Use uv highest resolution by default#142
Merged
anuraaga merged 3 commits intoconnectrpc:mainfrom Feb 26, 2026
Merged
Conversation
Signed-off-by: Anuraag Agrawal <anuraaga@gmail.com>
anuraaga
force-pushed
the
default-highest
branch
from
e61d00d to
8b542ea
Compare
stefanvanburen
approved these changes
Feb 25, 2026
stefanvanburen
added a commit
to bufbuild/protovalidate-python
that referenced
this pull request
Feb 25, 2026
This switches our version resolution back to the default of "highest", but leaves around our testing of our entire version range in CI. This more closely follows [the recommendation of the uv team][1] for libraries. This should help with resolving some of the GitHub security alerts we get on this repository. [1]: https://docs.astral.sh/uv/concepts/resolution/#resolution-strategy Ref: connectrpc/connect-python#142 Ref: #373 Ref: astral-sh/uv#18178 (comment)
stefanvanburen
added a commit
to bufbuild/protovalidate-python
that referenced
this pull request
Feb 26, 2026
This switches our version resolution back to the default of "highest", but leaves around our testing of our entire version range in CI. This more closely follows [the recommendation of the uv team][1] for libraries. This should help with resolving some of the GitHub security alerts we get on this repository. [1]: https://docs.astral.sh/uv/concepts/resolution/#resolution-strategy Ref: connectrpc/connect-python#142 Ref: #373 Ref: astral-sh/uv#18178 (comment)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This makes it harder to have potentially flagged vulnerabilities in our lock file like in #124. Some users point a CVE scanner at a github repo before using a project and even though it's reasonable to expect users to keep their dependency up to date, I've come to accept it's easiest to go with the flow and ensure there aren't any CVEs detectable as much as possible.
The risk is using a feature from a newer version than our pin, but CI will catch it and I think it is very unlikely to happen in practice, especially with our low dependency count.