`uv sync --locked` does not detect incorrect `uv.lock`

[Nugine]

Summary

Discovered from a bug of dependabot:
dependabot/dependabot-core#10478 (comment)

To reproduce

1. select any package in uv.lock
2. change its version to any valid semver
   • edit the package.version field directly in uv.lock
3. run uv sync --locked

The installed package is still the previous installed version. It mismatches with what the lock file specified.

There is no warning or error for this case. uv continues sliently.

Platform

Linux 6.8.0-55-generic x86_64 GNU/Linux

Version

uv 0.6.6

Python version

Python 3.13.2

[konstin]

When you say "change its version to any valid semver", do you mean editing the package.version field directly in uv.lock, without changing the sdist or wheels entries?

[shauneccles]

When you say "change its version to any valid semver", do you mean editing the package.version field directly in uv.lock, without changing the sdist or wheels entries?

I think thats what they mean - that is currently what dependabot is doing to update the lockfile -
https://github.com/LedFx/LedFx/pull/1311/files

[zanieb]

See also #12254