
Inconsistent version for wheel in lockfile updated by Dependabot #12254

@zanieb

Description

Dependabot recently launched support for updating versions in uv.lock files (see dependabot/dependabot-core#10478). However, the latest version of Dependabot:

  • Edits the lockfile directly instead of using uv to resolve new metadata
  • Updates the <package>.version field (but not the associated distributions)

(see the implementation)

Previously, we've assumed we are the only writer of the lockfile and that the metadata inside it was consistent. Since the distribution files were not updated by Dependabot, uv would continue to use the old package version despite the Dependabot change. This means that Dependabot pull requests updating the versions of packages in the uv.lock had no effect.

It looks like this may be a Dependabot regression introduced by dependabot/dependabot-core#11810. It's not clear if the change in behavior was intentional.

In #12235, we've added validation that the package version in a lockfile matches its associated wheels. In uv 0.6.7, an error will be raised if this is detected. This will prevent invalid changes to the lockfile. Unfortunately, this means that some existing lockfiles will be invalidated. If a lockfile has been updated by the latest version of Dependabot, it will need to be reverted.

Note the validation is currently only scoped to distributions with wheels. If there are not wheels published for the package, the described problem is still present. We are exploring validation of source distribution versions in #12237 — but we are worried this may disrupt other workflows.

We continue to be excited about Dependabot support for uv. If you're working on a fix for this issue in Dependabot, feel free to ping me for review.
