Dependency Audit Report
Executive Summary
This repository currently uses pip/venv for dependency management, with dependency definitions split across three configuration files (requirements.txt, requirements-dev.txt, and pyproject.toml). According to the project standards defined in CLAUDE.md, UV should be the exclusive package manager ("ALWAYS use UV - never pip, venv, or requirements.txt").
Status: ❌ NOT UV COMPLIANT
Critical Findings
1. ❌ Non-UV Package Management
Severity: HIGH
Impact: Violates project standards, slower installs, inconsistent environments
Current State:
- Using `pip` for dependency installation
- Using `venv` for virtual environment creation
- Dependency definitions in `requirements.txt` and `requirements-dev.txt`
- `pyproject.toml` exists but is not configured for UV
Evidence:
- `run-server.sh:969-976`: uses `pip install -r requirements.txt`
- `code_quality_checks.sh:45`: uses `pip install -r requirements-dev.txt`
- `run-server.sh:565-657`: UV is an optional fallback, not the primary tool
Required Actions:
- Migrate all dependency management to UV exclusively
- Convert `requirements.txt` → `pyproject.toml` dependencies
- Convert `requirements-dev.txt` → `pyproject.toml` dev dependencies
- Update all scripts to use `uv sync` instead of `pip install`
- Remove legacy `requirements*.txt` files after migration
2. ⚠️ Missing Dependency Lock File
Severity: MEDIUM
Impact: Unreproducible builds, potential version conflicts
Current State:
- No `uv.lock` file present
- Dependencies use minimum version constraints (`>=`)
- No guarantee of reproducible installations across environments
Dependencies with minimum constraints:
```
mcp>=1.0.0
google-genai>=1.19.0
openai>=1.55.2
pydantic>=2.0.0
python-dotenv>=1.0.0
```
Required Actions:
- Initialize UV: `uv init`
- Generate lock file: `uv lock`
- Commit `uv.lock` to version control
- Update CI/CD to use `uv sync --frozen` for reproducible builds
3. ⚠️ Dual Configuration Maintenance Burden
Severity: MEDIUM
Impact: Configuration drift, maintenance overhead, potential inconsistencies
Current State:
- Dependencies defined in 3 places: `requirements.txt` (6 runtime deps), `requirements-dev.txt` (8 dev deps), `pyproject.toml` (5 deps, missing dev deps)
Inconsistencies Found:
- `pyproject.toml` missing `importlib-resources` (present in `requirements.txt`)
- Dev dependencies only in `requirements-dev.txt`, not in `pyproject.toml`
Required Actions:
- Consolidate all dependencies into `pyproject.toml`
- Use `[project.dependencies]` for runtime deps
- Use `[project.optional-dependencies]` for dev deps
- Remove `requirements*.txt` files
- Update documentation to reference `pyproject.toml` only
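The drift described in this finding (a package present in one definition file but not another) is easy to catch mechanically. The script below is an added example, not code from the repository: it extracts package names from `requirements.txt`, `requirements-dev.txt` and the dependency arrays of `pyproject.toml`, normalises them per PEP 503, and reports every name that is missing from its counterpart. The three inputs are constructed samples that reproduce the audit's finding (`importlib-resources` only in `requirements.txt`, dev tools only in `requirements-dev.txt`); the `pyproject.toml` reader is a deliberately small array extractor so the script runs on any Python 3, and for a real pyproject file `tomllib` (Python 3.11+) would be the better choice.

```python
"""Dependency drift check across requirements*.txt and pyproject.toml.

Added example, not the project's own code. The pyproject reader is a small
array extractor (not a general TOML parser) so it runs on any Python 3.
"""
import re
import sys

# Constructed sample inputs (not the repository's real files). They mirror
# the audit's finding: importlib-resources is in requirements.txt but not in
# pyproject.toml, and most dev tools exist only in requirements-dev.txt.
REQUIREMENTS_TXT = """\
# runtime deps
mcp>=1.0.0
google-genai>=1.19.0
openai>=1.55.2   # pinned floor for httpx compatibility
pydantic>=2.0.0
python-dotenv>=1.0.0
importlib-resources>=5.0.0; python_version < "3.9"
"""

REQUIREMENTS_DEV_TXT = """\
-r requirements.txt
pytest>=7.4.0
pytest-asyncio>=0.21.0
pytest-mock>=3.11.0
black>=23.0.0
ruff>=0.1.0
isort>=5.12.0
"""

PYPROJECT_TOML = """\
[project]
name = "example-server"
dependencies = [
    "mcp>=1.0.0",
    "google-genai>=1.19.0",
    "openai>=1.55.2",
    "pydantic>=2.0.0",
    "python-dotenv>=1.0.0",
]

[project.optional-dependencies]
dev = [
    "pytest>=7.4.0",
    "ruff>=0.1.0",
]
"""

# Leading project name of a PEP 508 requirement (extras/specifier/marker follow).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str:
    """Canonical name of one requirement string such as 'Foo[bar]>=1; marker'."""
    m = _NAME_RE.match(spec)
    if not m:
        raise ValueError(f"not a requirement: {spec!r}")
    return canonical_name(m.group(1))


def names_from_requirements(text: str) -> set:
    """Names in requirements.txt content; comments and pip options (-r, -e, ...) are skipped."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            names.add(requirement_name(line))
    return names


def toml_string_array(text: str, key: str) -> list:
    """Quoted strings of the first `key = [ ... ]` array in text (simplified TOML reading)."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*\[(.*?)\]", text, re.M | re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def dependency_drift(req_txt: str, req_dev_txt: str, pyproject: str) -> dict:
    """Report names present in one source but absent from its counterpart."""
    runtime_req = names_from_requirements(req_txt)
    dev_req = names_from_requirements(req_dev_txt)
    runtime_py = {requirement_name(s) for s in toml_string_array(pyproject, "dependencies")}
    dev_py = {requirement_name(s) for s in toml_string_array(pyproject, "dev")}
    return {
        "pyproject_missing_runtime": sorted(runtime_req - runtime_py),
        "pyproject_missing_dev": sorted(dev_req - dev_py),
        "requirements_missing_runtime": sorted(runtime_py - runtime_req),
        "requirements_missing_dev": sorted(dev_py - dev_req),
    }


if __name__ == "__main__":
    report = dependency_drift(REQUIREMENTS_TXT, REQUIREMENTS_DEV_TXT, PYPROJECT_TOML)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
    # Non-zero exit makes this usable as a CI gate until the files are consolidated.
    sys.exit(1 if any(report.values()) else 0)
```

Run as a pre-commit or CI step while the migration is in progress, the non-zero exit blocks a merge that reintroduces drift; once `requirements*.txt` are removed the check becomes unnecessary.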
4. ⚠️ Build System Configuration Issues
Severity: MEDIUM
Impact: Potential build failures, outdated build tools
Current State:
```toml
[build-system]
requires = ["setuptools>=45", "wheel", "setuptools_scm[toml]>=6.2"]
build-backend = "setuptools.build_meta"
```
Issues:
- Using `setuptools>=45` (released 2019); current is 75+
- `wheel` should be implicit, not explicit
- `setuptools_scm` configured but no version source defined in `[tool.setuptools_scm]`
Required Actions:
- Update to a modern build system:
  ```toml
  [build-system]
  requires = ["setuptools>=75.0.0", "setuptools_scm>=8.0.0"]
  build-backend = "setuptools.build_meta"
  ```
- Configure `setuptools_scm` properly, or remove it if unused
- Consider migrating to `hatchling` for better UV integration
5. ✅ Positive Findings
What's Working Well:
- ✅ Pinned minimum versions for critical dependencies (`openai>=1.55.2` for httpx compatibility)
- ✅ `pyproject.toml` structure is modern and well-organized
- ✅ Using Python 3.9+ (good minimum version)
- ✅ Dev tools properly separated (black, ruff, isort, pytest)
- ✅ `run-server.sh` has UV detection logic (lines 569-627)
Dependency Staleness Analysis
Runtime Dependencies
| Package | Current Min | Latest Stable | Status |
|---|---|---|---|
| mcp | >=1.0.0 | ~1.x | ✅ OK (using latest) |
| google-genai | >=1.19.0 | 2.0.0+ | |
| openai | >=1.55.2 | 1.60+ | |
| pydantic | >=2.0.0 | 2.10+ | ✅ OK (v2 modern) |
| python-dotenv | >=1.0.0 | 1.0.1 | ✅ OK |
Dev Dependencies
| Package | Current Min | Latest Stable | Status |
|---|---|---|---|
| pytest | >=7.4.0 | 8.3.4 | |
| pytest-asyncio | >=0.21.0 | 0.24.0 | |
| black | >=23.0.0 | 24.10.0 | |
| ruff | >=0.1.0 | 0.8+ | |
| isort | >=5.12.0 | 5.13.2 | ✅ OK |
UV Migration Roadmap
Phase 1: Immediate (Week 1)
- ✅ Install UV globally: `curl -LsSf https://astral.sh/uv/install.sh | sh`
- ✅ Initialize UV in project: `uv init`
- ✅ Migrate dependencies to `pyproject.toml`:
  ```bash
  uv add mcp google-genai "openai>=1.55.2" "pydantic>=2.0.0" python-dotenv
  uv add --dev pytest pytest-asyncio pytest-mock black ruff isort python-semantic-release build
  ```
- ✅ Generate lock file: `uv lock`
- ✅ Test installation: `uv sync`
Phase 2: Script Migration (Week 1-2)
- Update `run-server.sh`:
  - Replace `python -m venv` → `uv venv`
  - Replace `pip install -r requirements.txt` → `uv sync`
  - Remove UV as optional; make it required
- Update `code_quality_checks.sh`:
  - Replace `pip install -r requirements-dev.txt` → `uv sync --all-extras`
- Update `run_integration_tests.sh`:
  - Use `uv run pytest` instead of direct pytest calls
Phase 3: Cleanup (Week 2)
- Remove `requirements.txt`
- Remove `requirements-dev.txt`
- Update `CLAUDE.md` documentation to reflect the UV-only workflow
- Update CI/CD workflows to use UV
- Add `uv.lock` to version control
Phase 4: Validation (Week 2-3)
- Test clean installs on multiple platforms
- Verify CI/CD pipelines work with UV
- Update contributor documentation
- Close this issue with verification report
Recommended pyproject.toml Structure
```toml
[project]
name = "zen-mcp-server"
version = "1.0.0"
description = "AI-powered MCP server with multiple model providers"
requires-python = ">=3.9"
dependencies = [
    "mcp>=1.0.0",
    "google-genai>=1.19.0",
    "openai>=1.55.2",
    "pydantic>=2.0.0",
    "python-dotenv>=1.0.0",
]

[project.optional-dependencies]
dev = [
    "pytest>=7.4.0",
    "pytest-asyncio>=0.21.0",
    "pytest-mock>=3.11.0",
    "black>=23.0.0",
    "ruff>=0.1.0",
    "isort>=5.12.0",
]
release = [
    "python-semantic-release>=10.3.0",
    "build>=1.0.0",
]

[build-system]
requires = ["setuptools>=75.0.0", "setuptools_scm>=8.0.0"]
build-backend = "setuptools.build_meta"

# Keep existing tool configurations (black, isort, ruff, etc.)
```
Security Considerations
Dependency Scanning
Recommendation: Add `uv pip audit` to the CI/CD pipeline to check for known vulnerabilities.
Current Risk: Without a lock file, builds could accidentally install vulnerable versions.
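The two risks raised here and in finding 2 (floor-only `>=` constraints, and no lock file to make installs reproducible) can be turned into a CI gate. The script below is an added example, not the project's own code: it reads the requirements-style export that `uv export --frozen --format requirements-txt` writes from `uv.lock`, and fails if any locked entry is not pinned with `==`, lacks a well-formed `--hash=sha256:` digest, or if a declared runtime dependency is absent from the lock; it also lists declared specifiers that are floor-only and therefore reproducible only through the lock. The export text, versions and digests are constructed placeholders. For the vulnerability scan itself the page recommends `uv pip audit`; this example assumes the PyPA `pip-audit` tool run through `uvx` instead, which is an assumption about the tooling available in CI.

```python
"""Lock-file gate for CI: verify that what `uv sync --frozen` will install is
fully pinned and hash-checked, and that every declared runtime dependency is
covered by the lock.

Added example, not the project's own code. Input is the requirements-style
export produced by `uv export --frozen --format requirements-txt`; the sample
below is constructed, with placeholder versions and digests.
"""
import re
import sys

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$")
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
OPERATOR_RE = re.compile(r"==|>=|<=|~=|!=|<|>")


def canonical_name(name: str) -> str:
    """PEP 503 normalisation so 'Python_Dotenv' and 'python-dotenv' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fake_digest(ch: str) -> str:
    """Constructed placeholder for a real --hash=sha256:<64 hex> value."""
    return "sha256:" + ch * 64


# Declared [project] dependencies as in the audited pyproject.toml, plus the
# importlib-resources entry that only requirements.txt carries.
DECLARED = [
    "mcp>=1.0.0",
    "google-genai>=1.19.0",
    "openai>=1.55.2,<2",
    "pydantic>=2.0.0",
    "python-dotenv>=1.0.0",
    "importlib-resources>=5.0.0",
]

# Constructed export (placeholder versions/digests). The last two entries
# deliberately show the failure modes the gate must catch.
EXPORTED_LOCK = "\n".join([
    "# This file was autogenerated by uv via the following command:",
    "#    uv export --frozen --format requirements-txt",
    "anyio==4.6.2 \\",
    f"    --hash={fake_digest('a')} \\",
    f"    --hash={fake_digest('b')}",
    "mcp==1.2.0 \\",
    f"    --hash={fake_digest('c')}",
    "openai==1.58.1 \\",
    f"    --hash={fake_digest('d')}",
    "pydantic==2.10.3 \\",
    f"    --hash={fake_digest('e')}",
    "python-dotenv==1.0.1",   # pinned but unhashed: integrity not verified at install
    "google-genai>=1.19.0",   # floor only: a newer, possibly bad release could slip in
])


def parse_export(text: str) -> dict:
    """Map canonical name -> {'specifier', 'hashes'} from a requirements export.
    Handles backslash continuations, comments and pip options (-e, --index-url)."""
    entries, pending = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined = " ".join(pending).strip()
        pending = []
        if not joined or joined[0] in "#-":
            continue
        tokens = joined.split()
        m = NAME_RE.match(tokens[0])
        hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
        entries[canonical_name(m.group(1))] = {"specifier": m.group(2), "hashes": hashes}
    return entries


def check_lock(declared: list, export_text: str) -> dict:
    """Return the findings a CI gate should fail on (all lists empty means pass)."""
    locked = parse_export(export_text)
    report = {"missing": [], "unpinned": [], "unhashed": [], "floor_only": []}
    for spec in declared:
        m = NAME_RE.match(spec)
        name = canonical_name(m.group(1))
        if set(OPERATOR_RE.findall(m.group(2))) == {">="}:
            report["floor_only"].append(name)   # reproducible only through the lock
        if name not in locked:
            report["missing"].append(name)      # declared but never locked
    for name, entry in locked.items():
        if not entry["specifier"].startswith("=="):
            report["unpinned"].append(name)
        elif not entry["hashes"] or not all(SHA256_RE.match(h) for h in entry["hashes"]):
            report["unhashed"].append(name)
    return {key: sorted(val) for key, val in report.items()}


def audit_command(export_path: str) -> list:
    """Vulnerability scan to run once the gate passes. Assumption: PyPA pip-audit
    invoked via uvx; swap in whichever scanner the project standardises on."""
    return ["uvx", "pip-audit", "--strict", "-r", export_path]


if __name__ == "__main__":
    findings = check_lock(DECLARED, EXPORTED_LOCK)
    for key, names in findings.items():
        print(f"{key}: {', '.join(names) or '-'}")
    sys.exit(1 if any(findings.values()) else 0)
```

In a pipeline the steps would be `uv sync --frozen`, then `uv export --frozen --format requirements-txt -o requirements.lock.txt`, then this gate on the exported file, then the scanner command returned by `audit_command`. Separating the gate from the scanner keeps the "is the lock complete and hash-pinned" question answerable offline, while the scanner needs network access to its advisory database.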
Example CI/CD Integration
```yaml
- name: Security Audit
  run: |
    uv pip audit
    uv sync --frozen  # Ensures exact versions from lock file
```
Migration Commands Quick Reference
```bash
# 1. Install UV
curl -LsSf https://astral.sh/uv/install.sh | sh

# 2. Initialize and migrate
uv init
uv add mcp google-genai "openai>=1.55.2" pydantic python-dotenv
uv add --dev pytest pytest-asyncio pytest-mock black ruff isort python-semantic-release build

# 3. Generate lock file
uv lock

# 4. Install dependencies
uv sync

# 5. Run commands with UV
uv run python server.py
uv run pytest
uv run black .

# 6. Clean up legacy files
rm requirements.txt requirements-dev.txt
git add pyproject.toml uv.lock
git commit -m "Migrate to UV for dependency management"
```
References
- Project Standards: `CLAUDE.md` ("ALWAYS use UV - never pip, venv, or requirements.txt")
- UV Documentation: https://docs.astral.sh/uv/
- UV Migration Guide: https://docs.astral.sh/uv/guides/migration/
- Current Requirements: `requirements.txt`, `requirements-dev.txt`
- Script Analysis: `run-server.sh`, `code_quality_checks.sh`
Action Items
- Install UV globally on development machines
- Run `uv init` to initialize UV in the project
- Migrate dependencies from `requirements.txt` → `pyproject.toml`
- Generate and commit the `uv.lock` file
- Update `run-server.sh` to use UV exclusively
- Update `code_quality_checks.sh` to use UV
- Update `run_integration_tests.sh` to use UV
- Remove `requirements.txt` and `requirements-dev.txt`
- Update documentation to reflect the UV-only workflow
- Test clean installation on a fresh environment
- Update CI/CD pipelines to use UV
- Add `uv pip audit` to security checks
Priority: HIGH
Effort: Medium (2-3 weeks for full migration)
Risk: Low (UV is backward compatible, can run in parallel initially)
Next Steps: Assign to development team for sprint planning and begin Phase 1 migration.