Dependency bot

It is good practice to update dependencies regularly to avoid vulnerabilities, limit incompatibilities between dependencies and avoid complex upgrades when upgrading from a version that is too old. A variety of tools can help you stay up to date. uv is supported by Renovate.

Renovate uses the uv.lock file to detect that uv is being used to manage dependencies and suggests updates for project dependencies, optional dependencies and development dependencies. Renovate updates both the pyproject.toml and uv.lock files.

Installation and configuration

The Renovate CLI tool can be installed with

$ npm install renovate

Tip

The Renovate bot should run under its own service user. We therefore recommend creating and using a separate account, renovate-bot, for the bot. Then create and save an access token for this account.

You can now configure Renovate for your GitLab server. Renovate looks for a config.js file in the current working directory by default. However, you can override this by defining the environment variable RENOVATE_CONFIG_FILE. The configuration can then look like this, for example:

config.js
module.exports = {
  endpoint: 'https://ce.cusy.io/api/v4/',
  // Access token of the renovate-bot account. Alternatively leave this out and
  // pass the token through the RENOVATE_TOKEN environment variable, so that the
  // secret is not stored in this file.
  token: 'GITLAB_TOKEN',
  platform: 'gitlab',
  onboardingConfig: {
    extends: ['config:recommended'],
  },
  // Repositories the bot is allowed to process, as GROUP/PROJECT paths.
  repositories: ['USERNAME/REPO', 'ORGNAME/REPO'],
};

Note

Change the repository paths to something suitable. Also replace the GitLab token value with the token created in the previous step.

If you now want to regularly update the uv.lock file in your repository, you should use the lockFileMaintenance option in the renovate.json5 file in your repository, for example:

renovate.json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  lockFileMaintenance: {
    enabled: true,
  },
}

However, Renovate does not automatically recognise files with inline script metadata (PEP 723). You must explicitly list these Python scripts with fileMatch, for example:

renovate.json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  pep723: {
    fileMatch: [
      "app\\.py",
    ],
  },
}

Finally, schedule when Renovate runs, for example with cron. Put the environment in a small wrapper script (the name run-renovate.sh below is an assumed one) and make it readable only by renovate-bot, since it contains the access token:

#!/bin/bash
# Wrapper script run by cron; restrict it with chmod 700, it holds the token.

# PATH needs the directory containing the renovate binary, not the binary itself.
export PATH="/home/renovate-bot/.node_modules/.bin:$PATH"
export RENOVATE_CONFIG_FILE="/home/renovate-bot/config.js"
export RENOVATE_TOKEN="GITLAB_TOKEN"

exec renovate

Then call the script once an hour from the crontab of the renovate-bot user:

0 * * * * /home/renovate-bot/run-renovate.sh

CI/CD pipeline

Renovate can also be integrated into CI/CD pipelines: