dependabot-uv 0.300.0 → 0.301.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e306a8d52bca54571baf167605279980eeb625a9dcfbad1128a13de55270936
-  data.tar.gz: 7bd9b6a85cf4e76675eaf401ed285acad0e6e518920e3cd344ae0074fa8a3a2a
+  metadata.gz: f8eea1accc31d49dda91328296fc952b9d49a1e3cfddb443772b1cd794905779
+  data.tar.gz: a6978d2a2679d009129333b785331ee903b19b5ef673bdba89d81a1b8d67473f
 SHA512:
-  metadata.gz: 8a4fb9a0de4405de4e3130e78e917fc41480770e9b2053d7b368bbcfe397d202f12fde5db46edc563047322354abe87ff65a14190560f960b0c93f56e1d7a6fb
-  data.tar.gz: 0f5f35583b805d8a5047bbea2c69db49636759c63f7afc50f0957368d99f5ae874b742ade653f6983e8c5401b34cd0d966b092c14a0ea836993a704fde5f0e63
+  metadata.gz: 5e5c87148fd6d1db52d0a5fe59b6855a2e0fa50396b6613cb01f7d9ef86845b3c191b5b3dd8188f245c1fc230617c44b8f0531bd03fb4f15b695fc60d2674ee5
+  data.tar.gz: 2802f6b46388ca8a30bebfc56cf02594eaff5cf87aed03cf0c79facf0e6f13b62b150426ea2341f636607d2e8f48e899a92724451ffca00d2397c3870ca2c01e

data/lib/dependabot/uv/file_fetcher.rb

@@ -22,19 +22,24 @@ module Dependabot
       CHILD_REQUIREMENT_REGEX = /^-r\s?(?<path>.*\.(?:txt|in))/
       CONSTRAINT_REGEX = /^-c\s?(?<path>.*\.(?:txt|in))/
       DEPENDENCY_TYPES = %w(packages dev-packages).freeze
+      REQUIREMENT_FILE_PATTERNS = {
+        extensions: [".txt", ".in"],
+        filenames: ["uv.lock"]
+      }.freeze
+      MAX_FILE_SIZE = 500_000
 
       def self.required_files_in?(filenames)
-        return true if filenames.any? { |name| name.end_with?(".txt", ".in") }
+        return true if filenames.any? { |name| name.end_with?(*REQUIREMENT_FILE_PATTERNS[:extensions]) }
 
         # If there is a directory of requirements return true
         return true if filenames.include?("requirements")
 
-        # If this repo is using pyproject.toml return true
+        # If this repo is using pyproject.toml return true (uv.lock files require a pyproject.toml)
         filenames.include?("pyproject.toml")
       end
 
       def self.required_files_message
-        "Repo must contain a requirements.txt, requirements.in, or pyproject.toml" \
+        "Repo must contain a requirements.txt, uv.lock, requirements.in, or pyproject.toml" \
       end
 
       def ecosystem_versions
@@ -69,6 +74,7 @@ module Dependabot
         fetched_files += requirements_in_files
         fetched_files += requirement_files if requirements_txt_files.any?
 
+        fetched_files += uv_lock_files
         fetched_files += project_files
         fetched_files << python_version_file if python_version_file
 
@@ -125,6 +131,11 @@ module Dependabot
           child_requirement_in_files
       end
 
+      def uv_lock_files
+        req_txt_and_in_files.select { |f| f.name.end_with?("uv.lock") } +
+          child_uv_lock_files
+      end
+
       def parsed_pyproject
         raise "No pyproject.toml" unless pyproject
 
@@ -137,18 +148,8 @@ module Dependabot
         return @req_txt_and_in_files if @req_txt_and_in_files
 
         @req_txt_and_in_files = []
-
-        repo_contents
-          .select { |f| f.type == "file" }
-          .select { |f| f.name.end_with?(".txt", ".in") }
-          .reject { |f| f.size > 500_000 }
-          .map { |f| fetch_file_from_host(f.name) }
-          .select { |f| requirements_file?(f) }
-          .each { |f| @req_txt_and_in_files << f }
-
-        repo_contents
-          .select { |f| f.type == "dir" }
-          .each { |f| @req_txt_and_in_files += req_files_for_dir(f) }
+        @req_txt_and_in_files += fetch_requirement_files_from_path
+        @req_txt_and_in_files += fetch_requirement_files_from_dirs
 
         @req_txt_and_in_files
       end
@@ -158,12 +159,7 @@ module Dependabot
         relative_reqs_dir =
           requirements_dir.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "")
 
-        repo_contents(dir: relative_reqs_dir)
-          .select { |f| f.type == "file" }
-          .select { |f| f.name.end_with?(".txt", ".in") }
-          .reject { |f| f.size > 500_000 }
-          .map { |f| fetch_file_from_host("#{relative_reqs_dir}/#{f.name}") }
-          .select { |f| requirements_file?(f) }
+        fetch_requirement_files_from_path(relative_reqs_dir)
       end
 
       def child_requirement_txt_files
@@ -174,6 +170,10 @@ module Dependabot
         child_requirement_files.select { |f| f.name.end_with?(".in") }
       end
 
+      def child_uv_lock_files
+        child_requirement_files.select { |f| f.name.end_with?("uv.lock") }
+      end
+
       def child_requirement_files
         @child_requirement_files ||=
           begin
@@ -321,6 +321,36 @@ module Dependabot
       def requirements_in_file_matcher
         @requirements_in_file_matcher ||= RequiremenstFileMatcher.new(requirements_in_files)
       end
+
+      def fetch_requirement_files_from_path(path = nil)
+        contents = path ? repo_contents(dir: path) : repo_contents
+        filter_requirement_files(contents, base_path: path)
+      end
+
+      def fetch_requirement_files_from_dirs
+        repo_contents
+          .select { |f| f.type == "dir" }
+          .flat_map { |dir| req_files_for_dir(dir) }
+      end
+
+      def filter_requirement_files(contents, base_path: nil)
+        contents
+          .select { |f| f.type == "file" }
+          .select { |f| file_matches_requirement_pattern?(f.name) }
+          .reject { |f| f.size > MAX_FILE_SIZE }
+          .map { |f| fetch_file_with_path(f.name, base_path) }
+          .select { |f| REQUIREMENT_FILE_PATTERNS[:filenames].include?(f.name) || requirements_file?(f) }
+      end
+
+      def file_matches_requirement_pattern?(filename)
+        REQUIREMENT_FILE_PATTERNS[:extensions].any? { |ext| filename.end_with?(ext) } ||
+          REQUIREMENT_FILE_PATTERNS[:filenames].any?(filename)
+      end
+
+      def fetch_file_with_path(filename, base_path)
+        path = base_path ? File.join(base_path, filename) : filename
+        fetch_file_from_host(path)
+      end
     end
   end
 end

data/lib/dependabot/uv/file_parser.rb

@@ -14,6 +14,7 @@ require "dependabot/uv/name_normaliser"
 require "dependabot/uv/requirements_file_matcher"
 require "dependabot/uv/language_version_manager"
 require "dependabot/uv/package_manager"
+require "toml-rb"
 
 module Dependabot
   module Uv
@@ -47,6 +48,7 @@ module Dependabot
         dependency_set = DependencySet.new
 
         dependency_set += pyproject_file_dependencies if pyproject
+        dependency_set += uv_lock_file_dependencies
         dependency_set += requirement_dependencies if requirement_files.any?
 
         dependency_set.dependencies
@@ -64,6 +66,12 @@ module Dependabot
         )
       end
 
+      # Normalize dependency names to match the PyPI index normalization
+      sig { params(name: String, extras: T::Array[String]).returns(String) }
+      def self.normalize_dependency_name(name, extras = [])
+        NameNormaliser.normalise_including_extras(name, extras)
+      end
+
       private
 
       sig { returns(LanguageVersionManager) }
@@ -164,6 +172,36 @@ module Dependabot
         dependency_files.select { |f| f.name.end_with?(".txt", ".in") }
       end
 
