fix(deps): switch from pip-compile to uv pip compile (#538)

lawrence-u10d · claude · web-flow · commit 8d6e8632c64b · 2026-01-21T14:15:03.000-06:00
## Summary Switches dependency compilation from pip-compile to uv pip compile to fix Renovate compatibility issues with the `--no-strip-extras` flag. ## Problem Renovate's pip-compile manager has a bug where it only supports `--no-strip-extras` for `uv pip compile`, not for regular `pip-compile`. This blocks Renovate from creating security vulnerability PRs for Python dependencies. ## Solution Switch from `pip-compile` to `uv pip compile` which: - ✅ Supports `--no-strip-extras` flag in Renovate - ✅ 10-100x faster compilation times - ✅ Drop-in replacement with same command structure - ✅ Aligns with unstructured and unstructured-inference repos ## Changes ### Makefile - Targets Python 3.12 (via `--python-version 3.12`) - Adds `--no-emit-package pip` and `--no-emit-package setuptools` flags - Replaces all `pip-compile` commands with `uv pip compile` ### Requirements Files Expected differences from `pip-compile` to `uv pip compile`: **Cosmetic changes:** - Header format updated to reflect uv compilation - Path references include `./` prefix (e.g., `-r ./requirements/base.in`) - Footer wording changed from "unsafe" to "excluded from the output" **constraints.txt expansion:** - `uv` includes transitive dependencies of constrained packages - Added `cryptography`, `cffi`, `charset-normalizer`, `pycparser` (all dependencies of pinned `pdfminer-six==20260107`) - This improves reproducibility by locking the entire dependency tree for constrained packages No version changes to any packages - all dependencies remain at the same versions as before. ## Testing ```bash make pip-compile ``` ## References - Renovate source: [common.ts](https://github.com/renovatebot/renovate/blob/main/lib/modules/manager/pip-compile/common.ts) - uv pip compile docs: https://docs.astral.sh/uv/pip/compile/ - Companion PR in unstructured: Unstructured-IO/unstructured#4202  --- > [!NOTE] > Switches dependency compilation to `uv pip compile` and updates generated requirement files accordingly. > > - Replace `pip-compile` with `uv pip compile` in `Makefile`, targeting Python 3.12 and adding `--no-emit-package pip`/`setuptools`; update `compile-all-base` loop > - Regenerate `requirements/base.txt`, `test.txt`, and `constraints.txt` with uv headers/footers and `./` path prefixes > - Expand `constraints.txt` to include transitive deps of constrained packages (e.g., `cryptography`, `cffi`, `charset-normalizer`, `pycparser`) > - No dependency version changes > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ba94b9a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
diff --git a/Makefile b/Makefile
@@ -47,15 +47,18 @@ pip-compile: compile-all-base
 
 .PHONY: compile-test
 compile-test:
-	pip-compile --upgrade -o requirements/test.txt requirements/base.txt requirements/test.in
+	uv pip compile --python-version 3.12 --upgrade -o requirements/test.txt requirements/base.txt requirements/test.in --no-emit-package pip --no-emit-package setuptools
 
 .PHONY: compile-base
 compile-base:
-	pip-compile --upgrade requirements/base.in
+	uv pip compile --python-version 3.12 --upgrade requirements/base.in -o requirements/base.txt --no-emit-package pip --no-emit-package setuptools
 
 .PHONY: compile-all-base
 compile-all-base: compile-base compile-test
-	@$(foreach file,$(BASE_REQUIREMENTS),echo -e "\n\ncompiling: $(file)" && pip-compile --no-strip-extras --upgrade $(file) || exit;)
+	@for file in $(BASE_REQUIREMENTS); do \
+		echo -e "\n\ncompiling: $$file"; \
+		uv pip compile --python-version 3.12 --upgrade --no-strip-extras $$file -o $${file%.in}.txt --no-emit-package pip --no-emit-package setuptools || exit 1; \
+	done
 
