Make rust toolchain available in uv (pep-621) updates

[vlaci]

Tell us more.

I understand that this case may not be feasible to get implemented, and totally okay with that. In that case, feel free to close this discussion. See workaround below for mitigation.

Rust is required¹ when the project is managed by uv and pyproject.toml contains the following:

[project]
# ...
dynamic = [
  "version",
  # ...
]

# ...
[build-system]
build-backend = "maturin"
# ...

Uv needs to access the project version property, because the lockfile contains it, so it calls out to the build backend for that.

Workaround

Explicitly set project.version in pyproject.toml. Other dynamic metadata fields don't cause issues with updates.

If rust crates from the project are not also published to crates.io, one can also set a placeholder version, like 0.0.0 in Cargo.toml, so no synchronization is needed when bumping versions in that case.

Context

Maturin is a build backend for Python packages containing extension modules written in Rust.
Rust code is hosted in one or more traditional crates. As this require both a pyproject.toml and Cargo.toml files, part of project metadata is duplicated in the two. To resolve this, Maturin supports and encourages providing dynamic metadata in pyproject.toml.

Maturin supports the case when the [project] table is missing, but uv does not, so this case doesn't exist in practice.

There is also nothing special that renovate would need to do with regard to project/lock file processing.

Reproduction

See sample repo and failing update from #34246:
vlaci/renovate-maturin-dynamic-test#1

Security implications

As uv can call out to the build backend during package locking, there exist a possibility of arbitrary code execution. I am unfamiliar with Renovate's stance on update time code execution in general, but wanted to emphasize that concern. See below for other backends that support arbitrary code execution when generating dynamic project metadata.

Other build-backends

maturin is one of the suggested build backends in the uv documentation.

Another recommended backend from the uv docs is scikit-build-core which also supports dynamic version setting from CMake project or Python code execution.

Similarly, setuptools also has this dynamic capability.

---

I also want to apologize to @rarkins for me sounding confrontative. It wasn't in my intention. I came back mainly with this new discussion to comment, that there exist a workaround that can be utilized if one runs into the same error.

Footnotes

1. error on locking without cargo:

   Command failed: uv lock --upgrade-package pytest
   Using CPython 3.13.2 interpreter at: /opt/containerbase/tools/python/3.13.2/bin/python3
     × Failed to build `renovate-test @
     │ file:///tmp/renovate/repos/github/vlaci/renovate-maturin-dynamic-test`
     ├─▶ The build backend returned an error
     ╰─▶ Call to `maturin.prepare_metadata_for_build_editable` failed (exit
         status: 1)
   
         [stdout]
         Checking for Rust toolchain....
   
         [stderr]
   
         Cargo, the Rust package manager, is not installed or is not on PATH.
         This package requires Rust and Cargo to compile extensions. Install
         it through
         the system's package manager or via https://rustup.rs/
   
   
         hint: This usually indicates a problem with the package or the build
         environment.
   

   ↩

[rarkins]

The Renovate -full images contain pre-installed cargo/rust in addition to other package managers. Can you test running Renovate using a full docker image to see if everything automatically then works, or if that's just part of the problem?

Later, we could potentially add logic to the uv artifacts updating so that it also installs rust dynamically if necessary.

[vlaci]

Yes, it works if I am using the renovate/renovate:full image directly.

So the current state is

• ❌ mend app doesn't work
• ❌ renovate/renovate docker image doesn't work
• ✔️ renovate/renovate:full image does work

[vlaci]

A bit of a tangent, or gemeralization of the above discussion, as uv's behavior is affected by not only the top level project but all of its (transitive) dependencies.

This uv issue sheds some light on the method of how uv handles dynamic metadata.

TL;DR if a dependency...

• is not available as a wheel
  • and it contains dynamic fields in its sdist's PKG-INFO
  • or its Metadata-Version is lower than 2.2

...than uv will execute its build backend or setup.py in absence a pyproject.toml

It looks like other package managers including Poetry has a more lax approach, that's why issues like this haven't really came up in the past.

My prediction is that with uv's increasing popularity, arbitrary missing build dependencies will cause more locking issues when uv is used.

I guess, using the docker images is the best mitigation in the mid/short term.

[net]

We're having the same problem. We're using Mend hosted Renovate and I'd prefer not to self-host.

I know I know letsql is also experiencing this: letsql/xorq#558 (comment).

Should this be made into an issue?