+      sig { returns(T::Array[DependencyFile]) }
+      def uv_lock_files
+        dependency_files.select { |f| f.name == "uv.lock" }
+      end
+
+      sig { returns(DependencySet) }
+      def uv_lock_file_dependencies
+        dependency_set = DependencySet.new
+
+        uv_lock_files.each do |file|
+          lockfile_content = TomlRB.parse(file.content)
+          packages = lockfile_content.fetch("package", [])
+
+          packages.each do |package_data|
+            next unless package_data.is_a?(Hash) && package_data["name"] && package_data["version"]
+
+            dependency_set << Dependency.new(
+              name: normalised_name(package_data["name"]),
+              version: package_data["version"],
+              requirements: [], # Lock files don't contain requirements
+              package_manager: "uv"
+            )
+          end
+        rescue StandardError => e
+          Dependabot.logger.warn("Error parsing uv.lock: #{e.message}")
+        end
+
+        dependency_set
+      end
+
       sig { returns(DependencySet) }
       def pyproject_file_dependencies
         @pyproject_file_dependencies ||= T.let(PyprojectFilesParser.new(dependency_files:
@@ -341,7 +379,7 @@ module Dependabot
 
       sig { params(name: String, extras: T::Array[String]).returns(String) }
       def normalised_name(name, extras = [])
-        NameNormaliser.normalise_including_extras(name, extras)
+        FileParser.normalize_dependency_name(name, extras)
       end
 