 .PHONY: clean-requirements
 clean-requirements:
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -1,9 +1,5 @@
-#
-# This file is autogenerated by pip-compile with Python 3.12
-# by the following command:
-#
-#    pip-compile --no-strip-extras ./requirements/base.in
-#
+# This file was autogenerated by uv via the following command:
+#    uv pip compile --python-version 3.12 --no-strip-extras ./requirements/base.in -o ./requirements/base.txt --no-emit-package pip --no-emit-package setuptools
 accelerate==1.12.0
     # via unstructured-inference
 aiofiles==25.1.0
@@ -20,7 +16,7 @@ anyio==4.12.0
     #   starlette
 backoff==2.2.1
     # via
-    #   -r requirements/base.in
+    #   -r ./requirements/base.in
     #   unstructured
 beautifulsoup4==4.14.3
     # via unstructured
@@ -40,7 +36,7 @@ charset-normalizer==3.4.4
     #   unstructured
 click==8.3.1
     # via
-    #   -r requirements/base.in
+    #   -r ./requirements/base.in
     #   nltk
     #   python-oxmsg
     #   uvicorn
@@ -66,7 +62,7 @@ emoji==2.15.0
 et-xmlfile==2.0.0
     # via openpyxl
 fastapi==0.128.0
-    # via -r requirements/base.in
+    # via -r ./requirements/base.in
 filelock==3.20.1
     # via
     #   huggingface-hub
@@ -167,7 +163,7 @@ nltk==3.9.2
     # via unstructured
 numpy==1.26.4
     # via
-    #   -c requirements/constraints.in
+    #   -c ./requirements/constraints.in
     #   accelerate
     #   contourpy
     #   matplotlib
@@ -218,7 +214,7 @@ pdf2image==1.17.0
     # via unstructured
 pdfminer-six==20260107
     # via
-    #   -c requirements/constraints.in
+    #   -c ./requirements/constraints.in
     #   unstructured
     #   unstructured-inference
 pi-heif==1.1.1
@@ -249,7 +245,7 @@ protobuf==6.33.2
     #   proto-plus
 psutil==7.2.1
     # via
-    #   -r requirements/base.in
+    #   -r ./requirements/base.in
     #   accelerate
     #   unstructured
 pyasn1==0.6.1
@@ -263,7 +259,7 @@ pycocotools==2.0.11
 pycparser==2.23
     # via cffi
 pycryptodome==3.23.0
-    # via -r requirements/base.in
+    # via -r ./requirements/base.in
 pydantic==2.12.5
     # via
     #   fastapi
@@ -276,7 +272,7 @@ pyparsing==3.3.1
     # via matplotlib
 pypdf==6.5.0
     # via
-    #   -r requirements/base.in
+    #   -r ./requirements/base.in
     #   unstructured
     #   unstructured-client
 pypdfium2==5.2.0
@@ -311,14 +307,14 @@ rapidfuzz==3.14.3
     #   unstructured
     #   unstructured-inference
 ratelimit==2.2.1
-    # via -r requirements/base.in
+    # via -r ./requirements/base.in
 regex==2025.11.3
     # via
     #   nltk
     #   transformers
 requests==2.32.5
     # via
-    #   -r requirements/base.in
+    #   -r ./requirements/base.in
     #   google-api-core
     #   huggingface-hub
     #   requests-toolbelt
@@ -344,7 +340,7 @@ soupsieve==2.8.1
     # via beautifulsoup4
 starlette==0.41.2
     # via
-    #   -c requirements/constraints.in
+    #   -c ./requirements/constraints.in
     #   fastapi
 sympy==1.14.0
     # via
@@ -399,7 +395,7 @@ typing-inspection==0.4.2
 tzdata==2025.3
     # via pandas
 unstructured[all-docs]==0.18.24
-    # via -r requirements/base.in
+    # via -r ./requirements/base.in
 unstructured-client==0.42.6
     # via unstructured
 unstructured-inference==1.1.1
@@ -409,7 +405,7 @@ unstructured-pytesseract==0.3.15
 urllib3==2.6.2
     # via requests
 uvicorn==0.40.0
-    # via -r requirements/base.in
+    # via -r ./requirements/base.in
 webencodings==0.5.1
     # via html5lib
 wrapt==2.0.1
@@ -421,5 +417,5 @@ xlrd==2.0.2
 xlsxwriter==3.2.9
     # via python-pptx
 
-# The following packages are considered to be unsafe in a requirements file:
+# The following packages were excluded from the output:
 # setuptools
diff --git a/requirements/constraints.txt b/requirements/constraints.txt
@@ -1,16 +1,22 @@
-#
-# This file is autogenerated by pip-compile with Python 3.12
-# by the following command:
-#
-#    pip-compile --no-strip-extras ./requirements/constraints.in
-#
+# This file was autogenerated by uv via the following command:
+#    uv pip compile --python-version 3.12 --no-strip-extras ./requirements/constraints.in -o ./requirements/constraints.txt --no-emit-package pip --no-emit-package setuptools
 anyio==4.12.0
     # via starlette
+cffi==2.0.0
+    # via cryptography
+charset-normalizer==3.4.4
+    # via pdfminer-six
+cryptography==46.0.3
+    # via pdfminer-six
 idna==3.11
     # via anyio
 numpy==1.26.4
-    # via -r requirements/constraints.in
+    # via -r ./requirements/constraints.in
+pdfminer-six==20260107
+    # via -r ./requirements/constraints.in
+pycparser==2.23
+    # via cffi
 starlette==0.41.2
-    # via -r requirements/constraints.in
+    # via -r ./requirements/constraints.in
 typing-extensions==4.15.0
     # via anyio
diff --git a/requirements/test.txt b/requirements/test.txt
@@ -1,9 +1,5 @@
-#
-# This file is autogenerated by pip-compile with Python 3.12
-# by the following command:
-#
-#    pip-compile --no-strip-extras ./requirements/test.in
-#
+# This file was autogenerated by uv via the following command:
+#    uv pip compile --python-version 3.12 --no-strip-extras ./requirements/test.in -o ./requirements/test.txt --no-emit-package pip --no-emit-package setuptools
 anyio==4.12.0
     # via
     #   httpx
@@ -33,7 +29,7 @@ babel==2.17.0
 beautifulsoup4==4.14.3
     # via nbconvert
 black==25.12.0
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 bleach[css]==6.3.0
     # via nbconvert
 build==1.3.0
@@ -49,7 +45,7 @@ charset-normalizer==3.4.4
     # via requests
 click==8.3.1
     # via
-    #   -r requirements/test.in
+    #   -r ./requirements/test.in
     #   black
 comm==0.2.3
     # via
@@ -62,7 +58,7 @@ debugpy==1.8.19
 decorator==5.2.1
     # via ipython
 deepdiff==8.6.1
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 defusedxml==0.7.1
     # via nbconvert
 execnb==0.1.16
@@ -79,7 +75,7 @@ fastcore==1.10.0
 fastjsonschema==2.21.2
     # via nbformat
 flake8==7.3.0
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 fqdn==1.5.1
     # via jsonschema
 ghapi==1.0.8
@@ -90,7 +86,7 @@ httpcore==1.0.9
     # via httpx
 httpx==0.28.1
     # via
-    #   -r requirements/test.in
+    #   -r ./requirements/test.in
     #   jupyterlab
 idna==3.11
     # via
@@ -137,7 +133,7 @@ jsonschema[format-nongpl]==4.25.1
 jsonschema-specifications==2025.9.1
     # via jsonschema
 jupyter==1.1.1
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 jupyter-client==8.7.0
     # via
     #   ipykernel
@@ -198,7 +194,7 @@ mccabe==0.7.0
 mistune==3.2.0
     # via nbconvert
 mypy==1.19.1
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 mypy-extensions==1.1.0
     # via
     #   black
@@ -210,7 +206,7 @@ nbconvert==7.16.6
     #   jupyter
     #   jupyter-server
 nbdev==2.4.7
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 nbformat==5.10.4
     # via
     #   jupyter-server
@@ -293,11 +289,11 @@ pytest==9.0.2
     #   pytest-mock
     #   pytest-xdist
 pytest-cov==7.0.0
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 pytest-mock==3.15.1
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 pytest-xdist==3.8.0
-    # via -r requirements/test.in
+    # via -r ./requirements/test.in
 python-dateutil==2.9.0.post0
     # via
     #   arrow
@@ -406,5 +402,5 @@ wheel==0.45.1
 widgetsnbextension==4.0.15
     # via ipywidgets
 
-# The following packages are considered to be unsafe in a requirements file:
+# The following packages were excluded from the output:
 # setuptools
