Detect redundant override-dependencies / constraint-dependencies in uv projects

Project description

uv-override-prune

Detect prunable override-dependencies / constraint-dependencies entries in uv projects.

Install

uv tool install uv-override-prune

Or run it without installing — useful for one-off checks:

uvx uv-override-prune

Usage

# Detect prunable entries (default)
uv-override-prune                          # checks ./pyproject.toml
uv-override-prune path/to/pyproject.toml   # checks given file

# Remove prunable entries in place
uv-override-prune --fix

Example output:

=== override-dependencies (3 entries) ===
[KEEP]  aiohttp>=3.13.5    3.13.3
[PRUNE] httpx>=0.1.0       0.28.1
[SKIP]  foo==1.0           -

Run with --fix to prune entries marked [PRUNE].

Exit codes:

Code  Meaning
0     No prunable entries (or --fix succeeded)
1     Prunable entries found (without --fix)
2     pyproject.toml not found

Why

uv lets you pin a transitive dependency version via [tool.uv] override-dependencies and constraint-dependencies. A common reason to reach for these is CVE mitigation: a vulnerability is disclosed in a transitive package, and you force the patched minimum version while waiting for direct deps to require it naturally. Once they catch up, the entry is no longer doing anything — but it's easy to forget which ones are still load-bearing, and stale overrides become a judgment cost at every audit or upgrade ("is this still needed, or just history?"). uv-override-prune answers that mechanically by checking whether each entry's lower bound is already satisfied by natural resolution.

Scope

  • Targets entries in [tool.uv] override-dependencies and constraint-dependencies.
  • Only entries whose specifier uses >= and/or > are checked. Entries using ==, ~=, <, <=, != (alone or mixed) are skipped.
  • One-at-a-time detection: removes each entry in a temp copy of pyproject.toml, runs uv lock, and checks whether the natural resolution still satisfies the entry's specifier.

Known limitations

  • Projects with a [build-system] section may fail to lock in the temp dir if they depend on source files (e.g. setuptools.packages.find, Hatch dynamic version from source). [tool.uv.sources] path deps, workspace members, and [project] readme are rewritten automatically; other build-backend-specific references are not.
  • One-at-a-time evaluation: if overrides interact (e.g. cascade redundancy, shared transitive deps), individual runs may miss some prunable entries. Re-run after applying removals to surface the next layer.

License

MIT

Download files

Source Distribution

uv_override_prune-0.0.5.tar.gz (10.4 kB view details)

Uploaded Source

Built Distribution

uv_override_prune-0.0.5-py3-none-any.whl (9.9 kB view details)

Uploaded Python 3

File details

Details for the file uv_override_prune-0.0.5.tar.gz.

File metadata

  • Download URL: uv_override_prune-0.0.5.tar.gz
  • Upload date:
  • Size: 10.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: uv/0.11.7 {"installer":{"name":"uv","version":"0.11.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for uv_override_prune-0.0.5.tar.gz
Algorithm Hash digest
SHA256 0fffff60a99ee8ca2ddac5a253ddbdbf5cfbe34956af7433911b06e433610a75
MD5 0a8e2121c7f85c39a33be6b3209fffa4
BLAKE2b-256 7418d07d5dd3f9444a9c9caa370f27f8adc68a17ee098d1fdd8fece469a4a3b4

File details

Details for the file uv_override_prune-0.0.5-py3-none-any.whl.

File metadata

  • Download URL: uv_override_prune-0.0.5-py3-none-any.whl
  • Upload date:
  • Size: 9.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: uv/0.11.7 {"installer":{"name":"uv","version":"0.11.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for uv_override_prune-0.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 f30dcc77b3df0290f9ca4bde811e9094e3b9a8b1e3d8a1fc12eb6bb8773c37aa
MD5 2d0c72177e4f87cf85634381ec642e1b
BLAKE2b-256 8816da5e4b6935d90ea1ba8f2534e5ff2a95d8f4a5dda34dd94c30d9e46f9807