       sig { override.returns(T.untyped) }

data/lib/dependabot/uv/file_updater/lock_file_updater.rb

@@ -0,0 +1,392 @@
+# typed: true
+# frozen_string_literal: true
+
+require "toml-rb"
+require "open3"
+require "dependabot/dependency"
+require "dependabot/shared_helpers"
+require "dependabot/uv/language_version_manager"
+require "dependabot/uv/version"
+require "dependabot/uv/requirement"
+require "dependabot/uv/file_parser/python_requirement_parser"
+require "dependabot/uv/file_updater"
+require "dependabot/uv/native_helpers"
+require "dependabot/uv/name_normaliser"
+
+module Dependabot
+  module Uv
+    class FileUpdater
+      class LockFileUpdater
+        require_relative "pyproject_preparer"
+
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :index_urls
+
+        def initialize(dependencies:, dependency_files:, credentials:, index_urls: nil)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @index_urls = index_urls
+        end
+
+        def updated_dependency_files
+          @updated_dependency_files ||= fetch_updated_dependency_files
+        end
+
+        private
+
+        def dependency
+          # For now, we'll only ever be updating a single dependency
+          dependencies.first
+        end
+
+        def fetch_updated_dependency_files
+          updated_files = []
+
+          if file_changed?(pyproject)
+            updated_files <<
+              updated_file(
+                file: pyproject,
+                content: updated_pyproject_content
+              )
+          end
+
+          if lockfile
+            # Use updated_lockfile_content which might raise if the lockfile doesn't change
+            new_content = updated_lockfile_content
+            raise "Expected lockfile to change!" if lockfile.content == new_content
+
+            updated_files << updated_file(file: lockfile, content: new_content)
+          end
+
+          updated_files
+        end
+
+        def updated_pyproject_content
+          content = pyproject.content
+          return content unless file_changed?(pyproject)
+
+          updated_content = content.dup
+
+          dependency.requirements.zip(dependency.previous_requirements).each do |new_r, old_r|
+            next unless new_r[:file] == pyproject.name && old_r[:file] == pyproject.name
+
+            updated_content = replace_dep(dependency, updated_content, new_r, old_r)
+          end
+
+          raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
+
+          updated_content
+        end
+
+        def replace_dep(dep, content, new_r, old_r)
+          new_req = new_r[:requirement]
+          old_req = old_r[:requirement]
+
+          declaration_regex = declaration_regex(dep, old_r)
+          declaration_match = content.match(declaration_regex)
+          if declaration_match
+            declaration = declaration_match[:declaration]
+            new_declaration = declaration.sub(old_req, new_req)
+            content.sub(declaration, new_declaration)
+          else
+            content
+          end
+        end
+
+        def updated_lockfile_content
+          @updated_lockfile_content ||=
+            begin
+              original_content = lockfile.content
+              # Extract the original requires-python value to preserve it
+              original_requires_python = original_content
+                                         .match(/requires-python\s*=\s*["']([^"']+)["']/)&.captures&.first
+
+              # Use the original Python version requirement for the update if one exists
+              with_original_python_version(original_requires_python) do
+                new_lockfile = updated_lockfile_content_for(prepared_pyproject)
+
+                # Use direct string replacement to preserve the exact format
+                # Match the dependency section and update only the version
+                dependency_section_pattern = /
+                  (\[\[package\]\]\s*\n
+                   .*?name\s*=\s*["']#{Regexp.escape(dependency.name)}["']\s*\n
+                   .*?)
+                  (version\s*=\s*["'][^"']+["'])
+                  (.*?)
+                  (\[\[package\]\]|\z)
+                /xm
+
+                result = original_content.sub(dependency_section_pattern) do
+                  section_start = Regexp.last_match(1)
+                  version_line = "version = \"#{dependency.version}\""
+                  section_end = Regexp.last_match(3)
+                  next_section_or_end = Regexp.last_match(4)
+
+                  "#{section_start}#{version_line}#{section_end}#{next_section_or_end}"
+                end
+
+                # If the content didn't change and we expect it to, something went wrong
+                if result == original_content
+                  Dependabot.logger.warn("Package section not found for #{dependency.name}, falling back to raw update")
+                  result = new_lockfile
+                end
+
+                # Restore the original requires-python if it exists
+                if original_requires_python
+                  result = result.gsub(/requires-python\s*=\s*["'][^"']+["']/,
+                                       "requires-python = \"#{original_requires_python}\"")
+                end
+
+                result
+              end
+            end
+        end
+
+        # Helper method to temporarily override Python version during operations
+        def with_original_python_version(original_requires_python)
+          if original_requires_python
+            original_python_version = @original_python_version
+            @original_python_version = original_requires_python
+            result = yield
+            @original_python_version = original_python_version
+            result
+          else
+            yield
+          end
+        end
+
+        def prepared_pyproject
+          @prepared_pyproject ||=
+            begin
+              content = updated_pyproject_content
+              content = sanitize(content)
+              content = freeze_other_dependencies(content)
+              content = update_python_requirement(content)
+              content
+            end
+        end
+
+        def freeze_other_dependencies(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content, lockfile: lockfile)
+            .freeze_top_level_dependencies_except(dependencies)
+        end
+
+        def update_python_requirement(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content)
+            .update_python_requirement(language_version_manager.python_version)
+        end
+
+        def sanitize(pyproject_content)
+          PyprojectPreparer
+            .new(pyproject_content: pyproject_content)
+            .sanitize
+        end
+
+        def updated_lockfile_content_for(pyproject_content)
+          SharedHelpers.in_a_temporary_directory do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              write_temporary_dependency_files(pyproject_content)
