Background
The standards manifest now requires uv as the primary Python package manager (TOOL-013, severity: critical, added 2026-05-24). This repo currently uses Poetry.
Why migrate
- Renovate coverage gap: the org-standard Renovate config uses the
pep621 manager, which reads PEP 621 [project.dependencies]. It does NOT read Poetry's [tool.poetry] table. This repo is currently receiving zero Renovate dependency PRs as a result.
- Fleet-wide impact: the 2026-05-24 audit found 166 of 350 currently-open Dependabot alerts are in repos with this exact misconfiguration. Most of those are critical/high severity.
- Ecosystem standardization: uv uses the PEP 621
[project] table, which is the ecosystem standard the rest of the Python world has converged on.
- Performance: uv resolves and installs roughly 10-100x faster than Poetry, which compounds in CI.
Migration steps
- Install uv if not already present:
pipx install uv or curl -LsSf https://astral.sh/uv/install.sh | sh.
- Convert
pyproject.toml:
[tool.poetry] metadata -> [project] table (name, version, description, authors as PEP 621)
[tool.poetry.dependencies] -> [project.dependencies] (convert Poetry's ^x.y constraints to PEP 508 syntax)
[tool.poetry.group.dev.dependencies] (or [tool.poetry.dev-dependencies]) -> [dependency-groups.dev] (PEP 735)
- Remove all
[tool.poetry*] tables after conversion.
- Generate the lockfile:
uv lock.
- Delete
poetry.lock.
- Update CI workflows: replace
poetry install / poetry run with uv sync / uv run.
- Update
renovate.json: change enabledManagers from ["poetry", ...] to ["pep621", ...] if the repo overrides this field. Do NOT use "uv" -- Renovate 42.92.x rejects it (see feedback_renovate_uv_manager_trap.md).
- Verify the renovate.json by running
npx --yes --package renovate -- renovate-config-validator renovate.json.
Acceptance criteria
References
- Standards manifest: TOOL-013 (uv as primary Python package manager)
- Memory: feedback_renovate_uv_manager_trap.md (why "uv" is NOT the correct Renovate manager name)
- Fleet audit: docs/audits/dependabot-renovate-coverage-2026-05-24.md
Background
The standards manifest now requires uv as the primary Python package manager (TOOL-013, severity: critical, added 2026-05-24). This repo currently uses Poetry.
Why migrate
pep621manager, which reads PEP 621[project.dependencies]. It does NOT read Poetry's[tool.poetry]table. This repo is currently receiving zero Renovate dependency PRs as a result.[project]table, which is the ecosystem standard the rest of the Python world has converged on.Migration steps
pipx install uvorcurl -LsSf https://astral.sh/uv/install.sh | sh.pyproject.toml:[tool.poetry]metadata ->[project]table (name, version, description, authors as PEP 621)[tool.poetry.dependencies]->[project.dependencies](convert Poetry's^x.yconstraints to PEP 508 syntax)[tool.poetry.group.dev.dependencies](or[tool.poetry.dev-dependencies]) ->[dependency-groups.dev](PEP 735)[tool.poetry*]tables after conversion.uv lock.poetry.lock.poetry install/poetry runwithuv sync/uv run.renovate.json: changeenabledManagersfrom["poetry", ...]to["pep621", ...]if the repo overrides this field. Do NOT use"uv"-- Renovate 42.92.x rejects it (see feedback_renovate_uv_manager_trap.md).npx --yes --package renovate -- renovate-config-validator renovate.json.Acceptance criteria
pyproject.tomlhas a[project]table; no[tool.poetry*]tables remain.uv.lockis present;poetry.lockis deleted.uv sync/uv run(nopoetryinvocations).enabledManagers, it includespep621(notpoetry, notuv).renovate-config-validatorpasses locally on renovate.json.References