feat(pypi): support importing uv.lock file#3785
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds support for uv.lock files in rules_python, introducing a toml2json conversion utility and updating the lock rule and requirement parsing logic. The review identifies critical compatibility issues, specifically the toml2json tool's reliance on Python 3.11's tomllib and missing serialization for date/time objects. Furthermore, the feedback highlights logic errors in how package extras are handled—which could lead to dependency bloat or failed consistency checks—and suggests improvements for platform resolution and path handling in shell scripts.
| """Parse requirements using uv.lock as the primary source.""" | ||
| ret = _parse_uv_lock_json( | ||
| uv_lock_json = uv_lock_json, | ||
| all_platforms = _get_all_platforms(requirements_by_platform) if requirements_by_platform else [], |
There was a problem hiding this comment.
If requirements_by_platform is empty (which is common when using uv.lock as the primary source), all_platforms will be an empty list. This results in all packages having empty target_platforms, which will likely cause issues in downstream rules that expect platform information for wheel selection.
| all_platforms = _get_all_platforms(requirements_by_platform) if requirements_by_platform else [], | |
| all_platforms = _get_all_platforms(requirements_by_platform) if requirements_by_platform else sorted(platforms.keys()), |
| for extra in pkg.get("provides-extras", pkg.get("extras", [])): | ||
| if extra not in entry["extras"]: | ||
| entry["extras"][extra] = None |
There was a problem hiding this comment.
Including all provides-extras in the requirement line for every package is likely incorrect. provides-extras lists all extras a package defines, not necessarily what was resolved or requested. Including all of them will force the installation of all optional dependencies for every package in the lock file, leading to significant dependency bloat. It might be better to omit extras from the requirement line if the lock file already provides the specific version and URL, or only include the extras that were part of the resolution.
| for dep in pkg.get("dependencies", []): | ||
| extra = dep.get("extra") | ||
| if extra and extra not in uv_packages[name]["extras"]: | ||
| uv_packages[name]["extras"][extra] = None |
There was a problem hiding this comment.
The logic for collecting extras in the consistency check appears to be flawed. It iterates over the dependencies of pkg and adds the extra name to uv_packages[name]["extras"], where name is the name of the requiring package. Later, when checking a package item, it looks for extras in uv_packages[item.name]["extras"]. This will fail to find extras that were requested by other packages.
- tomllib: try/except fallback to tomli for Python <3.11 - json_serializer: add datetime.date and datetime.time support - all_platforms: use sorted(platforms.keys()) fallback - $PWD/ path: check if python_path is absolute - extra_pip_args: pass through to _parse_uv_lock_json - Add uv_lock tests: multiple packages, extra_pip_args, multi-os - Update plan.md with review cycle instructions
|
Addressed all review comments. Please re-review when you get a chance. @gemini-code-assist |
There was a problem hiding this comment.
Code Review
This pull request introduces support for uv.lock files in rules_python, adding a new lock_format attribute to the lock rule and a toml2json utility for parsing. It also implements a consistency check between uv.lock and requirements files. The reviewer identified a potential runtime error in the uv.lock parser due to unsafe dictionary access for optional hash keys and suggested simplifying redundant logic during hash extraction.
- Add python_3_14 toolchain in MODULE.bazel - Always use Python 3.14 interpreter for uv.lock JSON conversion - Remove tomli fallback from toml2json.py (Python 3.14 has tomllib) - Simplify convert_uv_lock_to_json to use fixed interpreter
- Add bazel-in-bazel integration test under tests/integration/uv_lock/ - Test converts uv.lock TOML to JSON using toml2json tool - Remove dead uv_pypi test data (placeholder only) - Restore tomli fallback in toml2json.py for backward compatibility
|
Addressed all review comments and added Python 3.14 toolchain + integration test. Please re-review. @gemini-code-assist |
There was a problem hiding this comment.
Code Review
This pull request introduces support for uv.lock files as a primary metadata source in rules_python. Key additions include a toml2json tool for parsing, a new uv_lock format for the lock rule, and consistency checks within parse_requirements. Reviewer feedback suggests adopting more idiomatic Starlark dictionary access, implementing safer hash prefix stripping, and improving the portability of shell commands by replacing hardcoded environment variables with Bazel-provided paths.
|
The latest release of toml.bzl makes bazel_lib a dev dependency. It now uses skylib for the |
Remove the old toml2json Python tool and uv_lock.bzl in favor of the pure Starlark toml.bzl decoder. Update tests to pass toml_decode mock, remove is_rules_python_root references, and fix virtual package test expectations. Clean up BUILD.bazel files that referenced deleted targets.
| ), | ||
| logger = logger, | ||
| ), | ||
| uv_lock = pip_attr.uv_lock, |
There was a problem hiding this comment.
Add a test to ensure this is tested.
… lock support Remove the lock_format attribute and detect whether to use uv lock or uv pip compile from the output file extension (.lock = uv lock, else requirements). Add a Windows bat template for uv lock support. The python interpreter is passed through --python flag consistently.
rickeylev
left a comment
rickeylev
left a comment
There was a problem hiding this comment.
Overall LGTM. Some minor questions and nits. But overall, this fit in rather nicely with the pipstar code you've written, nice!
Require a strict `uv.lock` suffix for uv lock targets to disambiguate from pip-compile outputs, and fix absolute Python interpreter path evaluation during lockfile generation. Additionally, restore helpful structural comments inside requirement parsing logic and register missing TOML Stardoc dependencies.
|
(agent comment) Addressed the second review cycle comments (enforcing |
There was a problem hiding this comment.
Code Review
This pull request implements support for uv.lock files in rules_python, allowing them to be used as the primary source for package metadata and introducing a rule to generate them. The feedback identifies several issues: a potential path resolution failure in lock.bzl when the Python interpreter path is absolute, an undefined repository error caused by exposing virtual packages with no sources in the hub, and a version mismatch for the toml.bzl dependency between MODULE.bazel and py_repositories.bzl.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| item = struct( | ||
| name = norm_name, | ||
| is_exposed = True, | ||
| is_multiple_versions = len(versions) > 1, | ||
| # TODO @aignas 2026-05-17: use the default index that is used in parsing the | ||
| # requirements if it is not known in the uv.lock file. We need to get this from the | ||
| # pyproject.toml file uv.tool configuration. | ||
| index_url = "", | ||
| srcs = pkg_srcs, | ||
| ) |
There was a problem hiding this comment.
Setting is_exposed = True for virtual packages (which have no sources, i.e., srcs = []) causes the hub repository to expose them as targets. However, since they have no sources, no corresponding whl_library repository is created for them. This leads to undefined repository errors (e.g., @hub_virtual_pkg not found) when Bazel attempts to resolve or query the hub's targets. We should set is_exposed to len(pkg_srcs) > 0 so that virtual packages without sources are not exposed in the hub.
| item = struct( | |
| name = norm_name, | |
| is_exposed = True, | |
| is_multiple_versions = len(versions) > 1, | |
| # TODO @aignas 2026-05-17: use the default index that is used in parsing the | |
| # requirements if it is not known in the uv.lock file. We need to get this from the | |
| # pyproject.toml file uv.tool configuration. | |
| index_url = "", | |
| srcs = pkg_srcs, | |
| ) | |
| item = struct( | |
| name = norm_name, | |
| is_exposed = len(pkg_srcs) > 0, | |
| is_multiple_versions = len(versions) > 1, | |
| # TODO @aignas 2026-05-17: use the default index that is used in parsing the | |
| # requirements if it is not known in the uv.lock file. We need to get this from the | |
| # pyproject.toml file uv.tool configuration. | |
| index_url = "", | |
| srcs = pkg_srcs, | |
| ) |
| struct( | ||
| name = "virtual_pkg", | ||
| index_url = "", | ||
| is_exposed = True, | ||
| is_multiple_versions = False, | ||
| srcs = [], | ||
| ), |
There was a problem hiding this comment.
Update the unit test expectation to match the corrected is_exposed behavior for virtual packages (which should be False since they have no sources).
| struct( | |
| name = "virtual_pkg", | |
| index_url = "", | |
| is_exposed = True, | |
| is_multiple_versions = False, | |
| srcs = [], | |
| ), | |
| struct( | |
| name = "virtual_pkg", | |
| index_url = "", | |
| is_exposed = False, | |
| is_multiple_versions = False, | |
| srcs = [], | |
| ) |
Add dedicated parsing support for direct artifact URL sources in `uv.lock` files to ensure compatibility with non-registry dependencies. Implemented by adding a dedicated `_add_direct_url_entry` helper and associated unit test coverage in `parse_requirements_tests.bzl`.
Adopt `str.removeprefix()` for safe hash stripping, sync `toml.bzl` to 0.4.1 in `py_repositories.bzl`, add absolute interpreter path checks in `lock.bzl`, format `uv_lock` docstrings with `VERSION_NEXT_FEATURE`, and remove temporary Python 3.14 toolchains.
|
Addressed the remaining unresolved review threads (adopting |
There was a problem hiding this comment.
Code Review
This pull request introduces support for using uv.lock files as the primary source of package metadata in rules_python. It integrates a pure Starlark TOML decoder to parse uv.lock and extract packages, versions, extras, and sources (wheels, sdists, VCS, and direct URLs). Additionally, it updates the lock rule to support generating uv.lock files and adds comprehensive unit tests. The code review identified critical issues where the shell and batch scripts fail when copying uv.lock onto itself, a correctness bug where assigning all platforms to multiple versions of a package causes repository conflicts during hub building, and an issue where git revisions are not appended to VCS URLs, leading to unpinned dependencies.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| distribution = info["distribution"], | ||
| extra_pip_args = extra_pip_args or [], | ||
| requirement_line = requirement_line, | ||
| target_platforms = list(all_platforms), |
There was a problem hiding this comment.
Setting target_platforms = list(all_platforms) for all package versions in _parse_uv_lock introduces a correctness bug when a package has multiple versions in uv.lock (e.g., due to different Python versions or environment markers).
Because all versions of the package are assigned the exact same target_platforms, they will all generate the same config settings in _add_whl_library. This causes a conflict during the hub building phase, resulting in a build failure: attempting to override an existing repo '...' for config setting '...' with a new repo '...'.
To fix this, we should parse and evaluate the resolution-markers (or package-level markers) for each package version against the configured platforms to determine the correct subset of target_platforms for each version. If no markers are present, we can default to all_platforms.
rickeylev
left a comment
rickeylev
left a comment
There was a problem hiding this comment.
Fixed a variety of comments
# Conflicts: # MODULE.bazel # python/private/pypi/hub_builder.bzl # python/private/pypi/parse_requirements.bzl # python/uv/private/lock.bzl
…ts call Align `parse_requirements()` invocation in `hub_builder.bzl` with upstream marker evaluation refactoring.
rickeylev
force-pushed
the
aignas.feat.uv-lock
branch
from
0d55407 to
7c98eb2
Compare
Prevent wheel repository override collisions across incompatible Python versions in uv.lock by properly evaluating resolution-markers against target platforms.
rickeylev
force-pushed
the
aignas.feat.uv-lock
branch
from
7c98eb2 to
67c6b23
Compare
…o aignas.feat.uv-lock
…o aignas.feat.uv-lock # Conflicts: # python/uv/private/lock.bzl
|
@aignas PTAL -- CI is happy! But the unresolved comments from Gemini I think might be valid? |
3 participants
Part of this is vibe coded, but I thought that the approach might have been rigorous
enough to submit a PR.
The strategy was:
uv.lockfile from thelockrule.uv.lockfile together with the requirements fileand verify things are OK.
Extra things that we could do:
uv.lockscenarios and ensure parity withrequirements.txtfiles.PyPIindex to understand if the packages are yanked or not - lockfile does not have that information.
pyproject.tomlfile to get the index values for each package.Summary:
Closes #3557
Work towards #2787