+
+              # Install Python before writing .python-version to make sure we use a version that's available
+              language_version_manager.install_required_python
+
+              # Determine the Python version to use after installation
+              python_version = determine_python_version
+
+              # Now write the .python-version file with a version we know is installed
+              File.write(".python-version", python_version)
+
+              run_update_command
+
+              File.read("uv.lock")
+            end
+          end
+        end
+
+        def run_update_command
+          command = "pyenv exec uv lock --upgrade-package #{dependency.name}"
+          fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name>"
+
+          run_command(command, fingerprint:)
+        end
+
+        def run_command(command, fingerprint: nil)
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        end
+
+        def write_temporary_dependency_files(pyproject_content)
+          dependency_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+
+          # Only write the .python-version file after the language version manager has
+          # installed the required Python version to ensure it's available
+          # Overwrite the pyproject with updated content
+          File.write("pyproject.toml", pyproject_content)
+        end
+
+        def determine_python_version
+          # Check available Python versions through pyenv
+          available_versions = nil
+          begin
+            available_versions = SharedHelpers.run_shell_command("pyenv versions --bare")
+                                              .split("\n")
+                                              .map(&:strip)
+                                              .reject(&:empty?)
+          rescue StandardError => e
+            Dependabot.logger.warn("Error checking available Python versions: #{e}")
+          end
+
+          # Try to find the closest match for our priority order
+          preferred_version = find_preferred_version(available_versions)
+
+          if preferred_version
+            # Just return the major.minor version string
+            preferred_version.match(/^(\d+\.\d+)/)[1]
+          else
+            # If all else fails, use "system" which should work with whatever Python is available
+            "system"
+          end
+        end
+
+        def find_preferred_version(available_versions)
+          return nil unless available_versions&.any?
+
+          # Try each strategy in order of preference
+          try_version_from_file(available_versions) ||
+            try_version_from_requires_python(available_versions) ||
+            try_highest_python3_version(available_versions)
+        end
+
+        def try_version_from_file(available_versions)
+          python_version_file = dependency_files.find { |f| f.name == ".python-version" }
+          return nil unless python_version_file && !python_version_file.content.strip.empty?
+
+          requested_version = python_version_file.content.strip
+          return requested_version if version_available?(available_versions, requested_version)
+
+          Dependabot.logger.info("Python version #{requested_version} from .python-version not available")
+          nil
+        end
+
+        def try_version_from_requires_python(available_versions)
+          return nil unless @original_python_version
+
+          version_match = @original_python_version.match(/(\d+\.\d+)/)
+          return nil unless version_match
+
+          requested_version = version_match[1]
+          return requested_version if version_available?(available_versions, requested_version)
+
+          Dependabot.logger.info("Python version #{requested_version} from requires-python not available")
+          nil
+        end
+
+        def try_highest_python3_version(available_versions)
+          python3_versions = available_versions
+                             .select { |v| v.match(/^3\.\d+/) }
+                             .sort_by { |v| Gem::Version.new(v.match(/^(\d+\.\d+)/)[1]) }
+                             .reverse
+
+          python3_versions.first # returns nil if array is empty
+        end
+
+        def version_available?(available_versions, requested_version)
+          # Check if the exact version or a version with the same major.minor is available
+          available_versions.any? do |v|
+            v == requested_version || v.start_with?("#{requested_version}.")
+          end
+        end
+
+        def sanitize_env_name(url)
+          url.gsub(%r{^https?://}, "").gsub(/[^a-zA-Z0-9]/, "_").upcase
+        end
+
+        def declaration_regex(dep, old_req)
+          escaped_name = Regexp.escape(dep.name)
+          # Extract the requirement operator and version
+          operator = old_req.fetch(:requirement).match(/^(.+?)[0-9]/)&.captures&.first
+          # Escape special regex characters in the operator
+          escaped_operator = Regexp.escape(operator) if operator
+
+          # Match various formats of dependency declarations:
+          # 1. "dependency==1.0.0" (with quotes around the entire string)
+          # 2. dependency==1.0.0 (without quotes)
+          # The declaration should only include the package name, operator, and version
+          # without the enclosing quotes
+          /
+            ["']?(?<declaration>#{escaped_name}\s*#{escaped_operator}[\d\.\*]+)["']?
+          /x
+        end
+
+        def escape(name)
+          Regexp.escape(name).gsub("\\-", "[-_.]")
+        end
+
+        def file_changed?(file)
+          return false unless file
+
+          dependencies.any? do |dep|
+            dep.requirements.any? { |r| r[:file] == file.name } &&
+              requirement_changed?(file, dep)
+          end
+        end
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+
+        def updated_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+
+        def normalise(name)
+          NameNormaliser.normalise(name)
+        end
+
+        def python_requirement_parser
+          @python_requirement_parser ||=
+            FileParser::PythonRequirementParser.new(
+              dependency_files: dependency_files
+            )
+        end
+
+        def language_version_manager
+          @language_version_manager ||=
+            LanguageVersionManager.new(
+              python_requirement_parser: python_requirement_parser
+            )
+        end
+
+        def pyproject
+          @pyproject ||=
+            dependency_files.find { |f| f.name == "pyproject.toml" }
+        end
+
+        def lockfile
+          @lockfile ||= uv_lock
+        end
+
+        def python_helper_path
+          NativeHelpers.python_helper_path
+        end
+
+        def uv_lock
+          dependency_files.find { |f| f.name == "uv.lock" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/uv/file_updater/pyproject_preparer.rb

