fix(deps): switch Renovate to uv manager for lock-file-aware dep scanning#74
Conversation
…s in cluster D docs

Adds 'commitish' to codespell ignore list to allow the release-drafter workflow's YAML key name. Replaces em-dashes in the cluster D planning and spec docs with colons, satisfying the no-em-dash PC-011 hook.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replaces pep621/pip_requirements with the uv manager in the template repo's renovate.json. The uv manager reads both pyproject.toml and uv.lock, enabling transitive dependency scanning that matches what Dependabot already provides via its native uv.lock parser.

Replaces poetry with uv in the generated project template's renovate.json. The template switched from Poetry to UV but the Renovate config was never updated, leaving all Python dep scanning dead. Also removes dead Poetry-specific config: the poetry manager block, postUpdateOptions poetryMassage, and package rules with matchManagers: ["poetry"]. Updates dev dep matchDepTypes from "devDependencies" (Poetry) to "dev" (uv dependency-group name).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Updates Renovate configuration to use the uv manager so dependency scanning (including lock-file-aware / transitive dependencies via uv.lock) works correctly in both the template repository and generated projects.
Changes:
- Switches the repo-level Renovate managers from `pep621`/`pip_requirements` to `uv`.
- Updates the generated project's Renovate config from `poetry` to `uv`, including dev dependency grouping (`matchDepTypes: ["dev"]`) and removal of Poetry-only options.
- Maintenance/docs hygiene: adds `commitish` to the codespell ignore list and replaces em-dash list formatting in two planning/spec docs.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| renovate.json | Switch enabled Renovate managers to uv for lock-file-aware Python dependency scanning. |
| {{cookiecutter.project_slug}}/renovate.json | Migrate Renovate config from Poetry to UV; remove dead Poetry config and align dep grouping with UV. |
| .pre-commit-config.yaml | Prevent false-positive codespell failures on commitish (release-drafter key). |
| docs/superpowers/specs/2026-05-20-template-cleanup-cluster-D-code-quality.md | Replace em-dash list separators with colon formatting. |
| docs/superpowers/plans/2026-05-20-template-cleanup-cluster-D.md | Replace em-dash list separators with colon formatting. |

Summary

- Replaces `pep621`/`pip_requirements` with `uv` in the template repo's `renovate.json`. The `uv` manager reads both `pyproject.toml` and `uv.lock`, enabling transitive dep scanning that matches what Dependabot already provides via its native `uv.lock` parser.
- Replaces `poetry` with `uv` in the generated project template's `renovate.json`. The template switched from Poetry to UV long ago, but the Renovate config was never updated, leaving all Python dep scanning silently dead.
- Removes dead Poetry-specific config: the `poetry` manager block, `postUpdateOptions: poetryMassage`, and `packageRules` with `matchManagers: ["poetry"]` (these never fired).
- Updates `matchDepTypes` from `"devDependencies"` (Poetry) to `"dev"` (uv dependency-group name).
- Adds `commitish` to the codespell ignore list (release-drafter YAML key falsely flagged).

Why this matters

Renovate was creating no Python dependency PRs because its active manager (`pep621`) only reads direct deps from `pyproject.toml` and ignores the lock file. Dependabot uses its own `uv.lock` parser and was catching transitive CVEs that Renovate missed entirely. After this change, Renovate's `uv` manager will read the lock file and should begin generating PRs for the open Dependabot alerts.

The self-hosted Renovate instance already has `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS` including `"^uv lock"` and `RENOVATE_BINARY_SOURCE: install`, so the `uv` manager is fully supported without any server-side changes.

Test plan
Generated with Claude Code
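As an added illustration of the configuration shape the Summary and "Why this matters" sections describe (this is not the project's own `renovate.json`, which is not reproduced on this page), here is the generated-project config written as JSON5 so that the removed Poetry-era lines can be shown as comments next to their replacements. The manager names (`poetry`, `uv`), the `postUpdateOptions` value and the `matchDepTypes` values are the ones the PR text gives and are not independently verified here; `$schema`, `extends` and the `groupName` label are standard Renovate keys added to make the file complete and are assumptions about this project.

```json5
// Added example, not the project's own file. Renovate also reads a
// renovate.json5 config, which is what permits these comments.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json", // assumed; standard key
  "extends": ["config:recommended"],                                // assumed; standard preset

  // Before: "enabledManagers": ["poetry"]
  // The poetry manager only understands poetry.lock. Once the template
  // moved to uv there was nothing for it to parse, so every rule below
  // matched nothing and Python dependency scanning was silently dead.
  // The uv manager reads pyproject.toml together with uv.lock, so
  // transitive packages that exist only in the lock file (the ones
  // Dependabot was already flagging) are now updated as well.
  "enabledManagers": ["uv"],

  // Removed: "postUpdateOptions": ["poetryMassage"]   (Poetry-only; per the PR text)

  "packageRules": [
    {
      // Before: "matchManagers": ["poetry"], "matchDepTypes": ["devDependencies"]
      // "dev" is the uv dependency-group name the PR text gives.
      "matchManagers": ["uv"],
      "matchDepTypes": ["dev"],
      "groupName": "dev dependencies" // assumed label for the grouped PR
    }
  ]
}
```

A quick way to confirm the switch actually widened coverage is to run Renovate against the repository in extract-only mode (`--dry-run=extract` with debug logging) and check that the extracted dependency list now contains packages that appear in `uv.lock` but not in `pyproject.toml`; if only direct dependencies are listed, the lock file is still not being read. Because the `uv` manager regenerates the lock file after an update, the server-side `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS` entry for `^uv lock` mentioned above is what lets those PRs carry a consistent `uv.lock`.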