sbp commented on issue #397: URL: https://github.com/apache/tooling-trusted-releases/issues/397#issuecomment-3666892271
15.2.1 requires that we have a documented dependency update frequency, and that we check that our dependencies are always updated within that timeframe. Commit 52e202f2deae74d38bc60849736339b2ab919de8 attempts to ensure this by switching to frozen uv lockfiles. To keep a uv lockfile frozen, you must use uv with the `--frozen` flag. The currently open uv issue https://github.com/astral-sh/uv/issues/14443 would make this much cleaner if resolved, and would prevent us from accidentally running uv without it.

When we write a new lockfile, we use `excludes-newer`, similar to what we introduced in ffc0c99eee142e21fe73b927dab96041cfd6189c for npm in #359, which is recorded in the lockfile itself and which we can use to determine when we last performed an update. This allows us to automatically check whether we updated within our documented update period, a check which is performed by the new `scripts/check_when_dependencies_updated.py` script as part of our default pre-commit collection.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
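The check the comment describes, as an added example that is not the project's own `scripts/check_when_dependencies_updated.py`: read the cutoff timestamp that uv records in the lockfile and compare its age against the documented update period. It assumes the lockfile stores the cutoff as `exclude-newer = "..."` under an `[options]` table; the lockfile fragment, the 30-day policy and the `check_update_frequency` function name are constructed for this example.

```python
"""Check how recently a uv lockfile was resolved via its exclude-newer stamp.

Added example, not the project's script. Assumes uv.lock records the
resolution cutoff as:

    [options]
    exclude-newer = "2025-01-15T00:00:00Z"
"""
from __future__ import annotations

import re
import sys
from datetime import datetime, timezone

# Constructed sample lockfile fragment (not taken from the project).
SAMPLE_LOCK = """\
version = 1
requires-python = ">=3.12"

[options]
exclude-newer = "2025-01-15T00:00:00Z"

[[package]]
name = "example"
version = "1.0.0"
"""

# Match the stamp line only; a full TOML parser is not needed for one key.
_EXCLUDE_NEWER = re.compile(r'^exclude-newer\s*=\s*"([^"]+)"\s*$', re.MULTILINE)


def read_exclude_newer(lock_text: str) -> datetime | None:
    """Return the exclude-newer timestamp as an aware UTC datetime, or None."""
    match = _EXCLUDE_NEWER.search(lock_text)
    if not match:
        return None
    stamp = match.group(1)
    # Normalise a trailing 'Z' so older interpreters' fromisoformat accept it.
    if stamp.endswith("Z"):
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def days_since_update(lock_text: str, now: datetime) -> int | None:
    """Whole days between the lockfile's cutoff and `now`; None if no stamp."""
    stamp = read_exclude_newer(lock_text)
    if stamp is None:
        return None
    return (now - stamp).days


def check_update_frequency(
    lock_text: str, max_age_days: int, now: datetime | None = None
) -> tuple[bool, str]:
    """Return (ok, message).

    ok is False when the stamp is missing, is in the future (a tampered or
    mis-set cutoff), or is older than the documented update period.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    age = days_since_update(lock_text, now)
    if age is None:
        return False, "uv.lock has no exclude-newer stamp; regenerate it with a cutoff date"
    if age < 0:
        return False, f"exclude-newer is {-age} days in the future; cutoff looks wrong"
    if age > max_age_days:
        return False, f"dependencies last updated {age} days ago, exceeding the {max_age_days}-day policy"
    return True, f"dependencies updated {age} days ago, within the {max_age_days}-day policy"


if __name__ == "__main__":
    # Usage: python check_lock_age.py [path/to/uv.lock] [max_age_days]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 30
    text = open(path, encoding="utf-8").read() if path else SAMPLE_LOCK
    ok, message = check_update_frequency(text, limit)
    print(message)
    sys.exit(0 if ok else 1)
```

Run as a pre-commit hook it exits non-zero when the stamp is missing or stale, which is what turns the documented update frequency into something the repository enforces rather than merely states. The future-date branch matters because the stamp is the only evidence of when the update happened, so a cutoff later than today would otherwise pass every age check.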
