feat(pep621): use exclude-newer during uv lock when minimumReleaseAge is set

[thejoeejoee]

Changes

When minimumReleaseAge is configured, Renovate now passes UV_EXCLUDE_NEWER as an environment variable to uv lock.

Additionally, if pyproject.toml already defines [tool.uv] exclude-newer, Renovate compares it with its own computed date and uses the more restrictive (older) one. This prevents Renovate from accidentally widening the package resolution window beyond what the project intended.

📖 Related: uv documents recommended exclude-newer usage for dependency bots in their integration guide.

Key changes:

• lib/modules/manager/types.ts — added minimumReleaseAge to UpdateArtifactsConfig
• lib/modules/manager/pep621/schema.ts — added exclude-newer to UvConfig Zod schema (handles both TOML string and Date types)
• lib/modules/manager/pep621/processors/uv.ts — UV_EXCLUDE_NEWER env var with min(renovate_date, pyproject_date) logic
• lib/modules/manager/pep621/processors/uv.spec.ts — 28 tests covering env var usage, min-date comparison, invalid values, and edge cases

Context

• This closes an existing Issue, Closes: Pass --exclude-newer to uv #41654

AI assistance disclosure

• Yes — substantive assistance (AI-generated non‑trivial portions of code, tests, or documentation).

opencode (Claude Opus 4.6 / Sonnet 4.6) used for test writing, and code review iteration

Documentation (please check one with an [x])

• I have updated the documentation

How I've tested my work (please select one)

• Newly added/modified unit tests

[RahulGautamSingh]

Please, use the PR template

[Churro]

I think this could benefit from some refinement:

• With uv, --exclude-newer can also be defined in pyproject.toml or uv.toml (see here). A CLI value always takes precedence but this creates a problem if the pyproject.toml setting is not the same value as minimumReleaseAge:
  • If it is more restrictive (older date), a less restrictive renovate minimumReleaseAge would override it and potentially allow packages the user explicitly wanted to exclude.
  • If it is less restrictive (newer date or absent), renovate correctly tightens the constraint.
  • Suggestion: Read exclude-newer from pyproject.toml and, if present, use the more restrictive (older) date of the two, i.e., min(renovate_minimum_release_age, pyproject_exclude_newer_date).
• Using UV_EXCLUDE_NEWER instead of --exclude-newer would be more consistent with the existing code style (UV_EXTRA_URL, UV_INDEX_* patterns).
• --exclude-newer works only since uv 0.2.22. Unlikely that someone still uses such old versions but, strictly speaking, it would be necessary to check if a uv constraint is set and if < 0.2.22 to omit this setting. The elegance of the approach via UV_EXCLUDE_NEWER env var is that incompatible uv versions would simply ignore the setting.
• Might also be worth a hint in renovate docs, considering that uv also explicitly exemplifies using this combination: https://docs.astral.sh/uv/guides/integration/dependency-bots/#dependency-cooldown

[thejoeejoee]

Thanks, all four points are addressed in the later commits — min() of both dates, UV_EXCLUDE_NEWER env var (so old uv versions just ignore it), and a docs note linking the uv dependency guide.