Support updating `uv.lock`

[edgarrmondragon]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

Now that uv has a lockfile, it would be nice if dependabot supported making updates to pyproject.toml and/or uv.lock using uv.

Related:

• Support python uv as pip-compile compatible replacement #10039
• Support uv compiled requirements files #10040
• Python: Support PEP 735 [dependency-groups] in pyproject.toml #10847
• Python: Support inline script metadata (PEP 723) #11946

[dvf]

Hell ye 🙌

[danieltalsky]

We're stuck with Dependabot due to corporate reasons and we'd love Dependabot support for uv.lock files as soon as possible.

[EdmundGoodman]

This has also blocked us, so +1 for prioritising this.

As a stopgap in the meantime, I've hacked together a small GitHub Actions workflow which provides fairly similar functionality to unblock our project whilst we wait. A small demo is available here https://github.com/EdmundGoodman/update-bot if it is helpful to anyone else.

It slightly differs from dependabot in that it makes a PR on a cron schedule if any dependency can be updated rather than whenever a security vulnerability is found, but is good enough for us for now. It differs from other workflows I've seen in this thread, as it PRs rather than just directly committing to main which could break things.