an acceptable solution for this PR?
For the moment script_specification() would supply an empty Vec for this argument and this could be later populated when it gains support for dependency exclusion.
Member
|
This change should have new test coverage |
Store dependencies excluded by uv tool install in the tool receipt and provide these same dependencies to the requirements resolver when the tool is upgraded.
5a58af6 to
1779efd
Compare
Contributor
Author
I've added an appropriate test to 1779efd |
charliermarsh
approved these changes
Mar 3, 2026
charliermarsh
added a commit
that referenced
this pull request
Mar 3, 2026
## Summary See: #18022 (comment).
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Mar 11, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | patch | `0.10.7` → `0.10.9` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.10.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0109) [Compare Source](astral-sh/uv@0.10.8...0.10.9) Released on 2026-03-06. ##### Enhancements - Add `fbgemm-gpu`, `fbgemm-gpu-genai`, `torchrec`, and `torchtune` to the PyTorch list ([#​18338](astral-sh/uv#18338)) - Add torchcodec to PyTorch List ([#​18336](astral-sh/uv#18336)) - Log the duration we took before erroring ([#​18231](astral-sh/uv#18231)) - Warn when using `uv_build` settings without `uv_build` ([#​15750](astral-sh/uv#15750)) - Add fallback to `/usr/lib/os-release` on Linux system lookup failure ([#​18349](astral-sh/uv#18349)) - Use `cargo auditable` to include SBOM in uv builds ([#​18276](astral-sh/uv#18276)) ##### Configuration - Add an environment variable for `UV_VENV_RELOCATABLE` ([#​18331](astral-sh/uv#18331)) ##### Performance - Avoid toml `Document` overhead ([#​18306](astral-sh/uv#18306)) - Use a single global workspace cache ([#​18307](astral-sh/uv#18307)) ##### Bug fixes - Continue on trampoline job assignment failures ([#​18291](astral-sh/uv#18291)) - Handle the hard link limit gracefully instead of failing ([#​17699](astral-sh/uv#17699)) - Respect build constraints for workspace members ([#​18350](astral-sh/uv#18350)) - Revalidate editables and other dependencies in scripts ([#​18328](astral-sh/uv#18328)) - Support Python 3.13+ on Android ([#​18301](astral-sh/uv#18301)) - Support `cp3-none-any` ([#​17064](astral-sh/uv#17064)) - Skip tool environments with broken links to Python on Windows ([#​17176](astral-sh/uv#17176)) ##### Documentation - Add documentation for common marker values ([#​18327](astral-sh/uv#18327)) - Improve documentation on virtual dependencies ([#​18346](astral-sh/uv#18346)) ### [`v0.10.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0108) [Compare Source](astral-sh/uv@0.10.7...0.10.8) Released on 2026-03-03. ##### Python - Add CPython 3.10.20 - Add CPython 3.11.15 - Add CPython 3.12.13 ##### Enhancements - Add Docker images based on Docker Hardened Images ([#​18247](astral-sh/uv#18247)) - Add resolver hint when `--exclude-newer` filters out all versions of a package ([#​18217](astral-sh/uv#18217)) - Configure a real retry minimum delay of 1s ([#​18201](astral-sh/uv#18201)) - Expand `uv_build` direct build compatibility ([#​17902](astral-sh/uv#17902)) - Fetch CPython from an Astral mirror by default ([#​18207](astral-sh/uv#18207)) - Download uv releases from an Astral mirror in installers by default ([#​18191](astral-sh/uv#18191)) - Add SBOM attestations to Docker images ([#​18252](astral-sh/uv#18252)) - Improve hint for installing meson-python when missing as build backend ([#​15826](astral-sh/uv#15826)) ##### Configuration - Add `UV_INIT_BARE` environment variable for `uv init` ([#​18210](astral-sh/uv#18210)) ##### Bug fixes - Prevent `uv tool upgrade` from installing excluded dependencies ([#​18022](astral-sh/uv#18022)) - Promote authentication policy when saving tool receipts ([#​18246](astral-sh/uv#18246)) - Respect exclusions in scripts ([#​18269](astral-sh/uv#18269)) - Retain default-branch Git SHAs in `pylock.toml` files ([#​18227](astral-sh/uv#18227)) - Skip installed Python check for URL dependencies ([#​18211](astral-sh/uv#18211)) - Respect constraints during `--upgrade` ([#​18226](astral-sh/uv#18226)) - Fix `uv tree` orphaned roots and premature deduplication ([#​17212](astral-sh/uv#17212)) ##### Documentation - Mention cooldown and tweak inline script metadata in dependency bots documentation ([#​18230](astral-sh/uv#18230)) - Move cache prune in GitLab to `after_script` ([#​18206](astral-sh/uv#18206)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90IiwiYXV0b21hdGlvbjpib3QtYXV0aG9yZWQiLCJkZXBlbmRlbmN5LXR5cGU6OnBhdGNoIl19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #18021
Store dependencies excluded by uv tool install in the tool receipt and provide these same dependencies to the requirements resolver when the tool is upgraded.
Test Plan
Running the repro commands provided in issue #18021, we can see the excluded dependency does not get reinstalled when the tool is upgraded: