Add user warning for packages without lower bound with --resolution=lowest or lowest-direct

_typos.toml

@@ -11,6 +11,7 @@ extend-ignore-re = [
     "FrIeNdLy-\\._\\.-bArD",
     "I borken you cache",
     "eb1ba5f5",
+    "github_pat_.*"
 ]
 
 [default.extend-identifiers]

crates/uv-resolver/src/resolver/mod.rs

@@ -32,6 +32,7 @@ use uv_distribution::{ArchiveMetadata, DistributionDatabase};
 use uv_git::GitResolver;
 use uv_normalize::{ExtraName, PackageName};
 use uv_types::{BuildContext, HashStrategy, InstalledPackagesProvider};
+use uv_warnings::warn_user_once;
 
 use crate::candidate_selector::{CandidateDist, CandidateSelector};
 use crate::dependency_provider::UvDependencyProvider;
@@ -45,6 +46,7 @@ use crate::pubgrub::{
 };
 use crate::python_requirement::PythonRequirement;
 use crate::resolution::ResolutionGraph;
+use crate::resolution_mode::ResolutionStrategy;
 pub(crate) use crate::resolver::availability::{
     IncompletePackage, ResolverVersion, UnavailablePackage, UnavailableReason, UnavailableVersion,
 };
@@ -848,7 +850,13 @@ impl<InstalledPackages: InstalledPackagesProvider> ResolverState<InstalledPackag
     ) -> Result<Vec<Dependencies>, ResolveError> {
         type Dep = (PubGrubPackage, Range<Version>);
 
-        let result = self.get_dependencies(package, version, priorities, request_sink);
+        let result = self.get_dependencies(
+            package,
+            version,
+            priorities,
+            request_sink,
+            self.selector.resolution_strategy(),
+        );
         if self.markers.is_some() {
             return result.map(|deps| vec![deps]);
         }
@@ -906,6 +914,7 @@ impl<InstalledPackages: InstalledPackagesProvider> ResolverState<InstalledPackag
         version: &Version,
         priorities: &mut PubGrubPriorities,
         request_sink: &Sender<Request>,
+        resolution_strategy: &ResolutionStrategy,
     ) -> Result<Dependencies, ResolveError> {
         match &**package {
             PubGrubPackageInner::Root(_) => {
@@ -934,6 +943,14 @@ impl<InstalledPackages: InstalledPackagesProvider> ResolverState<InstalledPackag
                 for (package, version) in dependencies.iter() {
                     debug!("Adding direct dependency: {package}{version}");
 
+                    // Warn the user if the direct dependency is not pinned.
+                    if matches!(
+                        resolution_strategy,
+                        ResolutionStrategy::Lowest | ResolutionStrategy::LowestDirect(..)
+                    ) && *version == (Range::full())
+                    {
+                        warn_user_once!("The direct dependency `{package}` is unpinned. Consider setting a lower bound.");
+                    }
                     // Update the package priorities.
                     priorities.insert(package, version);
 
@@ -1069,6 +1086,14 @@ impl<InstalledPackages: InstalledPackagesProvider> ResolverState<InstalledPackag
                 for (dep_package, dep_version) in dependencies.iter() {
                     debug!("Adding transitive dependency for {package}=={version}: {dep_package}{dep_version}");
 
+                    // Warn the user if the transitive dependency is not pinned.
+                    if matches!(
+                        resolution_strategy,
+                        ResolutionStrategy::Lowest | ResolutionStrategy::LowestDirect(..)
+                    ) && *dep_version == (Range::full())
+                    {
+                        warn_user_once!("The transitive dependency `{dep_package}` is unpinned. Consider setting a lower bound.");
+                    }
                     // Update the package priorities.
                     priorities.insert(dep_package, dep_version);
 
@@ -1569,7 +1594,7 @@ impl<'a> From<ResolvedDistRef<'a>> for Request {
         // N.B. This is almost identical to `ResolvedDistRef::to_owned`, but
         // creates a `Request` instead of a `ResolvedDist`. There's probably
         // some room for DRYing this up a bit. The obvious way would be to
-        // add a method to create a `Dist`, but a `Dist` cannot reprented an
+        // add a method to create a `Dist`, but a `Dist` cannot represented an
         // installed dist.
         match dist {
             ResolvedDistRef::InstallableRegistrySourceDist { sdist, prioritized } => {

crates/uv/tests/pip_compile.rs

@@ -1039,6 +1039,7 @@ fn compile_sdist_resolution_lowest() -> Result<()> {
         # via anyio
 
     ----- stderr -----
+    warning: The direct dependency `anyio` is unpinned. Consider setting a lower bound.
     Resolved 3 packages in [TIME]
     "###
     );
@@ -6597,6 +6598,8 @@ fn editable_direct_dependency() -> Result<()> {
         # via setuptools-editable
 
     ----- stderr -----
+    warning: The direct dependency `setuptools-editable` is unpinned. Consider setting a lower bound.
+    warning: The transitive dependency `iniconfig` is unpinned. Consider setting a lower bound.
     Resolved 2 packages in [TIME]
     "###);
 
@@ -6944,6 +6947,8 @@ dev = ["setuptools"]
         # via example
 
     ----- stderr -----
+    warning: The direct dependency `example` is unpinned. Consider setting a lower bound.
+    warning: The transitive dependency `setuptools` is unpinned. Consider setting a lower bound.
     Resolved 4 packages in [TIME]
     "###
     );
@@ -8536,6 +8541,7 @@ fn compile_index_url_unsafe_lowest() -> Result<()> {
         # via -r requirements.in
 
     ----- stderr -----
+    warning: The direct dependency `anyio` is unpinned. Consider setting a lower bound.
     Resolved 1 package in [TIME]
     "###
     );

crates/uv/tests/pip_install.rs

@@ -2382,6 +2382,7 @@ fn install_sdist_resolution_lowest() -> Result<()> {
     ----- stdout -----
 
     ----- stderr -----
+    warning: The direct dependency `anyio` is unpinned. Consider setting a lower bound.
     Resolved 3 packages in [TIME]
     Downloaded 3 packages in [TIME]
     Installed 3 packages in [TIME]