Skip to content

fix: pin all dependencies in the pyproject.toml file#2856

Draft
scottschreckengaust wants to merge 2 commits intoawslabs:mainfrom
scottschreckengaust:main
Draft

fix: pin all dependencies in the pyproject.toml file#2856
scottschreckengaust wants to merge 2 commits intoawslabs:mainfrom
scottschreckengaust:main

Conversation

@scottschreckengaust
Copy link
Copy Markdown
Member

@scottschreckengaust scottschreckengaust commented Apr 3, 2026
edited
Loading

Fixes

Summary

uvx's emphemoral virtual environment doesn't read the uv.lock that is distributed to PyPi. This updates the pyproject.toml dynamically to pinned versions from the uv.lock.

Changes

Please provide a summary of what's being changed

Run the script prior to distributing releases.

User experience

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Is this a breaking change? (Y/N)

RFC issue number:

Checklist:

  • Migration process documented
  • Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

scottschreckengaust and others added 2 commits April 2, 2026 17:18
@scottschreckengaust @claude
feat: pin dependencies from uv.lock during PyPI release (#74)
adc327b 
* feat: pin dependencies from uv.lock before PyPI build

When packages are published to PyPI, loose dependency specifiers (>=)
allow transitive dependency versions to drift from the tested lockfile
resolution. This causes issues when tools like `uvx` resolve fresh
against PyPI and install different (potentially breaking) versions.

Add a `pin-dependencies` command to release.py that reads uv.lock and
rewrites pyproject.toml dependencies to exact (==) version pins before
building the wheel. The pinning happens only during the CI build step,
so the git repo keeps loose deps for development flexibility while
published packages install the exact tested versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: pin ALL dependencies (direct + transitive) from uv.lock

Update pin-dependencies to add all 125+ transitive dependencies from
uv.lock as direct deps in pyproject.toml with == pins, not just the
9 original direct deps. This ensures every package in the resolved
dependency tree is pinned to the exact tested version.

For tool packages running in isolated uvx environments, this
eliminates all version drift — both direct and transitive.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@scottschreckengaust
Merge branch 'awslabs:main' into main
90ad6d8
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 3, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.37%. Comparing base (f0c2999) to head (90ad6d8).
⚠️ Report is 31 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2856      +/-   ##
==========================================
- Coverage   91.38%   91.37%   -0.01%     
==========================================
  Files        1014     1014              
  Lines       74946    74946              
  Branches    12044    12044              
==========================================
- Hits        68486    68483       -3     
  Misses       3990     3990              
- Partials     2470     2473       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@scottschreckengaust scottschreckengaust marked this pull request as ready for review April 3, 2026 00:43
@scottschreckengaust scottschreckengaust requested a review from a team as a code owner April 3, 2026 00:43
@scottschreckengaust scottschreckengaust marked this pull request as draft April 3, 2026 00:45
@scottschreckengaust scottschreckengaust mentioned this pull request Apr 3, 2026
Open
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 18, 2026

This pull request is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label.

@github-actions github-actions Bot added stale These are items that have been around for a long time without progress and removed stale These are items that have been around for a long time without progress labels Apr 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

awslabs/mcp Project
Status: To triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@scottschreckengaust