Skip to content

chore(deps): floor ranges + update-lockfile — uv owns version resolution#822

Merged
cailmdaley merged 1 commit into
developfrom
chore/renovate-resolver-owns-versions
Jul 14, 2026
Merged

chore(deps): floor ranges + update-lockfile — uv owns version resolution#822
cailmdaley merged 1 commit into
developfrom
chore/renovate-resolver-owns-versions

Conversation

@cailmdaley

Copy link
Copy Markdown
Contributor

Supersedes the pin strategy from #821 after it failed in practice. The pins existed solely to make minimumReleaseAge enforceable with uv (renovatebot/renovate#41624) — but they moved version selection from uv (a real resolver) to Renovate (per-package lookup, no joint resolution). First real consequence: numba 0.65.1 caps numpy<2.5, Renovate proposed numpy 2.5.0 anyway, and the whole grouped batch failed — fixable only by hand-written allowedVersions caps with no signal for when to remove them. Not sustainable.

This PR returns to Astral's recommended Renovate setup for uv projects:

  • pyproject: floor ranges; exact versions live in uv.lock (reverts the pins from chore(renovate): low-noise config — group weekly, automerge non-major #821).
  • Renovate: org-default rangeStrategy=update-lockfileuv lock resolves jointly, so cross-package conflicts resolve silently (numpy stays 2.4.x until numba supports 2.5, then moves on its own) instead of failing PRs.
  • Kept from chore(renovate): low-noise config — group weekly, automerge non-major #821: one weekly grouped non-major PR, automerge on green CI (full suite in the container), lockFileMaintenance, majors individually.
  • python gets its own PR and never automerges (Renovate classes 3.12→3.14 as 'minor'), so the weekly batch isn't held hostage by a Python upgrade.
  • Dropped: minimumReleaseAge and the numpy cap — the supply-chain delay is unenforceable with uv resolution and was the root of the whole pin cascade.

CLAUDE.md and the pyproject comment updated to the floor-range convention.

— Fable on behalf of Cail.

🤖 Generated with Claude Code

https://claude.ai/code/session_013ggNiT4bp685KyB4RraQBE

Revert exact pins back to floor ranges and shrink renovate.json to the
noise levers only. The pin strategy existed solely to make
minimumReleaseAge enforceable with uv (renovatebot/renovate#41624), but
it moved version selection from uv (a real resolver) to Renovate (per-
package lookup, no joint resolution) — so every cross-package conflict
(numba capping numpy<2.5) failed the whole grouped batch and demanded a
hand-written allowedVersions cap with no removal signal. Unsustainable.

With floors + the org-default rangeStrategy=update-lockfile, uv resolves
jointly: numpy quietly stays at 2.4.x until numba supports 2.5, then
moves — no caps, no red batches, self-healing. The supply-chain delay
goes with it (risk repriced as negligible); automerge is gated by full
CI in the container. python gets its own PR and never automerges.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013ggNiT4bp685KyB4RraQBE
@cailmdaley
cailmdaley merged commit 4a19dfc into develop Jul 14, 2026
3 checks passed
cailmdaley added a commit that referenced this pull request Jul 15, 2026
…se of every artifact failure (#841)

The original Dependabot->Renovate migration config at .github/renovate.json5
was never removed when renovate.json was added at the root (#821/#822).
Renovate (and Mend's cached config-file name) kept reading the old file, so
weeks of edits to renovate.json were silently ignored while the json5's
14-day minimumReleaseAge broke every uv artifact update (renovate#41624).
There was never an org-level Mend config layer — just this forgotten file.

One config file now: renovate.json, carrying the low-noise design plus the
json5 pieces worth keeping (ngmix pin guard, Actions digest pinning, OSV/
vulnerability automerge, majors behind dashboard approval). All age gates
gone — fundamentally incompatible with uv-owned resolution. The '0 days'
override from #831 is dropped as moot.


Claude-Session: https://claude.ai/code/session_01VZvom4Uzdoz5KbJeG8yhde

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant