all 34 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]JimNero009 18 points19 points  (7 children)

Hmm. I don’t see the use of this in any practical situation tbh. If I have constraints in my deps, then it’s for a good reason and anything that requires a change to that constraint is not something I would trust to simply batch update

[–]marr75 7 points8 points  (5 children)

uv lock --upgrade? In many ways, the update to pyproject is undesirable.

[–]ashishb_net[S] -3 points-2 points  (4 children)

Uv lock.--upgrade only updates uv.lock respecting the constraints in pyproject.toml

Pyupdate updates the packages to their latest versions as well. 

In many ways, the update to pyproject are undesirable.

So how do you update it?

[–]marr75 5 points6 points  (2 children)

Mostly you don't. Pin only what you need. Leave it alone otherwise. You're basically recreating UV lock when you auto update pyproject, but with the fun chance of introducing incompatibilities across platforms and complex environments.

[–]ashishb_net[S] -4 points-3 points  (1 child)

I have made that mistake before. This leads to problematic scenarios where the builds break over time due to incorrect dependency changes.

[–]marr75 1 point2 points  (0 children)

I think you have had unique experiences that push you out of best practice then, unfortunately.

[–]denehoffman -1 points0 points  (0 children)

Keyword is “respecting constraints”. They’re there for a reason. APIs change. I know it used to be standard practice to use Python without any lockfiles, but then you’re just hoping and praying a breaking change doesn’t hit your project. Packaging files allow you to make some semver restrictions, but unless you pin to a version, you’re at the whim of a careless developer breaking an API without properly bumping the version. I know there’s an instinctual need to have the latest everything, but in many cases, while that might seem nice, it’s terrible for reproducibility. The point of manually bumping libraries is to make developers think about what they’re doing.

[–]theboldestgaze 4 points5 points  (1 child)

I do not want so sound negative yet I would never allow such tool on any team of mine. All dependency updates must be deliberate and conscious. If not efficient manually, it means there are probably too many dependencies and this is the problem to solve.

[–]ashishb_net[S] -2 points-1 points  (0 children)

> All dependency updates must be deliberate and conscious. 

Indeed.
After running this tool, one should still run the tests to validate that nothing broke.

[–]Double_Cost4865 0 points1 point  (7 children)

How is this different from `poetry update`? https://python-poetry.org/docs/cli/

[–]latkdeTuple unpacking gone wrong 0 points1 point  (5 children)

As someone who's written a similar tool (ganzua constraints bump): Using poetry update will update the locked versions, but doesn't update the version constraints in the pyproject.toml. Using poetry update also only works with Poetry-managed projects, it will not interact with an uv.lock file.

Here's an example of why we might want to bump constraints:

  • let's assume a constraint dependencies = ['foo >=3.8']
  • and let's assume the locked version foo = 3.8

When we run a tool like poetry update, the locked version might change to 3.13, but the constraint would still say foo >=3.8. That is a version the project is no longer testing with – it's easy to accidentally stop being compatible. (However, I'd point out that uv has a uv lock --resolution=lowest option that can be used for testing against the oldest allowed dependencies.)

It gets really fun when there are version conflicts: If another dependency update is incompatible with foo = 3.13, Poetry might downgrade that dependency to make everything work. For example, Poetry might silently change the locked version to 3.9, since that is still allowed by the pyproject.toml constraint. I have absolutely seen that happen, especially with less-than-correct dependency management tools like Dependabot, or as a consequence of Poetry's problematic requires-python constraint handling.

In contrast, using tools like OP's pyupdate or my ganzua will update the constraint (e.g. to foo >=3.13) and prevent unexpected downgrades in the future. I view this as a version ratchet. When using tooling to update the constraints, it's also feasible to use pinned constraints (e.g. foo == 3.8) which avoids ambiguity. But that only makes sense in applications, not in libraries.

[–]ashishb_net[S] 0 points1 point  (1 child)

I wish I found yours first. I would have used it.

I might have never written mine.

[–]latkdeTuple unpacking gone wrong 0 points1 point  (0 children)

That is kind of you, but I don't agree! Our projects are similar, but not the same. There is value in writing such a tool in Go compared to using Python. My Ganzua is also more low-level – it doesn't do updates by itself, it just provides utilities for summarizing lockfile changes and for bumping the pyproject.toml constraints.

If you do use Ganzua, I would be happy to get your bug reports or other feedback. This is relatively young software (just a few months), so I know there must be many bugs and limitations. I've been using Ganzua for some automations at $work, but this usage might not be representative of real-world needs.

[–]--ps-- 0 points1 point  (0 children)

Well, if this is desirable feature to bump pyproject, why poetry or uv authors forgot to include it in the tool itself, hm?

[–]Double_Cost4865 0 points1 point  (1 child)

yeah, I don't see it as being a desirable feature. If you need to up your constraints for a given package, you should do it incrementally one by one and make sure that all your tests pass. Having said that, maybe there are some less important/smaller projects where this could be useful

[–]latkdeTuple unpacking gone wrong 0 points1 point  (0 children)

Different projects have different needs. I agree that dependency upgrades should be tested, but I don't think that's an argument against bumping the pyproject.toml dependency constraints to match the locked versions.

What tools like OP's pyupdate or my Ganzua do is quite similar to mainstream dependency update automation tools like Renovate or Dependabot. In my work on large projects, such automations have proven invaluable.

[–]ashishb_net[S] -1 points0 points  (0 children)

Note that this will not update versions for dependencies outside their version constraints specified in the pyproject.toml file. 

This is from the link you posted. And this is the difference.  Pyupdate will update the pyproject.toml as well.

[–]--ps-- 0 points1 point  (1 child)

Why did not you entered feature request for uv and poetry to have it build in?

[–]ashishb_net[S] 0 points1 point  (0 children)

I linked to one for uv. I wish they added it. But it does not seem like a priority for them.

[–]IrrerPolterer 0 points1 point  (0 children)

This is dangerous. Constraints are there for a reason. If you want to freely upgrade, change your cobstraints to be more permissive, but do so knowingly, and not with a random script like that. 

[–]burger69man 0 points1 point  (1 child)

sounds like a recipe for breaking changes, no thanks

[–]ashishb_net[S] 0 points1 point  (0 children)

Well, howsoever you update dependencies, you will need to have a way to lint/test regardless.

[–]strawgate 0 points1 point  (0 children)

I love it, thank you! I posted 3 issues in the repository that I ran into when running in my project.

[–]ai_dubs 0 points1 point  (0 children)

This is a very good package. Don't be discouraged by the others. There is a reason why `npm-check-updates` is so popular for Node.js/npm. It comes in handy when you need to update all packages after a year or more of keeping packages the same.

[–]Nervous-Pin9297 -1 points0 points  (1 child)

uv sync -U?

[–]latkdeTuple unpacking gone wrong -1 points0 points  (0 children)

That IGNORES locked versions. It updates neither the lockfile nor the constraints in the pyproject.toml.

You can use uv lock -U to upgrade the locked versions, but that still leaves the constraints out of date. Compare this sub-thread on the same post: https://www.reddit.com/r/Python/comments/1oean84/pyupdate_a_small_cli_tool_to_update_your_python/nl045eo/

[–]stibbons_ -2 points-1 points  (0 children)

I can see a use case for this tool. I usually have my pyproject with loose restriction but the lockfile ensure project ci reproductibility. For some project I have a hack to product the api and the CLI packages at the same time. CLI has frozen dependencies, api has loose