chore(deps): floor ranges + update-lockfile — uv owns version resolution#822
Merged
Merged
Conversation
Revert exact pins back to floor ranges and shrink renovate.json to the noise levers only. The pin strategy existed solely to make minimumReleaseAge enforceable with uv (renovatebot/renovate#41624), but it moved version selection from uv (a real resolver) to Renovate (per- package lookup, no joint resolution) — so every cross-package conflict (numba capping numpy<2.5) failed the whole grouped batch and demanded a hand-written allowedVersions cap with no removal signal. Unsustainable. With floors + the org-default rangeStrategy=update-lockfile, uv resolves jointly: numpy quietly stays at 2.4.x until numba supports 2.5, then moves — no caps, no red batches, self-healing. The supply-chain delay goes with it (risk repriced as negligible); automerge is gated by full CI in the container. python gets its own PR and never automerges. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013ggNiT4bp685KyB4RraQBE
cailmdaley
added a commit
that referenced
this pull request
Jul 15, 2026
…se of every artifact failure (#841) The original Dependabot->Renovate migration config at .github/renovate.json5 was never removed when renovate.json was added at the root (#821/#822). Renovate (and Mend's cached config-file name) kept reading the old file, so weeks of edits to renovate.json were silently ignored while the json5's 14-day minimumReleaseAge broke every uv artifact update (renovate#41624). There was never an org-level Mend config layer — just this forgotten file. One config file now: renovate.json, carrying the low-noise design plus the json5 pieces worth keeping (ngmix pin guard, Actions digest pinning, OSV/ vulnerability automerge, majors behind dashboard approval). All age gates gone — fundamentally incompatible with uv-owned resolution. The '0 days' override from #831 is dropped as moot. Claude-Session: https://claude.ai/code/session_01VZvom4Uzdoz5KbJeG8yhde Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Supersedes the pin strategy from #821 after it failed in practice. The pins existed solely to make
minimumReleaseAgeenforceable with uv (renovatebot/renovate#41624) — but they moved version selection from uv (a real resolver) to Renovate (per-package lookup, no joint resolution). First real consequence: numba 0.65.1 caps numpy<2.5, Renovate proposed numpy 2.5.0 anyway, and the whole grouped batch failed — fixable only by hand-writtenallowedVersionscaps with no signal for when to remove them. Not sustainable.This PR returns to Astral's recommended Renovate setup for uv projects:
uv.lock(reverts the pins from chore(renovate): low-noise config — group weekly, automerge non-major #821).rangeStrategy=update-lockfile—uv lockresolves jointly, so cross-package conflicts resolve silently (numpy stays 2.4.x until numba supports 2.5, then moves on its own) instead of failing PRs.lockFileMaintenance, majors individually.minimumReleaseAgeand the numpy cap — the supply-chain delay is unenforceable with uv resolution and was the root of the whole pin cascade.CLAUDE.md and the pyproject comment updated to the floor-range convention.
— Fable on behalf of Cail.
🤖 Generated with Claude Code
https://claude.ai/code/session_013ggNiT4bp685KyB4RraQBE