@@ -19,104 +19,124 @@ module Dependabot
           @lockfile = lockfile
         end
 
-        # For hosted Dependabot token will be nil since the credentials aren't present.
-        # This is for those running Dependabot themselves and for dry-run.
-        def add_auth_env_vars(credentials)
-          TomlRB.parse(@pyproject_content).dig("tool", "poetry", "source")&.each do |source|
-            cred = credentials&.find { |c| c["index-url"] == source["url"] }
-            next unless cred
-
-            token = cred.fetch("token", nil)
-            next unless token && token.count(":") == 1
-
-            arr = token.split(":")
-            # https://python-poetry.org/docs/configuration/#using-environment-variables
-            name = source["name"]&.upcase&.gsub(/\W/, "_")
-            ENV["POETRY_HTTP_BASIC_#{name}_USERNAME"] = arr[0]
-            ENV["POETRY_HTTP_BASIC_#{name}_PASSWORD"] = arr[1]
+        def freeze_top_level_dependencies_except(dependencies_to_update)
+          return @pyproject_content unless lockfile
+
+          pyproject_object = TomlRB.parse(@pyproject_content)
+          deps_to_update_names = dependencies_to_update.map(&:name)
+
+          if pyproject_object["project"]&.key?("dependencies")
+            locked_deps = parsed_lockfile_dependencies || {}
+
+            pyproject_object["project"]["dependencies"] =
+              pyproject_object["project"]["dependencies"].map do |dep_string|
+                freeze_dependency(dep_string, deps_to_update_names, locked_deps)
+              end
           end
+
+          TomlRB.dump(pyproject_object)
         end
 
-        def update_python_requirement(requirement)
+        def update_python_requirement(python_version)
+          return @pyproject_content unless python_version
+
           pyproject_object = TomlRB.parse(@pyproject_content)
-          if (python_specification = pyproject_object.dig("tool", "poetry", "dependencies", "python"))
-            python_req = Uv::Requirement.new(python_specification)
-            unless python_req.satisfied_by?(requirement)
-              pyproject_object["tool"]["poetry"]["dependencies"]["python"] = "~#{requirement}"
-            end
+
+          if pyproject_object["project"]&.key?("requires-python")
+            pyproject_object["project"]["requires-python"] = ">=#{python_version}"
           end
+
           TomlRB.dump(pyproject_object)
         end
 
-        def sanitize
-          # {{ name }} syntax not allowed
-          pyproject_content
-            .gsub(/\{\{.*?\}\}/, "something")
-            .gsub('#{', "{")
-        end
+        def add_auth_env_vars(credentials)
+          return unless credentials
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/AbcSize
-        def freeze_top_level_dependencies_except(dependencies)
-          return pyproject_content unless lockfile
-
-          pyproject_object = TomlRB.parse(pyproject_content)
-          poetry_object = pyproject_object["tool"]["poetry"]
-          excluded_names = dependencies.map(&:name) + ["python"]
-
-          Dependabot::Uv::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
-            next unless poetry_object[key]
-
-            source_types = %w(directory file url)
-            poetry_object.fetch(key).each do |dep_name, _|
-              next if excluded_names.include?(normalise(dep_name))
-
-              locked_details = locked_details(dep_name)
-
-              next unless (locked_version = locked_details&.fetch("version"))
-
-              next if source_types.include?(locked_details&.dig("source", "type"))
-
-              if locked_details&.dig("source", "type") == "git"
-                poetry_object[key][dep_name] = {
-                  "git" => locked_details&.dig("source", "url"),
-                  "rev" => locked_details&.dig("source", "reference")
-                }
-                subdirectory = locked_details&.dig("source", "subdirectory")
-                poetry_object[key][dep_name]["subdirectory"] = subdirectory if subdirectory
-              elsif poetry_object[key][dep_name].is_a?(Hash)
-                poetry_object[key][dep_name]["version"] = locked_version
-              elsif poetry_object[key][dep_name].is_a?(Array)
-                # if it has multiple-constraints, locking to a single version is
-                # going to result in a bad lockfile, ignore
-                next
-              else
-                poetry_object[key][dep_name] = locked_version
-              end
-            end
+          credentials.each do |credential|
+            next unless credential["type"] == "python_index"
+
+            token = credential["token"]
+            index_url = credential["index-url"]
+
+            next unless token && index_url
+
+            # Set environment variables for uv auth
+            ENV["UV_INDEX_URL_TOKEN_#{sanitize_env_name(index_url)}"] = token
+
+            # Also set pip-style credentials for compatibility
+            ENV["PIP_INDEX_URL"] ||= "https://#{token}@#{index_url.gsub(%r{^https?://}, '')}"
           end
+        end
 
-          TomlRB.dump(pyproject_object)
+        def sanitize
+          # No special sanitization needed for UV files at this point
+          @pyproject_content
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 
-        attr_reader :pyproject_content
         attr_reader :lockfile
 
-        def locked_details(dep_name)
-          parsed_lockfile.fetch("package")
-                         .find { |d| d["name"] == normalise(dep_name) }
+        def parsed_lockfile
+          @parsed_lockfile ||= lockfile ? parse_lockfile(lockfile.content) : {}
         end
 
-        def normalise(name)
-          NameNormaliser.normalise(name)
+        def parse_lockfile(content)
+          TomlRB.parse(content)
+        rescue TomlRB::ParseError
+          {} # Return empty hash if parsing fails
         end
 
-        def parsed_lockfile
-          @parsed_lockfile ||= TomlRB.parse(lockfile.content)
+        def parsed_lockfile_dependencies
+          return {} unless lockfile
+
+          deps = {}
+          parsed = parsed_lockfile
+
+          # Handle UV lock format (version 1)
+          if parsed["version"] == 1 && parsed["package"].is_a?(Array)
+            parsed["package"].each do |pkg|
+              next unless pkg["name"] && pkg["version"]
+
+              deps[pkg["name"]] = { "version" => pkg["version"] }
+            end
+          # Handle traditional Poetry-style lock format
+          elsif parsed["dependencies"]
+            deps = parsed["dependencies"]
+          end
+
+          deps
+        end
+
+        def locked_version_for_dep(locked_deps, dep_name)
+          locked_deps.each do |name, details|
+            next unless Uv::FileParser.normalize_dependency_name(name) == dep_name
+            return details["version"] if details.is_a?(Hash) && details["version"]
+          end
+          nil
+        end
+
+        def sanitize_env_name(url)
+          url.gsub(%r{^https?://}, "").gsub(/[^a-zA-Z0-9]/, "_").upcase
+        end
+
+        def freeze_dependency(dep_string, deps_to_update_names, locked_deps)
+          package_name = dep_string.split(/[=>~<\[]/).first.strip
+          normalized_name = Uv::FileParser.normalize_dependency_name(package_name)
+
+          return dep_string if deps_to_update_names.include?(normalized_name)
+
+          version = locked_version_for_dep(locked_deps, normalized_name)
+          return dep_string unless version
+
+          if dep_string.include?("=") || dep_string.include?(">") ||
+             dep_string.include?("<") || dep_string.include?("~")
+            # Replace version constraint with exact version
+            dep_string.sub(/[=>~<\[].*$/, "==#{version}")
+          else
+            # Simple dependency, just append version
+            "#{dep_string}==#{version}"
+          end
         end
       end
     end

data/lib/dependabot/uv/file_updater.rb

@@ -13,6 +13,7 @@ module Dependabot
       extend T::Sig
 
       require_relative "file_updater/compile_file_updater"
+      require_relative "file_updater/lock_file_updater"
       require_relative "file_updater/requirement_file_updater"
 
       sig { override.returns(T::Array[Regexp]) }
@@ -20,13 +21,15 @@ module Dependabot
         [
           /^.*\.txt$/,               # Match any .txt files (e.g., requirements.txt) at any level
           /^.*\.in$/,                # Match any .in files at any level
-          /^.*pyproject\.toml$/      # Match pyproject.toml at any level
+          /^.*pyproject\.toml$/,     # Match pyproject.toml at any level
+          /^.*uv\.lock$/             # Match uv.lock at any level
         ]
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
         updated_files = updated_pip_compile_based_files
+        updated_files += updated_uv_lock_files
 
         if updated_files.none? ||
            updated_files.sort_by(&:name) == dependency_files.sort_by(&:name)
@@ -65,6 +68,16 @@ module Dependabot
         ).updated_dependency_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
+      def updated_uv_lock_files
+        LockFileUpdater.new(
+          dependencies: dependencies,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          index_urls: pip_compile_index_urls
+        ).updated_dependency_files
+      end
+
       sig { returns(T::Array[String]) }
       def pip_compile_index_urls
         if credentials.any?(&:replaces_base?)

