Merge pull request #13690 from dependabot/fix-uv-ignore-conditions-version

markhallen · web-flow · commit 0186f3c53ad0 · 2025-12-02T16:54:18.000+01:00
fix(uv): pass target version to uv lock command to respect ignore conditions
diff --git a/uv/lib/dependabot/uv/file_updater/lock_file_updater.rb b/uv/lib/dependabot/uv/file_updater/lock_file_updater.rb
@@ -285,7 +285,13 @@ def run_update_command
           options_fingerprint = lock_options_fingerprint(options)
 
           # Use pyenv exec to ensure we're using the correct Python environment
-          command = "pyenv exec uv lock --upgrade-package #{T.must(dependency).name} #{options}"
+          # Include the target version to respect ignore conditions and avoid upgrading
+          # to the absolute latest version (which may be blocked by ignore rules)
+          dep_name = T.must(dependency).name
+          dep_version = T.must(dependency).version
+          package_spec = dep_version ? "#{dep_name}==#{dep_version}" : dep_name
+
+          command = "pyenv exec uv lock --upgrade-package #{package_spec} #{options}"
           fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> #{options_fingerprint}"
 
           run_command(command, fingerprint:)
diff --git a/uv/spec/dependabot/uv/file_updater/lock_file_updater_spec.rb b/uv/spec/dependabot/uv/file_updater/lock_file_updater_spec.rb
@@ -382,7 +382,7 @@
     end
 
     it "includes the expected options in the command and fingerprint" do
-      expected_command = "pyenv exec uv lock --upgrade-package requests " \
+      expected_command = "pyenv exec uv lock --upgrade-package requests==2.23.0 " \
                          "--index https://token@example.com/simple " \
                          "--default-index https://another_token@another.com/simple"
       expected_fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> " \
@@ -396,6 +396,45 @@
         fingerprint: expected_fingerprint
       )
     end
+
+    context "when dependency version is nil" do
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "requests",
+          version: nil,
+          requirements: [{
+            file: "pyproject.toml",
+            requirement: ">=2.31.0",
+            groups: [],
+            source: nil
+          }],
+          previous_requirements: [{
+            file: "pyproject.toml",
+            requirement: ">=2.31.0",
+            groups: [],
+            source: nil
+          }],
+          previous_version: nil,
+          package_manager: "uv"
+        )
+      end
+
+      it "uses only the package name without version constraint" do
+        expected_command = "pyenv exec uv lock --upgrade-package requests " \
+                           "--index https://token@example.com/simple " \
+                           "--default-index https://another_token@another.com/simple"
+        expected_fingerprint = "pyenv exec uv lock --upgrade-package <dependency_name> " \
+                               "--index <index> " \
+                               "--default-index <default_index>"
+
+        run_update_command
+
+        expect(updater).to have_received(:run_command).with(
+          expected_command,
+          fingerprint: expected_fingerprint
+        )
+      end
+    end
   end
 
   describe "#replace_dep" do
