fix(ci): switch Dependabot Python ecosystem from uv to pip #39726

Merged: dpgaspar merged 3 commits into apache:master from preset-io:fix/dependabot-pip-ecosystem on Apr 29, 2026

@dpgaspar
Member

SUMMARY

The uv package ecosystem support in Dependabot is still in beta and has been unreliable — Dependabot alerts for Python dependencies hang indefinitely when attempting to open PRs (e.g. https://github.com/apache/superset/security/dependabot/1150).

This switches the Python dependency section from uv to pip, which natively understands requirements/*.txt files. The uv ecosystem primarily targets projects with a uv.lock file, which this project doesn't use (we use uv pip compile to generate .txt files).

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

  • After merge, verify that Dependabot can successfully create PRs for Python dependency updates
  • Check the Dependabot security tab for any previously stuck Python alerts

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

The uv ecosystem support in Dependabot is still in beta and has been
unreliable for this project's setup (uv pip compile-generated .txt files
without a uv.lock). Switching to the pip ecosystem which natively
understands requirements/*.txt files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
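
A check for the mismatch described in the PR summary (a `uv` Dependabot entry pointing at a directory that has compiled `requirements/*.txt` files but no `uv.lock`), as an added example that is not part of the pull request or the Superset repository. The sample config, the placeholder requirement, the function names and the simplified line-based parsing are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample config for illustration; not the project's actual file.
SAMPLE_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

ENTRY = re.compile(r'^\s*-\s*package-ecosystem:\s*["\']?([\w-]+)["\']?\s*$')
DIRECTORY = re.compile(r'^\s*directory:\s*["\']?([^"\'\s]+)["\']?\s*$')

def parse_updates(config_text):
    """Return (ecosystem, directory) pairs; line-based, stdlib-only parse
    that assumes each entry starts with '- package-ecosystem:'."""
    pairs, current = [], None
    for line in config_text.splitlines():
        if m := ENTRY.match(line):
            current = m.group(1)
        elif current and (m := DIRECTORY.match(line)):
            pairs.append((current, m.group(1)))
            current = None
    return pairs

def find_mismatches(repo_root, config_text):
    """Flag 'uv' entries whose directory holds no uv.lock; suggest 'pip'
    when requirements/*.txt files are present there instead."""
    findings = []
    for ecosystem, directory in parse_updates(config_text):
        target = Path(repo_root) / directory.lstrip("/")
        if ecosystem == "uv" and not (target / "uv.lock").is_file():
            has_txt = any(target.glob("requirements/*.txt"))
            findings.append((directory, "pip" if has_txt else None))
    return findings

def demo():
    # Constructed repo layout: requirements/base.txt present, no uv.lock.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "requirements").mkdir()
        (Path(root) / "requirements" / "base.txt").write_text("example-pkg==1.0.0\n")
        return find_mismatches(root, SAMPLE_CONFIG)
```

`demo()` returns one finding for the `uv` entry at `/` with `pip` as the suggested ecosystem; entries for other ecosystems are not inspected.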
@bito-code-review
Contributor

bito-code-review Bot commented Apr 28, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@dosubot (bot) added the dependencies:python and github_actions labels on Apr 28, 2026
@github-actions (bot) removed the github_actions and dependencies:python labels on Apr 28, 2026

@rusackas (Member) left a comment

LGTM

@dpgaspar merged commit eba08ae into apache:master on Apr 29, 2026
61 checks passed
@dpgaspar deleted the fix/dependabot-pip-ecosystem branch on April 29, 2026 11:30
devin-ai-integration Bot pushed a commit to jeevi/superset that referenced this pull request Apr 29, 2026
)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bito-code-review
Contributor

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it.
