Adding UV package manager support for Python projects #4980
pombredanne
left a comment
@GuillemSeCa Thank you++. This looks good overall. Do you mind adding a DCO signoff to your commit?
NB: this is timely as @AyanSinhaMahapatra is playing to switch to uv for ScanCode itself...
@AyanSinhaMahapatra do you mind checking the pinning issue on the doc CI action? And merge at your convenience.
Add support for parsing Python projects managed with the UV package manager (https://docs.astral.sh/uv/).
Two new package data handlers are added in packagedcode.pypi:
- UvPyprojectTomlHandler parses pyproject.toml files containing a [tool.uv] table. It collects the standard PEP 621 [project] metadata, optional-dependencies, and PEP 735 [dependency-groups] (with include-group references skipped as forward references).
- UvLockHandler parses uv.lock files. Each [[package]] entry becomes a pinned, virtual resolved package; the editable root project entry is skipped since it is parsed independently from pyproject.toml. SHA-256 hashes and the exact sdist URL recorded in the lock file are preserved, and PyPI URLs are populated via get_pypi_urls.
A shared BaseUvPythonLayout assembles the package by walking from either pyproject.toml or uv.lock to its sibling, mirroring the existing Poetry layout. PyprojectTomlHandler is updated to skip pyproject.toml files that belong to a UV project so that the dedicated handler runs.
Test fixtures are derived from python-attrs/attrs 26.1.0 (https://github.com/python-attrs/attrs, MIT-licensed) and trimmed to the relevant parts for parser and end-to-end package-assembly coverage.
Refs: aboutcode-org#4501
Signed-off-by: Guillem Serra Cazorla <gserracazorla@gmail.com>
19a432a to c27f6ee
I have added the signoff @pombredanne!
pombredanne
left a comment
All good for me on the code. We still need some minimal doc for the thirdparty inclusion.
For https://github.com/aboutcode-org/scancode-toolkit/pull/4980/changes#diff-68efae3999818a948ae49f2a73f0f6e7b6c02f1e2d4c9f1438b80d547f6de9f5R408 We do not want to be the proverbial cobbler's son going barefoot!
Ignore my previous comment at #4980 (comment). I thought incorrectly you had copied Python code from attrs.
pombredanne
left a comment
All good for me. @AyanSinhaMahapatra all yours.
AyanSinhaMahapatra
left a comment
@GuillemSeCa thanks++ for the PR.
I have some minor comments for your consideration, looks great otherwise.
We also had another PR at #4616 adding UV support, but this needed a lot more changes before it could be merged, so your PR is good to be merged soon.
| sdist = package.get('sdist') | ||
| if isinstance(sdist, dict): | ||
| download_url = sdist.get('url') | ||
| hash_value = sdist.get('hash') or '' |
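Review bot: in `hash_value = sdist.get('hash') or ''` and `download_url = sdist.get('url')`, the values read from the lock file are used without a type check, unlike `sdist` itself, which is guarded with `isinstance(sdist, dict)`. A malformed uv.lock could carry a non-string `url` or `hash`, so consider guarding both with `isinstance(..., str)` before using them.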
For a python package, when we create a package_url, we have to also specify the filename, see https://github.com/package-url/purl-spec/blob/main/types-doc/pypi-definition.md#examples so this file_name should be added to the qualifier for the resolved_package.
Another thing I'm also wondering is whether we should also use the .whl for storing the download_url and checksum fields, we could:
- have two package_data, one for the .whl, one for the sdist tarball
- have the wheel only when there is a single wheel, sdist otherwise in case of multiple wheels (different os/python/abi)
- just have the sdist info like you have here
@pombredanne what do you think?
||
| class BaseUvPythonLayout(BaseExtractedPythonLayout): | ||
| """ | ||
| Base class for UV-managed Python projects (``pyproject.toml`` paired with |
Can we have this docstring without the brackets?
Something like:
Base class for UV-managed Python projects, which has a ``pyproject.toml`` paired with
a ``uv.lock`` lockfile.
| @@ -0,0 +1,57 @@ | |||
| # Trimmed copy of the pyproject.toml from | |||
| # https://github.com/python-attrs/attrs (release 26.1.0) for testing | |||
We can just include the full link: https://github.com/python-attrs/attrs/blob/26.1.0/pyproject.toml for files that we copy over for testing.
||
| class TestUvHandler(PackageTester): | ||
| # Test fixtures derived from python-attrs/attrs (release 26.1.0): | ||
| # https://github.com/python-attrs/attrs (MIT-licensed). |
I would actually prefer having this information either:
- in the test file itself as a comment (you have this already)
- as an .ABOUT file on the side
We could have non-attrs tests later so this is not important to mention here, we can remove this
Add support for parsing Python projects managed with the UV package manager (https://docs.astral.sh/uv/). Two new package data handlers are added in packagedcode.pypi:
A shared BaseUvPythonLayout assembles the package by walking from either pyproject.toml or uv.lock to its sibling, mirroring the existing Poetry layout. PyprojectTomlHandler is updated to skip pyproject.toml files that belong to a UV project so that the dedicated handler runs.
Test fixtures are derived from python-attrs/attrs 26.1.0 (https://github.com/python-attrs/attrs, MIT-licensed) and trimmed to the relevant parts for parser and end-to-end package-assembly coverage.
Refs: #4501
Tasks
Run tests locally to check for errors.
Signed-off-by: Guillem Serra Cazorla <gserracazorla@gmail.com>
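The uv.lock handling described in the commit message (skip the editable root, keep the sdist URL and SHA-256), combined with the file_name purl qualifier raised in review, as an added example that is not the PR's code. `resolved_packages` and the sample lock file are hypothetical, and it follows the sdist-only option from the review discussion.

```python
try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # same API, for older interpreters
from posixpath import basename
from urllib.parse import quote, urlsplit

# Constructed sample lock file: hosts and hashes are placeholders.
SAMPLE_LOCK = '''
version = 1
[[package]]
name = "attrs"
version = "26.1.0"
source = { editable = "." }

[[package]]
name = "Example_Dep"
version = "1.2.3"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.example.invalid/example_dep-1.2.3.tar.gz", hash = "sha256:HEX" }

[[package]]
name = "wheelonly"
version = "0.1.0"
wheels = [{ url = "https://files.example.invalid/wheelonly-0.1.0-py3-none-any.whl", hash = "sha256:HEX" }]
'''.replace("HEX", "ab" * 32)

def resolved_packages(lock_text):
    """Return purl, sdist URL and SHA-256 for each pinned [[package]] entry."""
    results = []
    for pkg in tomllib.loads(lock_text).get("package", []):
        source = pkg.get("source")
        if isinstance(source, dict) and "editable" in source:
            continue  # root project, described by pyproject.toml instead
        url = sha256 = None
        sdist = pkg.get("sdist")
        if isinstance(sdist, dict):
            raw_url, raw_hash = sdist.get("url"), sdist.get("hash")
            url = raw_url if isinstance(raw_url, str) else None
            # uv.lock writes hashes as "<algorithm>:<hex>"; keep SHA-256 only
            if isinstance(raw_hash, str) and raw_hash.startswith("sha256:"):
                sha256 = raw_hash[len("sha256:"):]
        # purl pypi names are lowercased with "_" replaced by "-"
        name = pkg["name"].lower().replace("_", "-")
        purl = f"pkg:pypi/{name}@{pkg['version']}"
        if url:  # file_name qualifier identifies the exact distribution file
            purl += "?file_name=" + quote(basename(urlsplit(url).path), safe="")
        results.append({"purl": purl, "download_url": url, "sha256": sha256})
    return results
```

The wheel-only entry comes back with no download URL or checksum, which is the gap the review's wheel-versus-sdist question is about.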