Migrate from Poetry to uv (TOOL-013 compliance) #146

Description

@williaby

Background

The standards manifest now requires uv as the primary Python package manager (TOOL-013, severity: critical, added 2026-05-24). This repo currently uses Poetry.

Why migrate

  • Renovate coverage gap: the org-standard Renovate config uses the pep621 manager, which reads PEP 621 [project.dependencies]. It does NOT read Poetry's [tool.poetry] table. This repo is currently receiving zero Renovate dependency PRs as a result.
  • Fleet-wide impact: the 2026-05-24 audit found 166 of 350 currently-open Dependabot alerts are in repos with this exact misconfiguration. Most of those are critical/high severity.
  • Ecosystem standardization: uv uses the PEP 621 [project] table, which is the ecosystem standard the rest of the Python world has converged on.
  • Performance: uv resolves and installs roughly 10-100x faster than Poetry, which compounds in CI.

Migration steps

  1. Install uv if not already present: pipx install uv or curl -LsSf https://astral.sh/uv/install.sh | sh.
  2. Convert pyproject.toml:
    • [tool.poetry] metadata -> [project] table (name, version, description, authors as PEP 621)
    • [tool.poetry.dependencies] -> [project.dependencies] (convert Poetry's ^x.y constraints to PEP 508 syntax)
    • [tool.poetry.group.dev.dependencies] (or [tool.poetry.dev-dependencies]) -> [dependency-groups.dev] (PEP 735)
    • Remove all [tool.poetry*] tables after conversion.
  3. Generate the lockfile: uv lock.
  4. Delete poetry.lock.
  5. Update CI workflows: replace poetry install / poetry run with uv sync / uv run.
  6. Update renovate.json: change enabledManagers from ["poetry", ...] to ["pep621", ...] if the repo overrides this field. Do NOT use "uv" -- Renovate 42.92.x rejects it (see feedback_renovate_uv_manager_trap.md).
  7. Verify the renovate.json by running npx --yes --package renovate -- renovate-config-validator renovate.json.

Acceptance criteria

  • pyproject.toml has a [project] table; no [tool.poetry*] tables remain.
  • uv.lock is present; poetry.lock is deleted.
  • CI workflows use uv sync / uv run (no poetry invocations).
  • If renovate.json overrides enabledManagers, it includes pep621 (not poetry, not uv).
  • renovate-config-validator passes locally on renovate.json.
  • First Renovate dependency PR appears within one weekly cycle of merge.

References

  • Standards manifest: TOOL-013 (uv as primary Python package manager)
  • Memory: feedback_renovate_uv_manager_trap.md (why "uv" is NOT the correct Renovate manager name)
  • Fleet audit: docs/audits/dependabot-renovate-coverage-2026-05-24.md
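
The constraint conversion from migration step 2, as an added example that is not part of the original issue or of this repo's code. The function names and the sample dependency table are hypothetical and constructed; the input is assumed to be the dict a TOML parser returns for [tool.poetry.dependencies], and entries the script cannot translate safely (git/path sources, pre-release carets) raise instead of being guessed.

```python
import re

def _bounded(version, idx):
    """Return '>=version,<upper'; upper bumps component idx and zeroes the rest."""
    parts = [int(p) for p in version.split(".")]
    idx = min(idx, len(parts) - 1)
    upper = parts[:idx] + [parts[idx] + 1] + [0] * (len(parts) - idx - 1)
    return f">={version},<{'.'.join(map(str, upper))}"

def to_pep440(constraint):
    """Convert one Poetry constraint (possibly comma-separated) to PEP 440 specifiers."""
    out = []
    for piece in (p.strip() for p in constraint.split(",")):
        if piece == "*":
            continue  # any version: emit no specifier
        m = re.fullmatch(r"(\^|~(?!=))?\s*(\d+(?:\.\d+)*)", piece)
        if m is None:
            if piece.startswith(("^", "~")) and not piece.startswith("~="):
                raise ValueError(f"convert by hand: {piece!r}")  # e.g. pre-release caret
            out.append(piece)  # already PEP 440 (>=, <, ==, !=, ~=)
        elif m[1] == "^":
            # Caret bumps the leftmost non-zero component: ^0.2.3 -> <0.3.0, not <1.0.0
            nums = [int(n) for n in m[2].split(".")]
            out.append(_bounded(m[2], next((i for i, n in enumerate(nums) if n), len(nums))))
        elif m[1] == "~":
            out.append(_bounded(m[2], 1))  # tilde bumps minor (major if given alone)
        else:
            out.append(f"=={m[2]}")  # a bare version is an exact pin in Poetry
    return ",".join(out)

def to_project_dependencies(poetry_deps):
    """Map a parsed [tool.poetry.dependencies] table to (PEP 508 list, requires-python)."""
    reqs, requires_python = [], None
    for name, spec in poetry_deps.items():
        spec = {"version": spec} if isinstance(spec, str) else spec
        if set(spec) - {"version", "extras", "markers"}:
            raise ValueError(f"{name}: git/path/source/optional entries need manual conversion")
        if name == "python":
            requires_python = to_pep440(spec["version"])  # goes to [project].requires-python
            continue
        extras = f"[{','.join(spec['extras'])}]" if spec.get("extras") else ""
        marker = f"; {spec['markers']}" if spec.get("markers") else ""
        reqs.append(f"{name}{extras}{to_pep440(spec.get('version', '*'))}{marker}")
    return reqs, requires_python

# Constructed sample: the dict a TOML parser would return for [tool.poetry.dependencies]
SAMPLE = {"python": "^3.11", "requests": "^2.31.0", "cryptography": ">=42.0,<44.0",
          "pydantic": {"version": "^0.32", "extras": ["email"]},
          "tomli": {"version": "~2.0.1", "markers": "python_version < '3.11'"}}

if __name__ == "__main__":
    print(to_project_dependencies(SAMPLE))
```

The returned list is what goes under [project.dependencies]; compare it against the output of uv lock before deleting poetry.lock, since a caret on a 0.x version translates to a much narrower range than a caret on 1.x or later.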
