Security update MR not created for unconstraint uv dependencies

[cd-fge]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitLab

Please tell us more about your question or problem

For the Python uv package manager renovate only creates security update MRs when the dependency has a version constraint.

For example with this pyproject.toml and requests 2.32.3 in the uv.lock file, renovate won't create a MR to upgrade requests for GHSA-9hjg-9r4m-mvj7.

[project]
name = "test"
version = "1"
dependencies = [
    "requests",
]
requires-python = ">= 3.11"

However when adding a version constraint for requests it will create a MR:

[project]
name = "test"
version = "1"
dependencies = [
    "requests>2",
]
requires-python = ">= 3.11"

Renovate config used:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":label(renovate)"
  ],
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["at any time"]
  },
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true,
  "dependencyDashboardOSVVulnerabilitySummary": "all",
  "dependencyDashboardLabels": ["renovate"]
}

Logs (if relevant)

Logs no version contraint

DEBUG: fetchVulnerabilities() - osvVulnerabilityAlerts=true (repository=xxx/code/renovate-test)
DEBUG: Vulnerability GHSA-9hjg-9r4m-mvj7 affects requests 2.32.3 (repository=xxx/code/renovate-test)
DEBUG: Setting allowed version >= 2.32.4 to fix vulnerability GHSA-9hjg-9r4m-mvj7 in requests 2.32.3 (repository=xxx/code/renovate-test)
DEBUG: Using queue: host=ghcr.io, concurrency=16 (repository=xxx/code/renovate-test)

DEBUG: 2 flattened updates found: ghcr.io/astral-sh/uv (repository=xxx/code/renovate-test)

DEBUG: Ensuring Dependency Dashboard (repository=xxx/code/renovate-test)
DEBUG: Checking packageFiles for deprecated packages (repository=xxx/code/renovate-test)
DEBUG: Vulnerability GHSA-9hjg-9r4m-mvj7 affects requests 2.32.3 (repository=xxx/code/renovate-test)

Logs with version contraint

DEBUG: fetchVulnerabilities() - osvVulnerabilityAlerts=true (repository=xxx/code/renovate-test)
DEBUG: Vulnerability GHSA-9hjg-9r4m-mvj7 affects requests 2.32.3 (repository=xxx/code/renovate-test)
DEBUG: Setting allowed version >= 2.32.4 to fix vulnerability GHSA-9hjg-9r4m-mvj7 in requests 2.32.3 (repository=xxx/code/renovate-test)
DEBUG: hostRules: no authentication for pypi.org (repository=xxx/code/renovate-test)
DEBUG: Using queue: host=pypi.org, concurrency=16 (repository=xxx/code/renovate-test)
DEBUG: Using queue: host=ghcr.io, concurrency=16 (repository=xxx/code/renovate-test)
DEBUG: hostRules: authentication already set for api.github.com (repository=xxx/code/renovate-test)
DEBUG: Using queue: host=api.github.com, concurrency=16 (repository=xxx/code/renovate-test)
DEBUG: Using vulnerabilityFixStrategy=lowest for requests (repository=xxx/code/renovate-test)
DEBUG: Unsupported rangeStrategy: update-lockfile. Using "replace" instead. (repository=xxx/code/renovate-test)

DEBUG: 3 flattened updates found: ghcr.io/astral-sh/uv, requests (repository=xxx/code/renovate-test)

DEBUG: Ensuring Dependency Dashboard (repository=xxx/code/renovate-test)
DEBUG: Checking packageFiles for deprecated packages (repository=xxx/code/renovate-test)
DEBUG: Vulnerability GHSA-9hjg-9r4m-mvj7 affects requests 2.32.3 (repository=xxx/code/renovate-test)

