Migrate to uv package manager by lukasmasuch · Pull Request #13622 · streamlit/streamlit · GitHub

Conversation

@lukasmasuch
Collaborator
@lukasmasuch lukasmasuch commented Jan 17, 2026

Describe your changes

Consolidates Streamlit's Python packaging to use uv as the primary package manager.

  • Package definition migrated to lib/pyproject.toml
  • Tool configurations consolidated in root pyproject.toml (ruff, mypy, ty, dependency groups)
  • All Makefile targets updated to use uv run for proper venv isolation
  • CI workflows updated to use uv; old requirements files removed
  • Maintains backward compatibility where needed (e.g., custom components)

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

Consolidate Python packaging to use uv as the primary package manager while maintaining
backward compatibility where needed. This includes migrating package definition to
lib/pyproject.toml, consolidating tool configs in root pyproject.toml, and updating all
Makefile targets and CI workflows to use `uv run` for proper virtual environment isolation.

Co-Authored-By: Claude <noreply@anthropic.com>
@lukasmasuch lukasmasuch requested a review from a team as a code owner January 17, 2026 01:16
Copilot AI review requested due to automatic review settings January 17, 2026 01:16
@snyk-io
Contributor
snyk-io bot commented Jan 17, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

@github-actions
Contributor
github-actions bot commented Jan 17, 2026

✅ PR preview is ready!

Name Link
📦 Wheel file https://core-previews.s3-us-west-2.amazonaws.com/pr-13622/streamlit-1.53.1-py3-none-any.whl
📦 @streamlit/component-v2-lib Download from artifacts
🕹️ Preview app pr-13622.streamlit.app (☁️ Deploy here if not accessible)

@lukasmasuch lukasmasuch changed the title from "Migrate to uv package manager (Option C: Hybrid Approach)" to "Migrate to uv package manager" Jan 17, 2026
Contributor
Copilot AI left a comment

Pull request overview

This pull request migrates Streamlit's Python package management to use uv following the "Hybrid Approach" (Option C). The package definition moves from lib/setup.py to lib/pyproject.toml, tool configurations consolidate in the root pyproject.toml, and all development workflows are updated to use uv run for proper environment isolation.

Changes:

  • Package definition migrated from lib/setup.py to lib/pyproject.toml with proper PEP 517/518/621 compliance
  • Tool configurations (ruff, mypy, ty, pytest, coverage) consolidated from separate config files (.ruff.toml, mypy.ini, etc.) to pyproject.toml files
  • Development/test/integration dependencies moved from .txt files to PEP 735 dependency groups in root pyproject.toml
  • All Makefile targets and CI workflows updated to use uv sync and uv run commands
  • Scripts updated to work with pyproject.toml instead of setup.py

Reviewed changes

Copilot reviewed 34 out of 35 changed files in this pull request and generated 7 comments.

File Description
uv-migration.md Comprehensive migration plan documentation (new)
pyproject.toml Root development environment config with tool configs and dependency groups (new)
lib/pyproject.toml Package definition replacing setup.py (new)
lib/setup.py Removed - replaced by pyproject.toml
.ruff.toml Removed - migrated to pyproject.toml
mypy.ini Removed - migrated to pyproject.toml
ty.toml Removed - migrated to pyproject.toml
lib/.coveragerc Removed - migrated to lib/pyproject.toml
lib/dev-requirements.txt Removed - migrated to dependency groups
lib/test-requirements.txt Removed - migrated to dependency groups
lib/integration-requirements.txt Removed - migrated to dependency groups
scripts/verify_version.py New script replacing setup.py verify command
scripts/update_version.py Updated regex to match pyproject.toml version field
scripts/update_name.py Updated regex to match pyproject.toml name field
scripts/sync_ruff_version.py Updated to read ruff version from pyproject.toml
Makefile All Python targets updated to use uv sync and uv run
lib/conda-recipe/meta.yaml Updated to load version from pyproject.toml
.github/workflows/* CI workflows updated for uv
.github/dependabot.yml Changed package-ecosystem from pip to uv
lib/tests/AGENTS.md Updated pytest commands to use uv run
lib/AGENTS.md Updated config file references
.gitignore Added uv.lock
Comments suppressed due to low confidence (1)

Makefile:117

  • Running protoc with uv run is incorrect. The protoc command is a system binary (the Protocol Buffer compiler), not a Python script that should be executed through uv. This will cause the protobuf compilation to fail because uv will try to find protoc as a Python package. The line should just be protoc without the uv run prefix.
	uv run protoc \
		--proto_path=proto \
		--python_out=lib \
		--mypy_out=lib \
		proto/streamlit/proto/*.proto

- Change venv directory from 'venv' to '.venv' to align with uv's default
  - Update make_init action to use .venv for cache and activation
  - Update cache key version to v2 to invalidate old caches
  - Update all workflow files that reference venv/bin/activate
- Fix mypy errors in scripts/verify_version.py
  - Simplify tomllib import logic
  - Add explicit type annotation to avoid Any return
- Fix conda recipe to find pyproject.toml in correct location
  - Change path from 'pyproject.toml' to '../pyproject.toml'

Co-Authored-By: Claude <noreply@anthropic.com>
@lukasmasuch lukasmasuch added security-assessment-completed Security assessment has been completed for PR impact:internal PR changes only affect internal code change:refactor PR contains code refactoring without behavior change labels Jan 17, 2026
@lukasmasuch
Collaborator Author

@cursor review

- Remove unused type: ignore comment from scripts/verify_version.py
  (tomli is a typed package, so type checkers find it correctly)
- Remove pip check from conda recipe test section since Snowpark builds
  intentionally exclude some dependencies which would cause pip check to fail

Co-Authored-By: Claude <noreply@anthropic.com>
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

lukasmasuch and others added 14 commits January 17, 2026 02:51
- CONTRIBUTING.md: Update development setup instructions to use uv
  - Simplify Python environment section (uv handles venv automatically)
  - Update Python unit test commands to use `uv run pytest`
  - Update Streamlit run instructions to use `uv run`
  - Simplify troubleshooting section
  - Remove manual venv creation from Ubuntu setup
- wiki/running-e2e-tests.md: Update pytest command to use `uv run`
- .cursor/rules/new_feature.mdc: Update pytest command to use `uv run`

Co-Authored-By: Claude <noreply@anthropic.com>
The cache key was not including the Python version, causing all jobs
to share the same cached venv regardless of which Python version they
needed. This resulted in errors like "No virtual environment found for
Python 3.10" when the cache was created with Python 3.12.

Fix: Include the Python version in the cache key to ensure each Python
version gets its own cached virtual environment. Also bump version to v3
to force fresh caches.

Co-Authored-By: Claude <noreply@anthropic.com>
@lukasmasuch lukasmasuch added the ai-review If applied to PR or issue will run AI review workflow label Jan 20, 2026
@github-actions github-actions bot removed the ai-review If applied to PR or issue will run AI review workflow label Jan 20, 2026
@streamlit streamlit deleted a comment from github-actions bot Jan 20, 2026
@github-actions
Contributor
github-actions bot commented Jan 20, 2026

📉 Frontend coverage change detected

The frontend unit test (vitest) coverage has decreased by 0.0000%

  • Current PR: 86.2500% (13540 lines, 1861 missed)
  • Latest develop: 86.2500% (13540 lines, 1861 missed)

✅ Coverage change is within normal range.

📊 View detailed coverage comparison

@streamlit streamlit deleted a comment from github-actions bot Jan 20, 2026
@lukasmasuch lukasmasuch added the ai-review If applied to PR or issue will run AI review workflow label Jan 20, 2026
@github-actions github-actions bot removed the ai-review If applied to PR or issue will run AI review workflow label Jan 20, 2026
@github-actions
Contributor

Summary

This PR migrates Streamlit's Python packaging infrastructure from the traditional setup.py approach to the modern uv package manager. The key changes include:

  • Package definition: Migrated from lib/setup.py to lib/pyproject.toml
  • Tool configurations: Consolidated ruff, mypy, ty, pytest, and coverage configs into the root pyproject.toml and lib/pyproject.toml
  • Dependency management: Replaced dev-requirements.txt, test-requirements.txt, and integration-requirements.txt with PEP 735 dependency groups
  • Makefile: Updated all targets to use uv run for proper venv isolation
  • CI workflows: Updated all GitHub Actions workflows to use astral-sh/setup-uv@v7
  • Conda recipe: Updated lib/conda-recipe/meta.yaml to use load_file_data instead of load_setup_py_data()

Code Quality

Strengths

  1. Clean pyproject.toml structure: Both lib/pyproject.toml and root pyproject.toml are well-organized with clear section comments and logical grouping of dependencies.

  2. Proper dependency grouping (pyproject.toml:45-152): The PEP 735 dependency groups are well-designed with dev including test, and integration including test + additional dependencies. The version constraints are appropriate and well-documented.

  3. Robust caching in CI (.github/actions/make_init/action.yml:102-114): The added venv validation check that detects broken symlinks and recreates the venv is a good defensive measure:

    - name: Check if venv is valid
      if: steps.cache-virtualenv.outputs.cache-hit == 'true'
      run: |
        if .venv/bin/python --version > /dev/null 2>&1; then
          echo "valid=true" >> $GITHUB_OUTPUT
        else
          echo "::warning::Cached venv has broken symlinks, will recreate"
          echo "valid=false" >> $GITHUB_OUTPUT
          rm -rf .venv
        fi
  4. Consistent documentation updates: All AGENTS.md files, .cursor/rules/, and CONTRIBUTING.md have been updated to use uv run commands consistently.

  5. Well-documented conda recipe (lib/conda-recipe/meta.yaml): Clear comments explaining which dependencies are excluded for SNOWPARK_CONDA_BUILD and why.

Minor Observations

  1. New verify_version.py script (scripts/verify_version.py): This script provides good functionality for verifying git tags match package versions, but it doesn't appear to be explicitly called in the release workflow. The script is well-written with proper Python 3.10 compatibility (tomllib/tomli fallback), but consider documenting its intended usage or integrating it into the release process.

  2. Ray test improvements (lib/tests/streamlit/dataframe_util_test.py:594-621): The addition of @pytest.mark.timeout(60) and explicit Ray initialization with limited resources is a good fix for CI hangs. The environment variable settings and initialization parameters are appropriate.

Test Coverage

Python Tests

  1. streamlit_test.py updates (lib/tests/streamlit/streamlit_test.py:44-53): The get_version() function was properly updated to parse pyproject.toml using tomllib instead of regex-based parsing. This is cleaner and more robust.

  2. tomli dependency (pyproject.toml:88-89): The tomli>=2.0.0; python_version < '3.11' conditional dependency ensures Python 3.10 compatibility, which aligns with the project's minimum Python version requirement.

  3. mypy ignore for tomllib/tomli (pyproject.toml:399-401): Properly configured to handle both Python 3.10 (where tomllib doesn't exist) and Python 3.11+ (where tomli isn't needed).

No New E2E Tests Required

This PR is infrastructure/tooling focused and doesn't introduce new features or modify frontend behavior, so no new E2E tests are needed.

Backwards Compatibility

Maintained Compatibility

  1. Package structure unchanged: The actual streamlit package installed by users remains identical - same dependencies, same entry points, same optional extras.

  2. Build backend: Uses setuptools.build_meta as the build backend (lib/pyproject.toml:17), maintaining compatibility with standard Python packaging tools.

  3. Component library compatibility: The component-lib remains unaffected as it uses separate tooling.

  4. Conda builds: The updated meta.yaml properly handles the SNOWPARK_CONDA_BUILD environment variable and explicitly lists dependencies (previously extracted from setup.py).

Developer Environment Changes

  1. Requires uv: Developers now need uv installed. The Makefile (Makefile:127-130) automatically installs it via pip if not present:

    @if ! command -v uv > /dev/null 2>&1; then \
        echo "Installing uv..."; \
        pip install uv; \
    fi
  2. venv location: Changed from venv to .venv directory, which is the uv default. The .gitignore already includes .venv.

  3. Minimum uv version: pyproject.toml:36 specifies required-version = ">=0.9.0" ensuring compatibility.

Security & Risk

Low Risk

  1. No production code changes: This PR only affects development/build tooling, not the runtime behavior of Streamlit.

  2. Trusted dependencies: The astral-sh/setup-uv@v7 action is from the official Astral (Ruff/uv creators) repository.

  3. GitHub token usage: The setup-uv action uses github-token for rate limiting, which is standard practice.

Considerations

  1. Ray integration test: The test now initializes Ray with limited resources (num_cpus=1, 100MB object store). While this prevents hangs, ensure this doesn't mask real issues with Ray integration in production environments.

Recommendations

  1. Consider adding verify_version.py to release workflow: While the current release process works by relying on the git tag, explicitly verifying that the tag matches lib/pyproject.toml version would add an extra safety check. This could be added to .github/workflows/release.yml before the package step:

    - name: Verify version matches tag
      run: uv run python scripts/verify_version.py --tag ${{ env.GIT_TAG }}
  2. Documentation note: Consider adding a note in CONTRIBUTING.md explaining that developers transitioning from the old setup may need to delete their venv directory since the new setup uses .venv.

  3. Ray test warning suppression: The Ray initialization in dataframe_util_test.py sets configure_logging=False and log_to_driver=False. Consider adding a brief comment explaining this is intentional to reduce noise in CI, not to hide issues.

Verdict

APPROVED: This PR represents a well-executed migration to modern Python packaging with uv. The changes are comprehensive, consistent across all affected files, and maintain backward compatibility for end users. The CI improvements (caching validation, Ray test fixes) are thoughtful additions. The migration follows Python packaging best practices (PEP 517/518/621/735) and will improve the developer experience with faster dependency resolution and better reproducibility.


This is an automated AI review. Please verify the feedback and use your judgment.

@github-actions github-actions bot added the do-not-merge PR is blocked from merging label Jan 20, 2026
- Add verify_version.py check to release.yml before packaging to ensure
  git tag matches pyproject.toml version (same as nightly.yml)
- Restore asyncio_default_fixture_loop_scope = "function" to pytest config
  that was present in the old pytest.ini

Co-Authored-By: Claude <noreply@anthropic.com>
@streamlit streamlit deleted a comment from github-actions bot Jan 20, 2026
@lukasmasuch lukasmasuch removed the do-not-merge PR is blocked from merging label Jan 20, 2026
@github-actions
Contributor

Summary

This PR migrates Streamlit’s Python tooling and CI to uv/pyproject.toml, consolidates lint/type/test configs, removes legacy requirements files and setup.py, and updates workflows/docs accordingly.

Code Quality

The migration is generally clean and consistent across Makefile, CI, and config. One potential regression stands out:

  • Windows CLI script packaging may have been dropped. lib/setup.py previously installed bin/streamlit.cmd to ensure streamlit commands work on Windows. The new lib/pyproject.toml doesn’t declare this script, so the .cmd wrapper may no longer be included in wheels or conda builds. Please confirm this is intentionally removed or add the equivalent tool.setuptools entry so Windows users retain the wrapper.
[project.scripts]
streamlit = "streamlit.web.cli:main"

[project.urls]
Homepage = "https://streamlit.io"
Documentation = "https://docs.streamlit.io/"
"Source Code" = "https://github.com/streamlit/streamlit"
"Bug Tracker" = "https://github.com/streamlit/streamlit/issues"
"Release Notes" = "https://docs.streamlit.io/develop/quick-reference/changelog"
Community = "https://discuss.streamlit.io/"

[tool.setuptools]
zip-safe = false
include-package-data = true

[tool.setuptools.packages.find]
exclude = ["tests", "tests.*"]

# PEP 561: https://mypy.readthedocs.io/en/stable/installed_packages.html
[tool.setuptools.package-data]
streamlit = ["py.typed", "hello/**/*.py"]

Test Coverage

  • No new unit or e2e tests were added, which is acceptable for infra/config migrations.
  • The Ray integration test got a timeout and explicit init guard, which should reduce CI flakiness.
  • I didn’t run tests per instructions; CI should validate.

Backwards Compatibility

Potential compatibility risk on Windows if bin/streamlit.cmd is no longer packaged (see Code Quality section).

Security & Risk

No direct security concerns noted. Primary risk is Windows CLI regression if the .cmd wrapper is required by downstream tooling.

Recommendations

  1. Ensure lib/bin/streamlit.cmd is still packaged (or document why it’s safe to drop) by adding the equivalent tool.setuptools script entry or an explicit replacement.
  2. Consider parsing pyproject.toml via tomllib in scripts/sync_ruff_version.py instead of regex to avoid brittle formatting assumptions.

Verdict

CHANGES REQUESTED: Please confirm or restore Windows CLI script packaging to avoid a potential regression.


This is an automated AI review using gpt-5.2-codex-high. Please verify the feedback and use your judgment.

@github-actions github-actions bot added the do-not-merge PR is blocked from merging label Jan 20, 2026
@lukasmasuch lukasmasuch removed the do-not-merge PR is blocked from merging label Jan 20, 2026
@lukasmasuch
Collaborator Author

CHANGES REQUESTED: Please confirm or restore Windows CLI script packaging to avoid a potential regression.

This change is intended since the new setup can handle this out of the box.

@github-actions
Contributor
github-actions bot commented Jan 22, 2026

📉 Python coverage change detected

The Python unit test coverage has decreased by 0.0302%

  • Current PR: 93.0906% (23157 statements, 1600 missed)
  • Latest develop: 93.1209% (23157 statements, 1593 missed)

💡 Consider adding more unit tests to maintain or improve coverage.

Coverage by files
Name Stmts Miss Cover
streamlit/__init__.py 136 0 100%
streamlit/__main__.py 3 3 0%
streamlit/auth_util.py 231 25 89%
streamlit/cli_util.py 39 6 85%
streamlit/column_config.py 3 0 100%
streamlit/commands/__init__.py 0 0 100%
streamlit/commands/echo.py 54 2 96%
streamlit/commands/execution_control.py 70 10 86%
streamlit/commands/logo.py 53 1 98%
streamlit/commands/navigation.py 106 2 98%
streamlit/commands/page_config.py 106 4 96%
streamlit/components/__init__.py 0 0 100%
streamlit/components/lib/__init__.py 0 0 100%
streamlit/components/lib/local_component_registry.py 35 2 94%
streamlit/components/types/__init__.py 0 0 100%
streamlit/components/types/base_component_registry.py 14 0 100%
streamlit/components/types/base_custom_component.py 48 6 88%
streamlit/components/v1/__init__.py 5 0 100%
streamlit/components/v1/component_arrow.py 33 2 94%
streamlit/components/v1/component_registry.py 41 3 93%
streamlit/components/v1/components.py 4 4 0%
streamlit/components/v1/custom_component.py 84 7 92%
streamlit/components/v2/__init__.py 27 0 100%
streamlit/components/v2/bidi_component/__init__.py 4 0 100%
streamlit/components/v2/bidi_component/constants.py 5 0 100%
streamlit/components/v2/bidi_component/main.py 148 17 89%
streamlit/components/v2/bidi_component/serialization.py 81 2 98%
streamlit/components/v2/bidi_component/state.py 13 0 100%
streamlit/components/v2/component_definition_resolver.py 30 0 100%
streamlit/components/v2/component_file_watcher.py 117 9 92%
streamlit/components/v2/component_manager.py 97 13 87%
streamlit/components/v2/component_manifest_handler.py 24 0 100%
streamlit/components/v2/component_path_utils.py 68 5 93%
streamlit/components/v2/component_registry.py 121 8 93%
streamlit/components/v2/get_bidi_component_manager.py 8 1 88%
streamlit/components/v2/manifest_scanner.py 227 25 89%
streamlit/components/v2/presentation.py 84 19 77%
streamlit/components/v2/types.py 8 8 0%
streamlit/config.py 415 12 97%
streamlit/config_option.py 79 3 96%
streamlit/config_util.py 288 7 98%
streamlit/connections/__init__.py 6 0 100%
streamlit/connections/base_connection.py 49 0 100%
streamlit/connections/snowflake_connection.py 98 16 84%
streamlit/connections/snowpark_connection.py 44 3 93%
streamlit/connections/sql_connection.py 56 6 89%
streamlit/connections/util.py 33 0 100%
streamlit/cursor.py 130 1 99%
streamlit/dataframe_util.py 506 47 91%
streamlit/delta_generator.py 250 7 97%
streamlit/delta_generator_singletons.py 74 7 91%
streamlit/deprecation_util.py 66 4 94%
streamlit/development.py 1 0 100%
streamlit/elements/__init__.py 0 0 100%
streamlit/elements/alert.py 60 0 100%
streamlit/elements/arrow.py 203 15 93%
streamlit/elements/balloons.py 10 0 100%
streamlit/elements/bokeh_chart.py 9 0 100%
streamlit/elements/code.py 20 1 95%
streamlit/elements/deck_gl_json_chart.py 104 10 90%
streamlit/elements/dialog_decorator.py 38 0 100%
streamlit/elements/doc_string.py 227 9 96%
streamlit/elements/empty.py 16 4 75%
streamlit/elements/exception.py 101 10 90%
streamlit/elements/form.py 56 2 96%
streamlit/elements/graphviz_chart.py 36 1 97%
streamlit/elements/heading.py 56 0 100%
streamlit/elements/html.py 49 0 100%
streamlit/elements/iframe.py 29 0 100%
streamlit/elements/image.py 32 0 100%
streamlit/elements/json.py 48 6 88%
streamlit/elements/layouts.py 140 3 98%
streamlit/elements/lib/__init__.py 0 0 100%
streamlit/elements/lib/built_in_chart_utils.py 391 26 93%
streamlit/elements/lib/color_util.py 100 4 96%
streamlit/elements/lib/column_config_utils.py 169 1 99%
streamlit/elements/lib/column_types.py 190 4 98%
streamlit/elements/lib/dialog.py 69 1 99%
streamlit/elements/lib/dicttools.py 39 2 95%
streamlit/elements/lib/file_uploader_utils.py 30 0 100%
streamlit/elements/lib/form_utils.py 26 0 100%
streamlit/elements/lib/image_utils.py 176 21 88%
streamlit/elements/lib/js_number.py 28 3 89%
streamlit/elements/lib/layout_utils.py 121 1 99%
streamlit/elements/lib/mutable_status_container.py 73 4 95%
streamlit/elements/lib/options_selector_utils.py 142 2 99%
streamlit/elements/lib/pandas_styler_utils.py 80 2 98%
streamlit/elements/lib/policies.py 56 1 98%
streamlit/elements/lib/shortcut_utils.py 42 2 95%
streamlit/elements/lib/streamlit_plotly_theme.py 48 0 100%
streamlit/elements/lib/subtitle_utils.py 76 5 93%
streamlit/elements/lib/utils.py 76 5 93%
streamlit/elements/map.py 110 1 99%
streamlit/elements/markdown.py 65 2 97%
streamlit/elements/media.py 181 8 96%
streamlit/elements/metric.py 104 0 100%
streamlit/elements/pdf.py 49 2 96%
streamlit/elements/plotly_chart.py 129 6 95%
streamlit/elements/progress.py 36 0 100%
streamlit/elements/pyplot.py 39 2 95%
streamlit/elements/snow.py 10 0 100%
streamlit/elements/space.py 12 0 100%
streamlit/elements/spinner.py 44 3 93%
streamlit/elements/text.py 16 0 100%
streamlit/elements/toast.py 26 0 100%
streamlit/elements/vega_charts.py 238 5 98%
streamlit/elements/widgets/__init__.py 0 0 100%
streamlit/elements/widgets/audio_input.py 68 1 99%
streamlit/elements/widgets/button.py 245 6 98%
streamlit/elements/widgets/button_group.py 171 1 99%
streamlit/elements/widgets/camera_input.py 62 1 98%
streamlit/elements/widgets/chat.py 237 38 84%
streamlit/elements/widgets/checkbox.py 52 0 100%
streamlit/elements/widgets/color_picker.py 59 2 97%
streamlit/elements/widgets/data_editor.py 254 14 94%
streamlit/elements/widgets/file_uploader.py 108 10 91%
streamlit/elements/widgets/multiselect.py 114 5 96%
streamlit/elements/widgets/number_input.py 146 4 97%
streamlit/elements/widgets/radio.py 103 5 95%
streamlit/elements/widgets/select_slider.py 122 2 98%
streamlit/elements/widgets/selectbox.py 97 3 97%
streamlit/elements/widgets/slider.py 241 8 97%
streamlit/elements/widgets/text_widgets.py 130 6 95%
streamlit/elements/widgets/time_widgets.py 425 21 95%
streamlit/elements/write.py 166 20 88%
streamlit/emojis.py 4 0 100%
streamlit/env_util.py 21 3 86%
streamlit/error_util.py 33 2 94%
streamlit/errors.py 184 25 86%
streamlit/external/__init__.py 0 0 100%
streamlit/external/langchain/__init__.py 2 0 100%
streamlit/external/langchain/streamlit_callback_handler.py 141 82 42%
streamlit/file_util.py 84 8 90%
streamlit/git_util.py 100 5 95%
streamlit/logger.py 54 0 100%
streamlit/material_icon_names.py 1 0 100%
streamlit/navigation/__init__.py 0 0 100%
streamlit/navigation/page.py 78 2 97%
streamlit/net_util.py 55 3 95%
streamlit/platform.py 10 1 90%
streamlit/runtime/__init__.py 8 0 100%
streamlit/runtime/app_session.py 456 85 81%
streamlit/runtime/caching/__init__.py 21 0 100%
streamlit/runtime/caching/cache_data_api.py 191 3 98%
streamlit/runtime/caching/cache_errors.py 44 4 91%
streamlit/runtime/caching/cache_resource_api.py 165 1 99%
streamlit/runtime/caching/cache_type.py 11 1 91%
streamlit/runtime/caching/cache_utils.py 176 9 95%
streamlit/runtime/caching/cached_message_replay.py 108 1 99%
streamlit/runtime/caching/hashing.py 310 25 92%
streamlit/runtime/caching/legacy_cache_api.py 14 0 100%
streamlit/runtime/caching/storage/__init__.py 2 0 100%
streamlit/runtime/caching/storage/cache_storage_protocol.py 29 0 100%
streamlit/runtime/caching/storage/dummy_cache_storage.py 21 0 100%
streamlit/runtime/caching/storage/in_memory_cache_storage_wrapper.py 67 1 99%
streamlit/runtime/caching/storage/local_disk_cache_storage.py 86 4 95%
streamlit/runtime/caching/ttl_cleanup_cache.py 28 0 100%
streamlit/runtime/connection_factory.py 96 11 89%
streamlit/runtime/context.py 137 0 100%
streamlit/runtime/context_util.py 18 0 100%
streamlit/runtime/credentials.py 139 4 97%
streamlit/runtime/download_data_util.py 27 0 100%
streamlit/runtime/forward_msg_cache.py 23 2 91%
streamlit/runtime/forward_msg_queue.py 63 4 94%
streamlit/runtime/fragment.py 112 2 98%
streamlit/runtime/media_file_manager.py 110 7 94%
streamlit/runtime/media_file_storage.py 15 0 100%
streamlit/runtime/memory_media_file_storage.py 73 0 100%
streamlit/runtime/memory_session_storage.py 15 0 100%
streamlit/runtime/memory_uploaded_file_manager.py 46 1 98%
streamlit/runtime/metrics_util.py 195 13 93%
streamlit/runtime/pages_manager.py 59 2 97%
streamlit/runtime/runtime.py 253 16 94%
streamlit/runtime/runtime_util.py 30 1 97%
streamlit/runtime/script_data.py 16 0 100%
streamlit/runtime/scriptrunner/__init__.py 5 0 100%
streamlit/runtime/scriptrunner/exec_code.py 49 5 90%
streamlit/runtime/scriptrunner/magic.py 83 1 99%
streamlit/runtime/scriptrunner/magic_funcs.py 10 1 90%
streamlit/runtime/scriptrunner/script_cache.py 27 0 100%
streamlit/runtime/scriptrunner/script_runner.py 235 27 89%
streamlit/runtime/scriptrunner_utils/__init__.py 0 0 100%
streamlit/runtime/scriptrunner_utils/exceptions.py 9 1 89%
streamlit/runtime/scriptrunner_utils/script_requests.py 106 5 95%
streamlit/runtime/scriptrunner_utils/script_run_context.py 118 0 100%
streamlit/runtime/secrets.py 241 25 90%
streamlit/runtime/session_manager.py 71 2 97%
streamlit/runtime/state/__init__.py 7 0 100%
streamlit/runtime/state/common.py 55 1 98%
streamlit/runtime/state/presentation.py 19 4 79%
streamlit/runtime/state/query_params.py 274 6 98%
streamlit/runtime/state/query_params_proxy.py 71 0 100%
streamlit/runtime/state/safe_session_state.py 77 9 88%
streamlit/runtime/state/session_state.py 503 36 93%
streamlit/runtime/state/session_state_proxy.py 62 8 87%
streamlit/runtime/state/widgets.py 19 0 100%
streamlit/runtime/stats.py 132 4 97%
streamlit/runtime/theme_util.py 46 1 98%
streamlit/runtime/uploaded_file_manager.py 39 3 92%
streamlit/runtime/websocket_session_manager.py 116 0 100%
streamlit/source_util.py 36 1 97%
streamlit/starlette.py 2 0 100%
streamlit/string_util.py 93 9 90%
streamlit/temporary_directory.py 18 1 94%
streamlit/testing/__init__.py 0 0 100%
streamlit/testing/v1/__init__.py 2 0 100%
streamlit/testing/v1/app_test.py 242 5 98%
streamlit/testing/v1/element_tree.py 1372 81 94%
streamlit/testing/v1/local_script_runner.py 71 2 97%
streamlit/testing/v1/util.py 17 0 100%
streamlit/time_util.py 28 1 96%
streamlit/type_util.py 148 16 89%
streamlit/url_util.py 39 4 90%
streamlit/user_info.py 105 8 92%
streamlit/util.py 38 1 97%
streamlit/version.py 3 0 100%
streamlit/watcher/__init__.py 3 0 100%
streamlit/watcher/event_based_path_watcher.py 184 25 86%
streamlit/watcher/folder_black_list.py 14 1 93%
streamlit/watcher/local_sources_watcher.py 127 9 93%
streamlit/watcher/path_watcher.py 42 3 93%
streamlit/watcher/polling_path_watcher.py 55 2 96%
streamlit/watcher/util.py 59 1 98%
streamlit/web/__init__.py 0 0 100%
streamlit/web/bootstrap.py 174 21 88%
streamlit/web/cache_storage_manager_config.py 5 0 100%
streamlit/web/cli.py 188 16 91%
streamlit/web/server/__init__.py 5 0 100%
streamlit/web/server/app_discovery.py 104 5 95%
streamlit/web/server/app_static_file_handler.py 29 3 90%
streamlit/web/server/authlib_tornado_integration.py 42 5 88%
streamlit/web/server/bidi_component_request_handler.py 65 8 88%
streamlit/web/server/browser_websocket_handler.py 147 20 86%
streamlit/web/server/component_file_utils.py 24 0 100%
streamlit/web/server/component_request_handler.py 55 4 93%
streamlit/web/server/media_file_handler.py 65 9 86%
streamlit/web/server/oauth_authlib_routes.py 162 35 78%
streamlit/web/server/oidc_mixin.py 46 0 100%
streamlit/web/server/routes.py 90 7 92%
streamlit/web/server/server.py 195 13 93%
streamlit/web/server/server_util.py 68 5 93%
streamlit/web/server/starlette/__init__.py 3 0 100%
streamlit/web/server/starlette/starlette_app.py 146 4 97%
streamlit/web/server/starlette/starlette_app_utils.py 101 7 93%
streamlit/web/server/starlette/starlette_auth_routes.py 233 51 78%
streamlit/web/server/starlette/starlette_gzip_middleware.py 30 0 100%
streamlit/web/server/starlette/starlette_routes.py 346 86 75%
streamlit/web/server/starlette/starlette_server.py 167 7 96%
streamlit/web/server/starlette/starlette_server_config.py 13 0 100%
streamlit/web/server/starlette/starlette_static_routes.py 64 3 95%
streamlit/web/server/starlette/starlette_websocket.py 203 23 89%
streamlit/web/server/stats_request_handler.py 59 5 92%
streamlit/web/server/upload_file_request_handler.py 59 7 88%
streamlit/web/server/websocket_headers.py 19 1 95%
TOTAL 23157 1600 93%

📊 View detailed coverage comparison

lukasmasuch and others added 3 commits January 27, 2026 01:05
Co-authored-by: graphite-app[bot] <96075541+graphite-app[bot]@users.noreply.github.com>
.venv
Pipfile.lock
Pipfile
uv.lock
Collaborator Author

In a future follow-up, we could consider adding the uv.lock file as well. But this might require some tweaks.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you scan for dependency CVEs without including uv.lock?
Right now there is a high one for protobuf and it does not help us to look compliant.

Collaborator Author
@lukasmasuch lukasmasuch Jan 28, 2026

As a Python library, CVEs on Python dependencies are primarily relevant to safeguard the build process, and we have some tools, such as Snyk, to assist us with this. At install time, it's the responsibility of the app developer to take care of using up-to-date and safe dependency versions. The range of supported versions is deliberately kept very open, which is common for Python libraries. Nevertheless, I think it would be a good practice for us to have a checked-in lock file for our dev/test dependencies. Just needs a bit of refactoring.

But it's a very different story for frontend dependencies since these are bundled and shipped in the Streamlit distribution and need to be kept safe and up-to-date from our side.
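The point at issue in the last two comments, as an added example (not code from the Streamlit repository): an advisory can be matched exactly against a version pinned in uv.lock, while an open range from pyproject.toml usually admits both affected and fixed versions, so the result is indeterminate. The lock excerpt, ranges and advisory records are constructed, the helper names are hypothetical, and version handling is simplified to dotted numeric versions (no `~=`, no pre-releases).

```python
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # Python 3.10: the tomli fallback the review mentions
    import tomli as tomllib

# Constructed uv.lock excerpt: one [[package]] table per resolved pin.
SAMPLE_LOCK = """
version = 1
requires-python = ">=3.10"

[[package]]
name = "protobuf"
version = "5.1.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "tornado"
version = "6.5.1"
source = { registry = "https://pypi.org/simple" }
"""

# Constructed open ranges, as a library would declare them in pyproject.toml.
SAMPLE_REQUIREMENTS = ["protobuf>=3.20,<7", "tornado>=6.0.3,!=6.5.0,<7"]

# Constructed advisory records: ids and version bounds are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "protobuf",
     "introduced": "4.0.0", "fixed": "5.2.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "tornado",
     "introduced": "6.0.0", "fixed": "6.5.0"},
]


def normalize(name):
    """PEP 503 name normalization, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Dotted numeric version -> tuple padded to four parts for comparison."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def locked_versions(lock_text):
    """Map normalized package name -> pinned version from uv.lock text."""
    data = tomllib.loads(lock_text)
    return {normalize(p["name"]): p["version"]
            for p in data.get("package", []) if "version" in p}


def spec_interval(spec):
    """Requirement string -> (lo, lo_inclusive, hi, hi_inclusive); None = open."""
    lo, lo_inc, hi, hi_inc = None, True, None, True
    for op, ver in re.findall(r"(>=|<=|==|!=|>|<)\s*([0-9.]+)", spec):
        v = parse_version(ver)
        if op in (">=", ">", "==") and (lo is None or v > lo or (v == lo and op == ">")):
            lo, lo_inc = v, op != ">"
        if op in ("<=", "<", "==") and (hi is None or v < hi or (v == hi and op == "<")):
            hi, hi_inc = v, op != "<"
        # "!=" removes single versions only, so it never moves a bound.
    return lo, lo_inc, hi, hi_inc


def intersects(a, b):
    """True if two intervals share at least one version."""
    lo, lo_inc, hi, hi_inc = a
    if b[0] is not None and (lo is None or b[0] > lo or (b[0] == lo and not b[1])):
        lo, lo_inc = b[0], b[1]
    if b[2] is not None and (hi is None or b[2] < hi or (b[2] == hi and not b[3])):
        hi, hi_inc = b[2], b[3]
    if lo is None or hi is None:
        return True
    return lo < hi or (lo == hi and lo_inc and hi_inc)


def audit(lock_text, requirements, advisories):
    """Judge each advisory against the pin if one exists, else the range."""
    pins = locked_versions(lock_text) if lock_text else {}
    declared = {normalize(re.match(r"[A-Za-z0-9._-]+", r).group()): r
                for r in requirements}
    findings = []
    for adv in advisories:
        name = normalize(adv["package"])
        intro, fixed = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        bad = (intro, True, fixed, False)            # affected: [introduced, fixed)
        if name in pins:
            v = parse_version(pins[name])
            hit = intersects((v, True, v, True), bad)
            verdict, basis = ("affected" if hit else "not affected"), "uv.lock pin"
        elif name in declared:
            rng = spec_interval(declared[name])
            can_bad = intersects(rng, bad)
            can_ok = (intersects(rng, (fixed, True, None, True))
                      or intersects(rng, (None, True, intro, False)))
            verdict = ("indeterminate" if can_bad and can_ok
                       else "affected" if can_bad else "not affected")
            basis = "declared range"
        else:
            continue
        findings.append({"id": adv["id"], "package": name,
                         "verdict": verdict, "basis": basis})
    return findings


if __name__ == "__main__":
    for label, lock in (("with uv.lock", SAMPLE_LOCK), ("ranges only", "")):
        for f in audit(lock, SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
            print(label, f["package"], f["verdict"], f"({f['basis']})")
```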

Labels

change:refactor PR contains code refactoring without behavior change impact:internal PR changes only affect internal code security-assessment-completed Security assessment has been completed for PR

3 participants