astral-sh/uv

`pip compile --upgrade` behavior with yanked packages

Open

#3,644 opened on May 17, 2024

View on GitHub
 (7 comments) (0 reactions) (0 assignees)Rust (84,934 stars) (3,111 forks)batch import
help wanted

Description

Prompted at https://github.com/astral-sh/uv/issues/3602#issuecomment-2115761269

When a yanked package is pinned in a lockfile and pip compile --upgrade is used and there is no new version of the package in the input range, should we

  1. Downgrade to the unyanked version
  2. Error that a yanked version is being used
  3. Warn that a yanked version is being used
  4. Silently continue to use the yanked version

Note the yanked package is not pinned in the input requirements.

Contributor guide

Tech stack
rust
Domain
clideveloper experience
Issue type
research
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Python packagingyanked packagesuv CLI
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Review the current behavior of `pip compile upgrade` in uv's resolver code, particularly how yanked packages are handled. Examine the linked comment in issue #3602 for context. Consider the trade offs of the four proposed options and gather feedback from maintainers. Relevant source files are likely in the `crates/uv pip/` directory.