Skip to content

Missing uv.lock file— uvx mcp-scan@latest fails #53

New issue
New issue
Closed
Closed
Missing uv.lock file— uvx mcp-scan@latest fails#53
Assignees
mmilanta
@roaguirre

Description

@roaguirre
roaguirre
opened on Jun 6, 2025

Without the uv.lock file builds are not reproducible.

I'm seeing this issue when running uvx mcp-scan@latest

% uvx mcp-scan@latest
Installed 104 packages in 155ms
Invariant MCP-scan v0.2.1

Traceback (most recent call last):
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/bin/mcp-scan", line 12, in <module>
    sys.exit(run())
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/run.py", line 7, in run
    asyncio.run(main())
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/cli.py", line 475, in main
    asyncio.run(run_scan_inspect(args=args))
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/asyncio/base_events.py", line 649, in run_until_complete
    return future.result()
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/cli.py", line 499, in run_scan_inspect
    result = await scanner.scan()
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/MCPScanner.py", line 242, in scan
    result_awaited = await asyncio.gather(*result)
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/MCPScanner.py", line 194, in scan_path
    path_result = await verify_scan_path(path_result, base_url=self.base_url, run_locally=self.local_only)
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/verify_api.py", line 101, in verify_scan_path
    return await verify_scan_path_public_api(scan_path, base_url)
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/mcp_scan/verify_api.py", line 22, in verify_scan_path_public_api
    output_path = scan_path.model_copy(deep=True)
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/pydantic/main.py", line 406, in model_copy
    copied = self.__deepcopy__() if deep else self.__copy__()
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/pydantic/main.py", line 940, in __deepcopy__
    _object_setattr(m, '__dict__', deepcopy(self.__dict__, memo=memo))
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 231, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 206, in _deepcopy_list
    append(deepcopy(a, memo))
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 153, in deepcopy
    y = copier(memo)
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/pydantic/main.py", line 940, in __deepcopy__
    _object_setattr(m, '__dict__', deepcopy(self.__dict__, memo=memo))
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 231, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 153, in deepcopy
    y = copier(memo)
  File "/Users/raguirre/.cache/uv/archive-v0/sRiMVIp0Gsi1mvHl1JdTu/lib/python3.10/site-packages/pydantic/main.py", line 940, in __deepcopy__
    _object_setattr(m, '__dict__', deepcopy(self.__dict__, memo=memo))
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 231, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 265, in _reconstruct
    y = func(*args)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 264, in <genexpr>
    args = (deepcopy(arg, memo) for arg in args)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 206, in _deepcopy_list
    append(deepcopy(a, memo))
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/Users/raguirre/.local/share/uv/python/cpython-3.10.17-macos-aarch64-none/lib/python3.10/copy.py", line 265, in _reconstruct
    y = func(*args)
TypeError: HTTPStatusError.__init__() missing 2 required keyword-only arguments: 'request' and 'response'

How a uv.lock File Would Prevent This

A uv.lock file would solve this issue by:

  • Version Pinning: It locks exact versions of all dependencies that are known to work together, preventing automatic updates to incompatible versions.
  • Reproducible Builds: Every installation would use the same dependency tree that was tested and verified to work.
  • Controlled Updates: Dependency updates would be explicit and testable, rather than happening automatically when using @latest.
  • Dependency Resolution: It ensures the entire dependency graph is compatible, not just the top-level package.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions