Skip to content

feat: support extracting from uv.lock#314

Merged
copybara-service[bot] merged 10 commits intogoogle:mainfrom
ackama:extractor/support-uv
Jan 21, 2025
Merged

feat: support extracting from uv.lock#314
copybara-service[bot] merged 10 commits intogoogle:mainfrom
ackama:extractor/support-uv

Conversation

@G-Rath
Copy link
Collaborator

@G-Rath G-Rath commented Dec 1, 2024

This adds support for parsing uv.lock files which are TOML based and overall seem pretty straightforward - the main gotcha I came across was that they nest their "groups" table (called optional-dependencies) in the package array of tables (I think those are the right TOML terms), meaning it actually ends up getting stuck on the last "package" entry even though it is not package specific.

Beyond that, I think the main two areas that could do with expanding are:

  • support for more exoitc dependencies such as git (I figured this out)
  • support groups - it looks like uv only tracks the direct dependency that has been grouped, but does not mark transitive dependencies; however because it captures both top-level dependencies (in package.metadata) and package dependencies (in [[package]].dependencies) I think in theory we should be able to walk the tree ourselves to determine what dependencies belong in what group
    • I've not done that for now as I'm not 100% sure that'd be correct in every situation, and it feels like it should be fine to tackle in a dedicated PR (I also figure deps.dev can probably help here, which might be a more accurate or preferred alternative)

Resolves google/osv-scanner#1406

erikvarga
erikvarga reviewed Dec 3, 2024
View reviewed changes
@G-Rath G-Rath force-pushed the extractor/support-uv branch from f9d6d49 to 8a98e1e Compare December 3, 2024 18:27
@G-Rath G-Rath requested a review from erikvarga December 3, 2024 18:28
@G-Rath G-Rath force-pushed the extractor/support-uv branch from 8a98e1e to cffad09 Compare December 4, 2024 18:33
@G-Rath G-Rath mentioned this pull request Dec 4, 2024
Merged
@G-Rath G-Rath force-pushed the extractor/support-uv branch 2 times, most recently from 717e630 to a064497 Compare December 5, 2024 21:27
@G-Rath G-Rath force-pushed the extractor/support-uv branch from a064497 to 029837e Compare January 20, 2025 18:12
@copybara-service copybara-service bot merged commit 8748276 into google:main Jan 21, 2025
6 checks passed
@G-Rath G-Rath deleted the extractor/support-uv branch January 21, 2025 18:07
@G-Rath G-Rath mentioned this pull request Feb 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@another-rex another-rex another-rex approved these changes

@erikvarga erikvarga Awaiting requested review from erikvarga

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

REQUEST: Support uv.lock lockfile used by uv

3 participants

@G-Rath @erikvarga @another-rex