2 months ago
I'm deploying a Python + React monorepo using Railpack. As a supply chain security measure, my pyproject.toml excludes PyPI packages that are less than 7 days old:
[tool.uv]
exclude-newer = "7 days"
During deployment Railpack runs uv sync --locked, and at that point exclude-newer = "7 days" gets recomputed to a different absolute timestamp than when the lockfile was generated. uv sees this as a change in resolution constraints, tries to re-resolve, and --locked rejects it:
Resolving despite existing lockfile due to addition of global exclude newer 2026-03-26T04:09:56Z
The lockfile at `uv.lock` needs to be updated, but `--locked` was provided.
There's no clean way to disable exclude-newer only at deploy time.
Question: What is the recommended way to enforce a exclude-newer policy at lockfile generation time, without it breaking uv sync --locked or uv sync --frozen during deployment on Railpack?
1 Replies
2 months ago
You can override the install command Railpack runs by setting the RAILPACK_INSTALL_COMMAND environment variable on your service, for example to uv sync --frozen, which skips resolution entirely and installs directly from the lockfile without checking exclude-newer.
Status changed to Awaiting User Response Railway • about 2 months ago
a month ago
This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!
Status changed to Solved Railway • about 1 month ago