data/lib/dependabot/uv/update_checker/lock_file_resolver.rb

@@ -0,0 +1,48 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/uv/version"
+require "dependabot/uv/requirement"
+require "dependabot/uv/update_checker"
+
+module Dependabot
+  module Uv
+    class UpdateChecker
+      class LockFileResolver
+        def initialize(dependency:, dependency_files:, credentials:, repo_contents_path: nil)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @repo_contents_path = repo_contents_path
+        end
+
+        def latest_resolvable_version(requirement:)
+          return nil unless requirement
+
+          req = Uv::Requirement.new(requirement)
+
+          # Get the version from the dependency if available
+          version_from_dependency = dependency.version && Uv::Version.new(dependency.version)
+          return version_from_dependency if version_from_dependency && req.satisfied_by?(version_from_dependency)
+
+          nil
+        end
+
+        def resolvable?(*)
+          true
+        end
+
+        def lowest_resolvable_security_fix_version
+          nil
+        end
+
+        private
+
+        attr_reader :dependency
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :repo_contents_path
+      end
+    end
+  end
+end

data/lib/dependabot/uv/update_checker.rb

@@ -21,6 +21,7 @@ module Dependabot
       require_relative "update_checker/pip_version_resolver"
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/latest_version_finder"
+      require_relative "update_checker/lock_file_resolver"
 
       MAIN_PYPI_INDEXES = %w(
         https://pypi.python.org/simple/
@@ -118,6 +119,7 @@ module Dependabot
         case resolver_type
         when :pip_compile then pip_compile_version_resolver
         when :requirements then pip_version_resolver
+        when :lock_file then lock_file_resolver
         else raise "Unexpected resolver type #{resolver_type}"
         end
       end
@@ -134,6 +136,7 @@ module Dependabot
         # which resolver to use based on the filename of its requirements
         return :requirements if updating_pyproject?
         return :pip_compile if updating_in_file?
+        return :lock_file if updating_uv_lock?
 
         if dependency.version && !exact_requirement?(reqs)
           subdependency_resolver
@@ -171,6 +174,10 @@ module Dependabot
         )
       end
 
+      def lock_file_resolver
+        @lock_file_resolver ||= LockFileResolver.new(**resolver_args)
+      end
+
       def resolver_args
         {
           dependency: dependency,
@@ -187,7 +194,7 @@ module Dependabot
         requirement = reqs.find do |r|
           file = r[:file]
 
-          file == "Pipfile" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
+          file == "uv.lock" || file == "pyproject.toml" || file.end_with?(".in") || file.end_with?(".txt")
         end
 
         requirement&.fetch(:requirement)
@@ -267,6 +274,10 @@ module Dependabot
         requirement_files.any? { |f| f.end_with?(".in") }
       end
 
+      def updating_uv_lock?
+        requirement_files.any?("uv.lock")
+      end
+
       def requirements_text_file?
         requirement_files.any? { |f| f.end_with?("requirements.txt") }
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-uv
 version: !ruby/object:Gem::Version
-  version: 0.300.0
+  version: 0.301.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-06 00:00:00.000000000 Z
+date: 2025-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.300.0
+        version: 0.301.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.300.0
+        version: 0.301.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -257,6 +257,7 @@ files:
 - lib/dependabot/uv/file_parser/setup_file_parser.rb
 - lib/dependabot/uv/file_updater.rb
 - lib/dependabot/uv/file_updater/compile_file_updater.rb
+- lib/dependabot/uv/file_updater/lock_file_updater.rb
 - lib/dependabot/uv/file_updater/pyproject_preparer.rb
 - lib/dependabot/uv/file_updater/requirement_file_updater.rb
 - lib/dependabot/uv/file_updater/requirement_replacer.rb
@@ -273,6 +274,7 @@ files:
 - lib/dependabot/uv/update_checker.rb
 - lib/dependabot/uv/update_checker/index_finder.rb
 - lib/dependabot/uv/update_checker/latest_version_finder.rb
+- lib/dependabot/uv/update_checker/lock_file_resolver.rb
 - lib/dependabot/uv/update_checker/pip_compile_version_resolver.rb
 - lib/dependabot/uv/update_checker/pip_version_resolver.rb
 - lib/dependabot/uv/update_checker/requirements_updater.rb
@@ -282,7 +284,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.300.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.301.0
 post_install_message:
 rdoc_options: []
 require_paths: