Error on lockfiles with incoherent wheel versions #12235
Conversation
| })); | ||
| } | ||
| } | ||
| // We can't check the source dist version since it does not need to contain the version |
There was a problem hiding this comment.
We should always have at least one wheel enabling us to catch the inconsistency?
There was a problem hiding this comment.
Not necessarily, for example:
dependencies = [
"sniffio",
]
[tool.uv.sources]
sniffio = { path = "sniffio.tar.gz" }uv.lock:
[[package]]
name = "sniffio"
version = "1.3.1"
source = { path = "sniffio.tar.gz" }
sdist = { hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc" }In this case, it's not possible to determine from the lockfile alone whether there is an inconsistency.
There was a problem hiding this comment.
I've added another commit that catches all mismatches between locked source dist version and the built wheel versions at build time. This would enforce stricter guarantees than we require right now, CC @charliermarsh
There was a problem hiding this comment.
As an example:
[[package]]
name = "sniffio"
version = "2.3.4"
source = { url = "https://files.pythonhosted.org/packages/a2/87/a6771e1546d97e7e041b6ae58d80074f81b7d5121207425c964ddf5cfdbd/sniffio-1.3.1.tar.gz" }
sdist = { hash = "sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc" }With this last commit fails with:
× Failed to download and build `sniffio @
│ https://files.pythonhosted.org/packages/a2/87/a6771e1546d97e7e041b6ae58d80074f81b7d5121207425c964ddf5cfdbd/sniffio-1.3.1.tar.gz`
╰─▶ Package metadata version `1.3.1` does not match given version `2.3.4`
help: `sniffio` was included because `foo` (v0.1.0) depends on `sniffio`
The potential clash could be with git dependencies that use a version-from-git integration.
There was a problem hiding this comment.
Moved this to a separate PR: #12237
| Caused by: Locked package and file versions are inconsistent for `iniconfig` | ||
| "); | ||
|
|
||
| // Without `--locked`, we could fail or recreate the lockfile, currently, we fail. |
There was a problem hiding this comment.
Would a user find this surprising? I think I'd assume uv will create a correct lockfile when running uv lock. And it might not be clear to a user what action they should take next if they see this error.
I guess it partially depends on what "If a lockfile is present, its contents will be used as preferences for the resolution" from the docs for uv lock means. Does that mean we try to use those preferences, but override them if necessary?
There was a problem hiding this comment.
Currently, we fail on all kinds of parsing errors with lockfile. For example, an empty uv.lock fails:
$ uv lock
error: Failed to parse `uv.lock`
Caused by: TOML parse error at line 1, column 1
|
1 |
| ^
missing field `version`
As does a lockfile where I removed the source line:
$ uv lock
error: Failed to parse `uv.lock`
Caused by: TOML parse error at line 16, column 1
|
16 | [[package]]
| ^^^^^^^^^^^
missing field `source`
We can try to be better about recovering from a broken lockfile, but that's outside of the scope of the PR (uv would never write such a lockfile, and with this change, uv will refuse to sync a broken dependabot PR, failing CI). For comparison, in cases where the lockfile is not invalid but doesn't fully match in a non-version anymore, e.g., the environments changed, we for example only reuse the versions as preference but not the full lockfile (ValidatedLock enumerates the cases).
Reject lockfiles where the package version and the wheel versions are incoherent. This implicitly checks that all wheel files have the same version. It does not check for the source dist version, since a source dist may not contain a version in the filename and attempting to deserialize source dist filenames we may not need is a performance overhead for something that's already slow in `uv run`. Fixes #12164
konstin
force-pushed
the
konsti/locked-version-coherence
branch
from
36e4181 to
eb6dcc0
Compare
|
Does this mean that Dependabot updates will lead to hard uv errors? (I understand that, at least the linked issue, what they're doing today may not be sound.) |
|
I think so, at least making PRs with this logic without updating source dist and wheels accordingly will lead to broken lockfiles: https://github.com/dependabot/dependabot-core/blob/1cd6fc59d7dae25d46255550528dd056c97c46d8/uv/lib/dependabot/uv/file_updater/lock_file_updater.rb#L111-L120. We currently accept those lockfile changes, but they don't do semantically what the PR diff would suggest (they don't actually upgrade the version). Other commenters at dependabot/dependabot-core#10478 have noted that dependabot can produce lockfiles broken under |
|
As a user and developer I want uv to explode if dependabot maims my lockfile so I know about it and so I can raise issues with dependabot. |
Yep that's my lockfile, and they certainly do currently break them (tysm for |
| if version != &wheel.filename.version { | ||
| return Err(LockError::from(LockErrorKind::InconsistentVersions { | ||
| name: self.id.name, | ||
| })); |
There was a problem hiding this comment.