DEBUG: syncBranchState() (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: syncBranchState(): Branch cache not found, creating minimal branchState (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: getBranchPr(renovate/pypi-requests-vulnerability) (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: findPr(renovate/pypi-requests-vulnerability, undefined, open) (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: branchExists=false (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: dependencyDashboardCheck=undefined (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Check for closed PR because recreating closed PRs is disabled. (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: findPr(renovate/pypi-requests-vulnerability, Update dependency requests to v2.32.4 [SECURITY], !open) (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: prAlreadyExisted=false (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Open PR Count: 2, Existing Branch Count: 2, Hourly PR Count: 0 (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: prHourlyLimit of the upgrades present in this branch (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "limits": [{"depName": "requests", "prHourlyLimit": 2}]
DEBUG: Calculated lowest prHourlyLimit among the upgrades present in this branch is 2. (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: branchConcurrentLimit of the upgrades present in this branch (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "limits": [{"depName": "requests", "branchConcurrentLimit": null}]
DEBUG: Calculated lowest branchConcurrentLimit among the upgrades present in this branch is 10. (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Checking schedule(schedule=, tz=null, now=2025-06-16T14:02:20.502Z) (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: No schedule defined (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Converting rebaseWhen=auto to rebaseWhen=conflicted because no rule for behind-base-branch applies (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Branch needs creating (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Using reuseExistingBranch: false (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Setting current branch to dev (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: latest commit (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "branchName": "dev",
       "latestCommitDate": "2025-06-16T16:01:21+02:00",
       "sha": "d75b3ff9c2da495271b9463b1c7409f509619de8"
DEBUG: manager.getUpdatedPackageFiles() reuseExistingBranch=false (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: isLockFileUpdate without updateLockedDependency (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "manager": "pep621"
DEBUG: updateArtifacts for nonUpdatedPackageFiles (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: No pdm.lock found (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Setting CONTAINERBASE_CACHE_DIR to /builds/xxx/infrastructure/renovate-runner/renovate/cache/containerbase (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Using containerbase dynamic installs (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Resolved stable matching version (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "toolName": "python",
       "constraint": ">= 3.11",
       "resolvedVersion": "3.13.5"
DEBUG: Resolved stable matching version (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "toolName": "uv",
       "constraint": undefined,
       "resolvedVersion": "0.7.13"
DEBUG: Executing command (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "command": "install-tool python 3.13.5"
DEBUG: exec completed (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "durationMs": 10243,
       "stdout": "[14:02:20.853] INFO (86): Installing tool python@3.13.5...\ninstalling v2 tool python v3.13.5\nlinking tool python v3.13.5\nPython 3.13.5\npip 25.1.1 from /opt/containerbase/tools/python/3.13.5/lib/python3.13/site-packages/pip (python 3.13)\n[14:02:30.401] INFO (86): Install tool python succeeded in 9.5s.\n",
       "stderr": ""
DEBUG: Executing command (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "command": "install-tool uv 0.7.13"
DEBUG: exec completed (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "durationMs": 3255,
       "stdout": "[14:02:31.108] INFO (290): Installing pip uv@0.7.13...\nuv 0.7.13\n[14:02:33.794] INFO (290): Install tool uv succeeded in 2.6s.\n",
       "stderr": ""
DEBUG: Executing command (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "command": "uv lock --upgrade-package requests"
DEBUG: exec completed (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "durationMs": 161,
       "stdout": "",
       "stderr": "Using CPython 3.13.5 interpreter at: /opt/containerbase/tools/python/3.13.5/bin/python3\nResolved 6 packages in 69ms\nUpdated requests v2.32.3 -> v2.32.4\n"
DEBUG: Updated 1 package files (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Updated 1 lock files (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "updatedArtifacts": ["uv.lock"]
DEBUG: 2 file(s) to commit (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Preparing files for committing to branch renovate/pypi-requests-vulnerability (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Setting git author name: Renovate (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: Setting git author email: group_63368321_bot_479f8363da0578aa64d2a494bf991904@noreply.gitlab.com (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: git commit (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "deletedFiles": [],
       "ignoredFiles": [],
       "result": {
         "author": null,
         "branch": "renovate/pypi-requests-vulnerability",
         "commit": "b24a7e64222f4ee5e5e708295452213222516458",
         "root": false,
         "summary": {"changes": 1, "insertions": 4, "deletions": 4}
       }
DEBUG: Pushing refSpec renovate/pypi-requests-vulnerability:renovate/pypi-requests-vulnerability (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: git push (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "result": {
         "pushed": [
           {
             "deleted": false,
             "tag": false,
             "branch": true,
             "new": true,
             "alreadyUpdated": false,
             "local": "refs/heads/renovate/pypi-requests-vulnerability",
             "remote": "refs/heads/renovate/pypi-requests-vulnerability"
           }
         ],
         "ref": {"local": "refs/remotes/origin/renovate/pypi-requests-vulnerability"},
         "remoteMessages": {
           "all": [
             "To create a merge request for renovate/pypi-requests-vulnerability, visit:",
             "https://gitlab.com/xxx/code/renovate-test/-/merge_requests/new?merge_request%5Bsource_branch%5D=renovate%2Fpypi-requests-vulnerability"
           ],
           "pullRequestUrl": "https://gitlab.com/xxx/code/renovate-test/-/merge_requests/new?merge_request%5Bsource_branch%5D=renovate%2Fpypi-requests-vulnerability"
         }
       }
DEBUG: Setting current branch to dev (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
DEBUG: latest commit (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)
       "branchName": "dev",
       "latestCommitDate": "2025-06-16T16:01:21+02:00",
       "sha": "d75b3ff9c2da495271b9463b1c7409f509619de8"
 INFO: Branch created (repository=xxx/code/renovate-test, branch=renovate/pypi-requests-vulnerability)