Do not include unsafe dependencies in the compiled file unless some flag specified

[DrJackilD]

Hey guys, it's me again! 😅 uv includes some packages in the compiled file, which are considered unsafe (for example, PEP 518 specifically asking to not pin setuptools unless you know what you're doing). By default, pip-tools do not pin setuptools, pip and distibute packages (https://github.com/jazzband/pip-tools/blob/9d0a91a382748a68f86d58a9e086b46a9b7c74f7/piptools/utils.py#L11).

You could tweak this behaviour by those options:

--allow-unsafe / --no-allow-unsafe
                                  Pin packages considered unsafe: distribute,
                                  pip, setuptools.

                                  WARNING: Future versions of pip-tools will
                                  enable this behavior by default. Use --no-
                                  allow-unsafe to keep the old behavior. It is
                                  recommended to pass the --allow-unsafe now
                                  to adapt to the upcoming change.
 --unsafe-package TEXT           Specify a package to consider unsafe; may be
                                  used more than once. Replaces default unsafe
                                  packages: distribute, pip, setuptools

Probably would be good to implement something in uv, wdyt?

[hauntsaninja]

Duplicate of #1353 and #1415

Not sure how PEP 518 is relevant here, that would apply to build environments. If you have a compiled lock file for your build environment I think you'd need --no-build-isolation or similar to get it to actually work.

[DrJackilD]

Ah, didn't search before creating an issue, sorry! Closing as duplicate