Can we show the versions in the error here? Like "packaged version {} does not match {} from wheel {}"?
zanieb
changed the title
|
This seems to have caused some problems with the flash-attn wheels. Now causes Not sure if there is a better way to configure usage of these wheels. |
|
Ah thanks, we can fix that. |
`uv 0.6.6` adds a hard error when the version of the package in `uv.lock` does not match the one declared in the editable wheel: astral-sh/uv#12235. `release-please` doesn't update the lock files automatically, so release PRs needed a manual lock update. This PR adds the lockfile as an `extra-file`, to avoid this manual step. Note that the _jsonpath_ in the config is not technically correct, as release-please's json array filters don't quite work for toml files. See googleapis/release-please#2455, which includes this hacky workaround.
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.6.5` -> `0.6.9` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>astral-sh/uv (astral-sh/uv)</summary> ### [`v0.6.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#069) [Compare Source](astral-sh/uv@0.6.8...0.6.9) ##### Enhancements - Use `keyring --mode creds` when `authenticate = "always"` ([#​12316](astral-sh/uv#12316)) - Fail with specific error message when no password is present and `authenticate = "always"` ([#​12313](astral-sh/uv#12313)) ##### Bug fixes - Add boolish value parser for `UV_MANAGED_PYTHON` flags ([#​12345](astral-sh/uv#12345)) - Make deserialization non-fatal when assessing source tree revisions ([#​12319](astral-sh/uv#12319)) - Use resolver-returned wheel over alternate cached wheel ([#​12301](astral-sh/uv#12301)) ##### Documentation - Add experimental `--torch-backend` to the PyTorch guide ([#​12317](astral-sh/uv#12317)) - Fix `#keyring-provider` references in alternative index docs ([#​12315](astral-sh/uv#12315)) - Fix `--directory` path in examples ([#​12165](astral-sh/uv#12165)) ##### Preview changes - Automatically infer the PyTorch index via `--torch-backend=auto` ([#​12070](astral-sh/uv#12070)) ### [`v0.6.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#068) [Compare Source](astral-sh/uv@0.6.7...0.6.8) ##### Enhancements - Add support for enabling all groups by default with `default-groups = "all"` ([#​12289](astral-sh/uv#12289)) - Add simpler `--managed-python` and `--no-managed-python` flags for toggling Python preferences ([#​12246](astral-sh/uv#12246)) ##### Performance - Avoid allocations for default cache keys ([#​12063](astral-sh/uv#12063)) ##### Bug fixes - Allow local version mismatches when validating lockfile ([#​12285](astral-sh/uv#12285)) - Allow owned string when deserializing `requires-python` ([#​12278](astral-sh/uv#12278)) - Make cache errors non-fatal in `Planner::build` ([#​12281](astral-sh/uv#12281)) ### [`v0.6.7`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#067) [Compare Source](astral-sh/uv@0.6.6...0.6.7) ##### Python - Add CPython 3.14.0a6 - Fix regression where extension modules would use wrong `CXX` compiler on Linux - Enable FTS3 enhanced query syntax for SQLite See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250317) for more details. ##### Enhancements - Add support for `-c` constraints in `uv add` ([#​12209](astral-sh/uv#12209)) - Add support for `--global` default version in `uv python pin` ([#​12115](astral-sh/uv#12115)) - Always reinstall local source trees passed to `uv pip install` ([#​12176](astral-sh/uv#12176)) - Render token claims on publish permission error ([#​12135](astral-sh/uv#12135)) - Add pip-compatible `--group` flag to `uv pip install` and `uv pip compile` ([#​11686](astral-sh/uv#11686)) ##### Preview features - Avoid creating duplicate directory entries in built wheels ([#​12206](astral-sh/uv#12206)) - Allow overriding module names for editable builds ([#​12137](astral-sh/uv#12137)) ##### Performance - Avoid replicating core-metadata field on `File` struct ([#​12159](astral-sh/uv#12159)) ##### Bug