fix(pip-compile): respect constraints during --upgrade#18226
Merged
zanieb merged 4 commits intoastral-sh:mainfrom Mar 2, 2026
Merged
fix(pip-compile): respect constraints during --upgrade#18226zanieb merged 4 commits intoastral-sh:mainfrom
--upgrade#18226zanieb merged 4 commits intoastral-sh:mainfrom
Conversation
[`pip-compile`] (jazzband) has the following semantics when invoked with
both `--upgrade` and `--upgrade-package={pkg}{constraint}`: upgrade all
packages WHILE abiding by the constraints provided.
Currently, `uv` ignores the additional constraints, merging `--upgrade`
and `--upgrade-package` simply as `--upgrade`, which is obviously a
divergence in behavior. This leads to specific package constraints being
ignored, even when explicitly provided. When I went to look at patching
this, I noticed an open TODO around the same behavior in the
`--no-upgrade` case.
As a solution, separate the `UpgradeStrategy` from the constraints
provided, allowing for a more graceful merge.
[`pip-compile`]: https://github.com/jazzband/pip-tools
Member
|
Thanks for contributing. This seems like a reasonable change, I can review... |
charliermarsh
approved these changes
Mar 1, 2026
Member
|
This LGTM, though it'd be helpful to get @zanieb's opinion on whether this requires a minor release due to the behavior change. |
Member
|
I think this is a bug fix and the breakage is reasonable. |
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Mar 11, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [uv](https://github.com/astral-sh/uv) | patch | `0.10.7` → `0.10.9` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (uv)</summary> ### [`v0.10.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0109) [Compare Source](astral-sh/uv@0.10.8...0.10.9) Released on 2026-03-06. ##### Enhancements - Add `fbgemm-gpu`, `fbgemm-gpu-genai`, `torchrec`, and `torchtune` to the PyTorch list ([#​18338](astral-sh/uv#18338)) - Add torchcodec to PyTorch List ([#​18336](astral-sh/uv#18336)) - Log the duration we took before erroring ([#​18231](astral-sh/uv#18231)) - Warn when using `uv_build` settings without `uv_build` ([#​15750](astral-sh/uv#15750)) - Add fallback to `/usr/lib/os-release` on Linux system lookup failure ([#​18349](astral-sh/uv#18349)) - Use `cargo auditable` to include SBOM in uv builds ([#​18276](astral-sh/uv#18276)) ##### Configuration - Add an environment variable for `UV_VENV_RELOCATABLE` ([#​18331](astral-sh/uv#18331)) ##### Performance - Avoid toml `Document` overhead ([#​18306](astral-sh/uv#18306)) - Use a single global workspace cache ([#​18307](astral-sh/uv#18307)) ##### Bug fixes - Continue on trampoline job assignment failures ([#​18291](astral-sh/uv#18291)) - Handle the hard link limit gracefully instead of failing ([#​17699](astral-sh/uv#17699)) - Respect build constraints for workspace members ([#​18350](astral-sh/uv#18350)) - Revalidate editables and other dependencies in scripts ([#​18328](astral-sh/uv#18328)) - Support Python 3.13+ on Android ([#​18301](astral-sh/uv#18301)) - Support `cp3-none-any` ([#​17064](astral-sh/uv#17064)) - Skip tool environments with broken links to Python on Windows ([#​17176](astral-sh/uv#17176)) ##### Documentation - Add documentation for common marker values ([#​18327](astral-sh/uv#18327)) - Improve documentation on virtual dependencies ([#​18346](astral-sh/uv#18346)) ### [`v0.10.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0108) [Compare Source](astral-sh/uv@0.10.7...0.10.8) Released on 2026-03-03. ##### Python - Add CPython 3.10.20 - Add CPython 3.11.15 - Add CPython 3.12.13 ##### Enhancements - Add Docker images based on Docker Hardened Images ([#​18247](astral-sh/uv#18247)) - Add resolver hint when `--exclude-newer` filters out all versions of a package ([#​18217](astral-sh/uv#18217)) - Configure a real retry minimum delay of 1s ([#​18201](astral-sh/uv#18201)) - Expand `uv_build` direct build compatibility ([#​17902](astral-sh/uv#17902)) - Fetch CPython from an Astral mirror by default ([#​18207](astral-sh/uv#18207)) - Download uv releases from an Astral mirror in installers by default ([#​18191](astral-sh/uv#18191)) - Add SBOM attestations to Docker images ([#​18252](astral-sh/uv#18252)) - Improve hint for installing meson-python when missing as build backend ([#​15826](astral-sh/uv#15826)) ##### Configuration - Add `UV_INIT_BARE` environment variable for `uv init` ([#​18210](astral-sh/uv#18210)) ##### Bug fixes - Prevent `uv tool upgrade` from installing excluded dependencies ([#​18022](astral-sh/uv#18022)) - Promote authentication policy when saving tool receipts ([#​18246](astral-sh/uv#18246)) - Respect exclusions in scripts ([#​18269](astral-sh/uv#18269)) - Retain default-branch Git SHAs in `pylock.toml` files ([#​18227](astral-sh/uv#18227)) - Skip installed Python check for URL dependencies ([#​18211](astral-sh/uv#18211)) - Respect constraints during `--upgrade` ([#​18226](astral-sh/uv#18226)) - Fix `uv tree` orphaned roots and premature deduplication ([#​17212](astral-sh/uv#17212)) ##### Documentation - Mention cooldown and tweak inline script metadata in dependency bots documentation ([#​18230](astral-sh/uv#18230)) - Move cache prune in GitLab to `after_script` ([#​18206](astral-sh/uv#18206)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90IiwiYXV0b21hdGlvbjpib3QtYXV0aG9yZWQiLCJkZXBlbmRlbmN5LXR5cGU6OnBhdGNoIl19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pip-compile(jazzband) has the following semantics when invoked with both--upgradeand--upgrade-package={pkg}{constraint}: upgrade all packages WHILE abiding by the constraints provided.Currently,
uvignores the additional constraints, merging--upgradeand--upgrade-packagesimply as--upgrade, which is obviously a divergence in behavior. This leads to specific package constraints being ignored, even when explicitly provided. When I went to look at patching this, I noticed an open TODO around the same behavior in the--no-upgradecase.As a solution, separate the
UpgradeStrategyfrom the constraints provided, allowing for a more graceful merge.I've created an issue to track this here: #18225
Test Plan
I've added a few integration tests to cover this case (including updating the negative test that existed), and updated the relevant snapshots.