From 85655572b7551ddd512850c6baade21016d9e87d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20Vask=C3=B3?= <1771332+vlaci@users.noreply.github.com>
Date: Fri, 19 Sep 2025 12:43:14 +0200
Subject: [PATCH 1/2] chore(deps): annd version constraint to all dependencies for renovate

At least when using the PEP621 backend (uv), renovate only cares about dependencies which have at least one constraint, otherwise it bypasses them. This can see from the logs: { "datasource": "pypi", "depName": "pyzstd", "depType": "project.dependencies", "lockedVersion": "0.17.0", "packageName": "pyzstd", "skipReason": "unspecified-version", "updates": [] }, https://developer.mend.io/github/onekey-sec/unblob
---
 pyproject.toml | 2 +-
 uv.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 897d67cfd7..b68dd8599b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -21,7 +21,7 @@ dependencies = [
 "pymdown-extensions>=10.15",
 "pyperscan>=0.3.0",
 "python-magic>=0.4.27",
- "pyzstd",
+ "pyzstd>0.16.2",
 "rarfile>=4.1",
 "rich>=13.3.5",
 "structlog>=24.1.0",
diff --git a/uv.lock b/uv.lock
index e86544752f..46128c4276 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1874,7 +1874,7 @@ requires-dist = [
 { name = "pymdown-extensions", specifier = ">=10.15" },
 { name = "pyperscan", specifier = ">=0.3.0" },
 { name = "python-magic", specifier = ">=0.4.27" },
- { name = "pyzstd" },
+ { name = "pyzstd", specifier = ">0.16.2" },
 { name = "rarfile", specifier = ">=4.1" },
 { name = "rich", specifier = ">=13.3.5" },
 { name = "structlog", specifier = ">=24.1.0" },

From 636be08f6a4079a1f00f848bcd3aeaa5dd002061 Mon Sep 17 00:00:00 2001
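Review bot: The new specifier `"pyzstd>0.16.2"` in the pyproject.toml hunk is an exclusive lower bound, while every other visible entry in this `dependencies` array uses `>=` with an explicit minimum, so it reads as though 0.16.2 itself is excluded for a reason rather than simply serving as a floor. The commit message shows the resolved version is 0.17.0, so `"pyzstd>=0.17.0"` would express the same intent in the file's existing style and make the permitted range unambiguous for anyone auditing which releases can be installed. The `requires-dist` entry in the uv.lock hunk mirrors this specifier and should be regenerated by uv rather than edited separately. The `dependencies` array starts before and continues past the hunk.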
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20Vask=C3=B3?= <1771332+vlaci@users.noreply.github.com>
Date: Fri, 19 Sep 2025 12:46:40 +0200
Subject: [PATCH 2/2] chore(renovate): update python packages even when change is only needed in uv.lock

Since some time around April, renovate started to update only packages, where `pyproject.toml` update was needed (constraints update). I have not found documentation about this change, only a github discussion[^1]. Meaning of rangeStrategy=update-lockfile[^2] option:
> Update the lock file when in-range updates are available, otherwise
> replace for updates out of range.
And replace:
> Replace the range with a newer one if the new version falls outside
> it, and update nothing otherwise
[^1]: https://github.com/renovatebot/renovate/discussions/36286
[^2]: https://docs.renovatebot.com/configuration-options/#rangestrategy
---
 renovate.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/renovate.json b/renovate.json
index f76f72ed6a..ff556db5c9 100644
--- a/renovate.json
+++ b/renovate.json
@@ -24,6 +24,9 @@
 "enabled": true,
 "description": "opt-in support for nix https://docs.renovatebot.com/modules/manager/nix/#enabling"
 },
+ "pep621": {
+ "rangeStrategy": "update-lockfile"
+ },
 "pre-commit": {
 "enabled": true,
 "description": "opt-in support for pre-commit https://docs.renovatebot.com/modules/manager/nix/#enabling"
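Review bot: The new `pep621` block carries no `description` key, unlike the neighbouring `nix` and `pre-commit` entries in the same hunk, and the commit message itself says this Renovate behaviour is undocumented apart from a discussion thread. Recording the rationale next to the setting stops a later maintainer from removing `rangeStrategy` because they cannot tell why it was added; `"description": "keep updating locked versions when only uv.lock needs to change, see https://github.com/renovatebot/renovate/discussions/36286"` would match the file's existing pattern. The enclosing object opens before the hunk.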