fixes - Add `src` to default cache keys ([#​12062](astral-sh/uv#12062)) - Discard insufficient fork markers ([#​10682](astral-sh/uv#10682)) - Ensure `python pin --global` creates parent directories if missing ([#​12180](astral-sh/uv#12180)) - Fix GraalPy abi tag parsing and discovery ([#​12154](astral-sh/uv#12154)) - Remove extraneous script packages in `uv sync --script` ([#​12158](astral-sh/uv#12158)) - Remove redundant `activate.bat` output ([#​12160](astral-sh/uv#12160)) - Avoid subsequent index hint when no versions are available on the first index ([#​9332](astral-sh/uv#9332)) - Error on lockfiles with incoherent wheel versions ([#​12235](astral-sh/uv#12235)) ##### Rust API - Update `BaseClientBuild` to accept custom proxies ([#​12232](astral-sh/uv#12232)) ##### Documentation - Make testpypi index explicit in example snippet ([#​12148](astral-sh/uv#12148)) - Reverse and format the archived changelogs ([#​12099](astral-sh/uv#12099)) - Use consistent commas around i.e. and e.g. ([#​12157](astral-sh/uv#12157)) - Fix typos in MRE docs ([#​12198](astral-sh/uv#12198)) - Fix double space typo ([#​12171](astral-sh/uv#12171)) ### [`v0.6.6`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#066) [Compare Source](astral-sh/uv@0.6.5...0.6.6) ##### Python - Add support for dynamic musl Python distributions on x86-64 Linux ([#​12121](astral-sh/uv#12121)) - Allow the experimental JIT to be enabled at runtime on Python 3.13 and 3.14 on Linux - Upgrade the build toolchain to LLVM 20, improving performance See the [`python-build-standalone` release notes](https://github.com/astral-sh/python-build-standalone/releases/tag/20250311) for more details. ##### Enhancements - Add `--marker` flag to `uv add` ([#​12012](astral-sh/uv#12012)) - Allow overriding module name for uv build backend ([#​11884](astral-sh/uv#11884)) - Sync latest Python releases ([#​12120](astral-sh/uv#12120)) - Use 'Upload' instead of 'Download' in publish reporter ([#​12029](astral-sh/uv#12029)) - Add `[index].authenticate` allowing authentication to be required on an index ([#​11896](astral-sh/uv#11896)) - Add support for Windows legacy scripts in `uv tool run` ([#​12079](astral-sh/uv#12079)) - Propagate conflicting dependency groups when using `include-group` ([#​12005](astral-sh/uv#12005)) - Show ambiguous requirements when `uv add` failed ([#​12106](astral-sh/uv#12106)) ##### Performance - Cache workspace discovery ([#​12096](astral-sh/uv#12096)) - Insert dependencies into fork state prior to fetching metadata ([#​12057](astral-sh/uv#12057)) - Remove some allocations from `uv-auth` ([#​12077](astral-sh/uv#12077)) ##### Bug fixes - Avoid considering `PATH` updated when the `export` is commented in the shellrc ([#​12043](astral-sh/uv#12043)) - Fix `uv publish` retry on network failures ([#​12041](astral-sh/uv#12041)) - Use a sized stream in `uv publish` to comply with WSGI PyPI server constraints ([#​12111](astral-sh/uv#12111)) - Fix `uv python install --reinstall` when the version was not previously installed ([#​12124](astral-sh/uv#12124)) ##### Preview features - Fix `uv_build` invocation ([#​12058](astral-sh/uv#12058)) ##### Documentation - Quote versions string in `python-versions.md` ([#​12112](astral-sh/uv#12112)) - Fix tool concept page headings ([#​12053](astral-sh/uv#12053)) - Update the `[index].authenticate` docs ([#​12102](astral-sh/uv#12102)) - Update versioning policy ([#​11666](astral-sh/uv#11666)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjIwOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Reject lockfiles where the package version and the wheel versions are incoherent. This implicitly checks that all wheel files have the same version.
It does not check for the source dist version, since a source dist may not contain a version in the filename and attempting to deserialize source dist filenames we may not need is a performance overhead for something that's already slow in
uv run.Fixes #12164
See also #12254