@jiridanek jiridanek commented Dec 22, 2025

https://issues.redhat.com/browse/RHAIENG-2509

Description

We did not use dependency groups because that led to a huge (30+MB) uv.lock.

We can't use subprojects because everything in a subproject has to resolve together, no conflicts are allowed.

We can't have subprojects depending on other subprojects because there is an open issue.

We may be able to deal with it using --no-emit-package because we don't actually install anything from the subproject, we only use them as dependency containers.

It is possible to install selected optional dependencies from subprojects, but these are distinct from dependency groups. Defining both gets messy.

How Has This Been Tested?

Successfully extracted common dependency groups into subprojects and configured the build system to exclude them from lock files.

Changes Made

1. Created 6 Dependency Subprojects (in dependencies/ directory)

  • base-deps: Core packages (wheel, setuptools, pip)
  • jupyterlab-deps: JupyterLab and core extensions
  • jupyterlab-datascience-deps: Extended JupyterLab packages (codeflare-sdk, kfp, feast, kubeflow-training)
  • datascience-deps: ML/DS packages (boto3, numpy, pandas, scikit-learn, etc.)
  • db-connectors-deps: Database connectors (pymongo, psycopg, pyodbc, mysql)
  • elyra-runtime-deps: Elyra execution dependencies (ipykernel, papermill, minio, etc.)

All subprojects use package = false to indicate they are dependency-only packages.

2. Updated All Project pyproject.toml Files

Updated 18 project files across codeserver/, jupyter/, and runtimes/ to reference the subprojects using [tool.uv.sources] with relative paths.

Special handling for version conflicts:

  • jupyter/trustyai: Uses override-dependencies for numpy~=1.26.4, pandas~=1.5.3, jupyter-bokeh~=3.0.5
  • jupyter/rocm/tensorflow: Uses override-dependencies for numpy~=1.26.4

3. Modified Lock File Generator

Updated scripts/pylocks_generator.sh to add --no-emit-package flags for all 6 subprojects, ensuring they are excluded from pylock.toml files while their dependencies are properly expanded.

4. Regenerated All Lock Files

All 18 pylock.toml files successfully regenerated with:

  • ✅ Subproject dependencies properly expanded inline
  • ✅ No path-based dependency entries in lock files
  • ✅ Self-contained lock files that don't require dependencies/ directory in Docker build context

Benefits

  • DRY principle: Common dependencies defined once in subprojects
  • Maintainability: Easy to update shared dependencies across all workbenches
  • Docker-friendly: Lock files remain self-contained without requiring additional files in build context
  • Consistency: All workbenches use the same versions of common packages

Self checklist (all need to be checked):

  • Ensure that you have run make test (gmake on macOS) before asking for review
  • Changes to everything except Dockerfile.konflux files should be done in odh/notebooks and automatically synced to rhds/notebooks. For Konflux-specific changes, modify Dockerfile.konflux files directly in rhds/notebooks as these require special attention in the downstream repository and flow to the upcoming RHOAI release.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • Bug Fixes

    • Updated package versions for improved compatibility and performance
  • Chores

    • Reorganized project dependencies into modular subprojects to improve maintainability
    • Updated lock files and build configuration to reflect new dependency structure
    • Enhanced test infrastructure to support modularized dependency management

openshift-ci bot commented Dec 22, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci bot commented Dec 22, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atheo89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai bot commented Dec 22, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change refactors Python dependency management from monolithic inline lists into modular, path-based subprojects. New dependency packages (base, datascience, db-connectors, elyra-runtime, jupyterlab, jupyterlab-datascience) are created under a shared dependencies/ directory. Existing pyproject.toml files across multiple notebook environments are updated to reference these subprojects via [tool.uv.sources] and [tool.uv] override configurations. Lock file headers and build scripts are updated to exclude subproject meta-packages from emission.

Changes

| Cohort / File(s) | Summary |
|---|---|
| New dependency subproject manifests: dependencies/base/pyproject.toml, dependencies/datascience/pyproject.toml, dependencies/db-connectors/pyproject.toml, dependencies/elyra-runtime/pyproject.toml, dependencies/jupyterlab/pyproject.toml, dependencies/jupyterlab-datascience/pyproject.toml | Created new Python project configurations defining modular dependency sets for base packages, data science, database connectors, Elyra runtime, JupyterLab core, and JupyterLab data science tools. Each specifies Python 3.12, targeted Linux/CPython environments, and package = false in tool.uv configuration. |
| Codeserver pyproject and lock file refactoring: codeserver/ubi9-python-3.12/pyproject.toml, codeserver/ubi9-python-3.12/pylock.toml | Replaced explicit dependency list with five subproject dependencies (notebooks-base-deps, notebooks-jupyterlab-deps, notebooks-jupyterlab-datascience-deps, notebooks-datascience-deps, notebooks-db-connectors-deps) and added [tool.uv.sources] mappings. Updated pylock.toml header with --no-emit-package flags for subprojects. |
| Jupyter environment pyproject refactoring: jupyter/datascience/ubi9-python-3.12/pyproject.toml, jupyter/minimal/ubi9-python-3.12/pyproject.toml, jupyter/pytorch/ubi9-python-3.12/pyproject.toml, jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml, jupyter/rocm/pytorch/ubi9-python-3.12/pyproject.toml, jupyter/rocm/tensorflow/ubi9-python-3.12/pyproject.toml, jupyter/tensorflow/ubi9-python-3.12/pyproject.toml, jupyter/trustyai/ubi9-python-3.12/pyproject.toml | Replaced explicit dependencies (boto3, kafka-python-ng, matplotlib, numpy, pandas, plotly, scikit-learn, scipy, skl2onnx, jupyter packages, wheel, setuptools, and others) with modular subproject references and added [tool.uv.sources] path mappings. ROCm TensorFlow variant adds keras~=3.12.0 and numpy~=1.26.4 overrides. |
| Jupyter lock file header updates: jupyter/minimal/ubi9-python-3.12/pylock.toml, jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml | Extended autogenerated uv command comments with multiple --no-emit-package flags to exclude notebooks-related dependency subprojects from lock file emission. |
| Runtimes environment refactoring: runtimes/datascience/ubi9-python-3.12/pyproject.toml, runtimes/minimal/ubi9-python-3.12/pyproject.toml, runtimes/pytorch/ubi9-python-3.12/pyproject.toml, runtimes/tensorflow/ubi9-python-3.12/pyproject.toml | Consolidated explicit dependencies into four to five subproject dependencies (notebooks-base-deps, notebooks-elyra-runtime-deps, notebooks-datascience-deps, notebooks-db-connectors-deps) with corresponding [tool.uv.sources] path definitions. |
| Runtimes lock file header updates: runtimes/minimal/ubi9-python-3.12/pylock.toml, runtimes/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml, runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml, runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml | Extended autogenerated uv pip compile commands with --no-emit-package flags for notebooks subprojects and (in rocm-tensorflow variant) additional core dependencies. |
| Build and test infrastructure updates: scripts/pylocks_generator.sh, tests/test_main.py | Added --no-emit-package flags to uv pip compile invocation in lock generation script. Introduced is_subproject_metapackage() helper function and updated test logic to skip/validate subproject meta-packages. Updated numpy version expectations from 2.1 to 2.3. |
| RStudio lock file header updates: rstudio/c9s-python-3.12/pylock.toml, rstudio/rhel9-python-3.12/pylock.toml | Extended autogenerated command comments with --no-emit-package flags for notebooks dependency subprojects. |
| Manifest metadata update: manifests/base/jupyter-tensorflow-notebook-imagestream.yaml | Bumped numpy dependency version from 2.1 to 2.3 in opendatahub.io/notebook-python-dependencies section (two occurrences). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Scope and heterogeneity: This is a large-scale refactoring affecting 30+ files across multiple directory structures (codeserver, jupyter, runtimes, rstudio, dependencies, manifests, scripts, tests). While individual changes follow a consistent pattern (dependency consolidation + path mappings), the breadth and number of affected files demand comprehensive validation.
  • Key review areas requiring attention:
    • Dependency mapping integrity: Verify that all dependencies moved into subprojects are correctly referenced and that no dependencies are lost or duplicated across the new modular structure.
    • Path resolution correctness: Validate that [tool.uv.sources] path mappings use correct relative paths for each variant (varying depths: ../../../, ../../../..// etc.) and point to the appropriate subproject.
    • Lock file consistency: Confirm that --no-emit-package flags in pylock.toml headers match the actual subproject dependencies being used and don't inadvertently exclude required packages.
    • Version compatibility: Verify override-dependencies in ROCm and TensorFlow variants (keras, numpy, protobuf) are compatible with their respective ML frameworks.
    • Test coverage: Review the new is_subproject_metapackage() logic and test exclusion patterns to ensure they correctly identify and handle all subproject meta-packages.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: implementing dependency groups from a POC using subprojects, which is the core objective of this PR. |
| Description check | ✅ Passed | The description is comprehensive and covers the motivation, approach, key changes, and testing claims. However, the self-checklist items and merge criteria are unchecked, indicating the PR is incomplete. |

@github-actions github-actions bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label Dec 22, 2025
…missing newline at EOF in `pyproject.toml` files
@openshift-ci openshift-ci bot added size/xxl and removed size/xxl labels Dec 22, 2025
@jiridanek

@coderabbitai full review

coderabbitai bot commented Dec 22, 2025

✅ Actions performed

Full review triggered.

@openshift-ci openshift-ci bot added size/xxl and removed size/xxl labels Dec 22, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (7)
dependencies/db-connectors/pyproject.toml (1)

4-4: Consider whether strict Python version pinning is necessary.

The ==3.12.* constraint restricts this subproject to Python 3.12.x only. While this aligns with the directory naming convention, it prevents usage with future Python versions (e.g., 3.13+). If these dependencies are compatible with newer Python versions, consider using >=3.12,<3.14 or similar for better forward compatibility.

dependencies/jupyterlab-datascience/pyproject.toml (1)

4-4: Consider whether strict Python version pinning is necessary.

The ==3.12.* constraint restricts this subproject to Python 3.12.x only. If these JupyterLab dependencies support newer Python versions, consider using a more flexible constraint like >=3.12,<3.14 for better forward compatibility.

dependencies/elyra-runtime/pyproject.toml (1)

4-4: Consider whether strict Python version pinning is necessary.

The ==3.12.* constraint restricts this subproject to Python 3.12.x only. If these Elyra runtime dependencies support newer Python versions, consider using >=3.12,<3.14 for better forward compatibility.

dependencies/datascience/pyproject.toml (1)

20-20: Consider using compatible release specifier for kubeflow-training.

kubeflow-training==1.9.3 uses an exact pin (==) while all other dependencies use compatible release specifiers (~=). If there's no specific reason for the exact pin, consider using ~=1.9.3 to allow patch version updates.

🔎 Proposed change if exact pin is not required
-    "kubeflow-training==1.9.3",
+    "kubeflow-training~=1.9.3",
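Review bot: On the `+` line, `~=1.9.3` lets the resolver select any 1.9.x release from 1.9.3 upward, so this one-character change can alter the resolved kubeflow-training version the next time the lock files are regenerated. If the `==` pin was deliberate, keep it and record the reason in a comment beside the entry; if not, regenerate the lock files in the same commit so the resolved version is visible in review.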
jupyter/minimal/ubi9-python-3.12/pylock.toml (1)

2-2: Clarify mapping between --no-emit-package flags and the footer exclusion list

The header command passes --no-emit-package for six meta‑packages, but the footer note lists only notebooks-base-deps and notebooks-jupyterlab-deps as “excluded from the output.” That mismatch can be confusing for someone trying to understand which subproject packages are being suppressed in this lock.

Consider either:

  • listing all subproject meta‑packages that are passed via --no-emit-package, or
  • adjusting the wording to explain that only the meta‑packages actually pulled into the resolution (here: base + jupyterlab) ended up being excluded.

This keeps the header and explanatory comment in sync for future maintainers.

Also applies to: 2077-2080

runtimes/minimal/ubi9-python-3.12/pylock.toml (1)

1894-1897: Clarify which dependency meta-packages are excluded in this lock file

The footer documents only notebooks-base-deps and notebooks-elyra-runtime-deps as excluded, while the header command includes six --no-emit-package entries. If this list is intended to show “packages that would otherwise appear in this lock for this runtime,” consider rephrasing the comment to make that explicit, or alternatively list all six subproject meta-packages for consistency across lock files.

codeserver/ubi9-python-3.12/pyproject.toml (1)

7-21: Subproject configuration looks correct; minor formatting inconsistency.

The subproject dependencies and [tool.uv.sources] section are correctly configured. The relative paths (../../dependencies/...) properly navigate from codeserver/ubi9-python-3.12/ to the repository root.

One minor nit: Line 10 introduces a blank line within the dependencies list. Other files in this PR (e.g., runtimes/tensorflow/ubi9-python-3.12/pyproject.toml) don't have this extra blank line between subproject dependencies and additional packages. Consider removing it for consistency.

🔎 Optional formatting fix
 dependencies = [
     # Subproject dependencies
     "notebooks-base-deps",
     "notebooks-datascience-deps",
-    
+
     # Additional useful packages
     "opencensus~=0.11.4",
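Review bot: The `-`/`+` pair in the middle of this hunk only strips trailing whitespace from the separator line and leaves the blank line itself in place, so the list still has a gap between `"notebooks-datascience-deps",` and the `# Additional useful packages` comment. If the goal is to match files that have no blank line at that point, make the change a pure deletion by dropping the `+` line.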

Or remove the blank line entirely if no visual separation is preferred.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 79b82c0 and 637a7d3.

📒 Files selected for processing (39)
  • codeserver/ubi9-python-3.12/pylock.toml
  • codeserver/ubi9-python-3.12/pyproject.toml
  • dependencies/base/pyproject.toml
  • dependencies/datascience/pyproject.toml
  • dependencies/db-connectors/pyproject.toml
  • dependencies/elyra-runtime/pyproject.toml
  • dependencies/jupyterlab-datascience/pyproject.toml
  • dependencies/jupyterlab/pyproject.toml
  • jupyter/datascience/ubi9-python-3.12/pylock.toml
  • jupyter/datascience/ubi9-python-3.12/pyproject.toml
  • jupyter/minimal/ubi9-python-3.12/pylock.toml
  • jupyter/minimal/ubi9-python-3.12/pyproject.toml
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
  • jupyter/pytorch/ubi9-python-3.12/pylock.toml
  • jupyter/pytorch/ubi9-python-3.12/pyproject.toml
  • jupyter/rocm/pytorch/ubi9-python-3.12/pylock.toml
  • jupyter/rocm/pytorch/ubi9-python-3.12/pyproject.toml
  • jupyter/rocm/tensorflow/ubi9-python-3.12/pylock.toml
  • jupyter/rocm/tensorflow/ubi9-python-3.12/pyproject.toml
  • jupyter/tensorflow/ubi9-python-3.12/pylock.toml
  • jupyter/tensorflow/ubi9-python-3.12/pyproject.toml
  • jupyter/trustyai/ubi9-python-3.12/pylock.toml
  • jupyter/trustyai/ubi9-python-3.12/pyproject.toml
  • manifests/base/jupyter-tensorflow-notebook-imagestream.yaml
  • rstudio/c9s-python-3.12/pylock.toml
  • rstudio/rhel9-python-3.12/pylock.toml
  • runtimes/datascience/ubi9-python-3.12/pylock.toml
  • runtimes/datascience/ubi9-python-3.12/pyproject.toml
  • runtimes/minimal/ubi9-python-3.12/pylock.toml
  • runtimes/minimal/ubi9-python-3.12/pyproject.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml
  • runtimes/pytorch/ubi9-python-3.12/pylock.toml
  • runtimes/pytorch/ubi9-python-3.12/pyproject.toml
  • runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml
  • runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml
  • runtimes/tensorflow/ubi9-python-3.12/pylock.toml
  • runtimes/tensorflow/ubi9-python-3.12/pyproject.toml
  • scripts/pylocks_generator.sh
  • tests/test_main.py
🧰 Additional context used
🪛 GitHub Actions: Validation of software versions referenced in ImageStream manifests
manifests/base/jupyter-tensorflow-notebook-imagestream.yaml

[error] 1-1: TensorFlow-ROCm version check failed. Expected '2.18', found 'None'.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build (runtime-datascience-ubi9-python-3.12, 3.12, linux/s390x, false) / build
  • GitHub Check: build (jupyter-datascience-ubi9-python-3.12, 3.12, linux/ppc64le, false) / build
🔇 Additional comments (43)
rstudio/c9s-python-3.12/pylock.toml (1)

2-2: LGTM! Auto-generated lock file reflects new subproject exclusions.

The updated generation command correctly excludes all six subproject meta-packages (notebooks-base-deps, notebooks-jupyterlab-deps, notebooks-jupyterlab-datascience-deps, notebooks-datascience-deps, notebooks-db-connectors-deps, notebooks-elyra-runtime-deps) from emission, which aligns with the PR's approach to inline dependency trees while excluding the wrapper packages.

rstudio/rhel9-python-3.12/pylock.toml (1)

2-2: LGTM! Consistent with the c9s variant.

The generation command is correctly updated to exclude the six subproject meta-packages, maintaining consistency across different platform variants.

scripts/pylocks_generator.sh (1)

196-201: LGTM! Subproject exclusion flags correctly implemented.

The six --no-emit-package flags ensure that subproject meta-packages are excluded from generated lock files while their dependency trees are expanded inline. This approach allows centralized dependency management without requiring subprojects to be packaged or present in build contexts.

dependencies/jupyterlab-datascience/pyproject.toml (2)

8-8: Verify the rationale for exact version pinning of odh-elyra.

The odh-elyra==4.3.2 dependency uses exact pinning (==) while other dependencies use compatible release (~=). If this exact version is required for compatibility or stability reasons, consider adding a comment explaining why. Otherwise, using ~=4.3.2 would allow patch-level updates.


8-18: Verify and update JupyterLab package versions for Python 3.12 compatibility and security.

The specified versions are generally compatible with Python 3.12 and have no known critical vulnerabilities. However, consider updating to more recent releases: jupyterlab-lsp to 5.2.0 or later, kfp to 2.14.6+ or 2.15.x, and validating codeflare-sdk compatibility for your Python 3.12 environment. Use compatible release specifiers (~=) where applicable to automatically receive security patches.

dependencies/db-connectors/pyproject.toml (1)

8-11: Database connector versions are valid and Python 3.12 compatible.

The specified versions (pymongo~=4.15.3, psycopg~=3.2.10, pyodbc~=5.2.0, mysql-connector-python~=9.4.0) all exist on PyPI, support Python 3.12, and have no known critical security vulnerabilities.

runtimes/rocm-pytorch/ubi9-python-3.12/pylock.toml (1)

1-2: Header correctly documents the lock file generation command.

The autogenerated header accurately reflects the uv pip compile command with all six subproject --no-emit-package flags (notebooks-base-deps, notebooks-jupyterlab-deps, notebooks-jupyterlab-datascience-deps, notebooks-datascience-deps, notebooks-db-connectors-deps, notebooks-elyra-runtime-deps). The command syntax is correct and aligns with the PR's intent to exclude subproject meta-packages while expanding their dependency trees inline.

Please verify that the full lock file content (lines beyond the header) contains only expanded dependencies with no path-based references to the subprojects, confirming the --no-emit-package flags are working as intended.

dependencies/jupyterlab/pyproject.toml (4)

1-4: LGTM! Strict Python version is appropriate for centralized dependency management.

The exact pin requires-python = "==3.12.*" ensures consistency across all consuming projects in this deployment environment. This strict constraint is appropriate for controlled notebook deployments where version uniformity is critical.


22-23: LGTM! Configuration aligns with dependency-only subproject design.

The package = false setting correctly implements the dependency-group subproject pattern described in the PR objectives. This ensures the meta-package is excluded from lock files while its dependency tree is expanded inline.


25-27: LGTM! Environment restrictions are appropriate.

The environment constraint to Linux + CPython is appropriate for containerized notebook server deployments, which is the target use case for this dependency subproject.


6-20: Dependency versions are generally acceptable; consider updating jupyterlab to the latest stable release.

The latest jupyterlab version released December 15, 2025 is 4.5.1, while the pinned version 4.4.9 is still within a supported release line. The jupyterlab-git package was scanned for known vulnerabilities with no issues found, and version 0.51.2 includes a fix for an earlier command injection vulnerability. The jupyter-server Windows vulnerability is fixed in 2.14.1, so version 2.17.0 is secure. The jupyter-server-proxy version 4.4.0 is safe—reflected XSS patches are included in versions 4.2.0 and 3.2.4.

Consider updating jupyterlab to 4.5.1 to benefit from the latest features and improvements, though 4.4.9 remains functional. The odh-jupyter-trash-cleanup package could not be verified through public package registries.

jupyter/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml (1)

1-2: LGTM! Lock file generation command correctly updated.

The updated command header correctly documents the inclusion of --no-emit-package flags for all six subproject dependencies (notebooks-base-deps, notebooks-jupyterlab-deps, notebooks-jupyterlab-datascience-deps, notebooks-datascience-deps, notebooks-db-connectors-deps, notebooks-elyra-runtime-deps). This aligns with the PR objective to exclude subproject meta-packages from pylock.toml files while expanding their dependency trees inline. Consistency across all 18 regenerated pylock.toml files is guaranteed by the hardcoded flags in scripts/pylocks_generator.sh.

jupyter/rocm/pytorch/ubi9-python-3.12/pyproject.toml (1)

13-29: LGTM! Subproject dependency integration is well-structured.

The refactoring from explicit dependencies to modular subprojects is correctly implemented. The relative paths (four levels up from jupyter/rocm/pytorch/ubi9-python-3.12/) correctly resolve to dependencies/{base,jupyterlab,jupyterlab-datascience,datascience,db-connectors}, and the subproject naming convention is consistent.

jupyter/rocm/tensorflow/ubi9-python-3.12/pyproject.toml (2)

16-29: LGTM! Subproject integration is correctly implemented.

The subproject dependencies and path mappings are consistent with the broader refactoring effort. The relative paths correctly resolve to the dependencies/ directory.


36-38: numpy override is working correctly; verify keras requirement necessity.

The numpy~=1.26.4 override is functioning as intended. The lock file resolves numpy to 1.26.4 (not 2.3.4 from notebooks-datascience-deps), confirming that uv's override-dependencies correctly forces the appropriate version. The keras~=3.12.0 is pinned to the specified version as well.

To confirm the keras~=3.12.0 override is required, either check ROCm TensorFlow 2.18.1's declared keras dependency or test with the keras constraint removed.

manifests/base/jupyter-tensorflow-notebook-imagestream.yaml (2)

38-38: LGTM! Numpy version aligns with the datascience dependencies.

The numpy version update from 2.1 to 2.3 correctly reflects the numpy~=2.3.4 specification in the dependencies/datascience/pyproject.toml subproject.


1-100: Verify validation script scoping for TensorFlow/TensorFlow-ROCm checks.

The CUDA-based manifest correctly contains only "TensorFlow" entries, while the separate ROCm manifest properly contains "TensorFlow-ROCm" entries. However, if the validation pipeline is reporting a TensorFlow-ROCm version check failure against the CUDA manifest, confirm:

  1. The validation script (ci/check-software-versions.py) has correct command mappings matching the dependency names used in manifests—it currently maps "ROCm-TensorFlow" but manifests use "TensorFlow-ROCm"
  2. The validation is correctly selecting the appropriate manifest file (CUDA vs ROCm) before running checks
  3. The test that validates manifest consistency properly scopes checks by image type

The manifest separation itself is correct, but the validation tooling needs verification to ensure it doesn't attempt TensorFlow-ROCm checks on CUDA images.

jupyter/datascience/ubi9-python-3.12/pyproject.toml (1)

6-20: LGTM! Subproject integration is correctly implemented.

The transition to modular subproject dependencies is well-executed. The relative paths (three levels up from jupyter/datascience/ubi9-python-3.12/) correctly resolve to the dependencies/ directory, and all five subprojects follow the consistent naming convention.

dependencies/datascience/pyproject.toml (2)

1-32: LGTM! Subproject structure aligns with PR objectives.

The datascience dependency subproject is correctly structured with:

  • package = false to indicate it's a dependency-only subproject
  • Comprehensive data science stack with modern versions
  • Appropriate environment constraints for Linux/CPython

6-25: Update several dependencies to their latest stable versions.

The dependency versions need updating:

  • scikit-learn~=1.7.2 → should be updated to ~=1.8.0 (released Dec 10, 2025)
  • kubeflow-training==1.9.3 → should be evaluated for upgrade to v2.1.0 (current Trainer v2 release; v1.9.3 is the legacy Training Operator)
  • numpy~=2.3.4 → consider ~=2.4.0 (latest, released Dec 20, 2025)
  • boto3~=1.40.52 → consider ~=1.40.63 for latest patches

scipy~=1.16.2, skl2onnx~=1.19.1, and other major packages are current.

tests/test_main.py (3)

32-38: LGTM! Well-designed helper function.

The helper function correctly identifies subproject meta-packages using a clear naming convention. The documentation is comprehensive and explains the integration with the lock file generation process.


93-103: LGTM! Correct validation logic for subproject exclusion.

The test correctly validates that subproject meta-packages are excluded from pylock.toml as expected by the --no-emit-package flag in the lock file generation script. The assertion provides a clear diagnostic message if the validation fails.


310-313: LGTM! Appropriate skip logic.

Correctly skips subproject meta-packages during version alignment checks, which is consistent with their exclusion from lock files.

jupyter/trustyai/ubi9-python-3.12/pyproject.toml (3)

32-37: LGTM! Subproject dependencies correctly declared.

The five subproject dependencies follow the expected naming convention and align with the PR's objective to modularize dependency management.


63-65: LGTM! Standard environment constraint.

The Linux CPython environment constraint is consistent with other subproject configurations across the repository.


43-47: All subproject paths in [tool.uv.sources] are valid and contain proper pyproject.toml files. No issues found.

jupyter/tensorflow/ubi9-python-3.12/pyproject.toml (2)

13-18: LGTM! Consistent subproject dependency structure.

The subproject dependencies are correctly declared and follow the same modular pattern as other notebook environments in this PR.


21-26: LGTM! Subproject paths follow standard pattern.

The [tool.uv.sources] paths are consistent with the relative path structure used across all notebook environments. These paths should be verified as part of the overall verification script generated for the trustyai file.

dependencies/base/pyproject.toml (1)

1-17: LGTM! Well-structured subproject meta-package.

This file correctly defines a dependency-only subproject with package = false (Line 13), which is essential for the subproject pattern. The minimal base dependencies (wheel, setuptools) are appropriate, and the environment constraint is consistent with other subprojects.

runtimes/minimal/ubi9-python-3.12/pylock.toml (1)

2-2: Header uv command correctly encodes no-emit subproject flags

The regenerated header reflects the six --no-emit-package arguments needed to keep subproject meta-packages out of the lock while inlining their trees; this aligns with the PR’s strategy and looks consistent with automated generation.

jupyter/pytorch/ubi9-python-3.12/pyproject.toml (1)

6-27: Appropriate hybrid approach: explicit PyTorch packages + subproject dependencies.

The configuration correctly preserves PyTorch-specific packages (tensorboard, torch, torchvision) with their custom index sources while delegating common dependencies to five subprojects. The [tool.uv.sources] section properly combines both index-based (PyTorch CUDA) and path-based (subprojects) resolution. All five subproject directories exist and the lock file correctly includes PyTorch packages while excluding the meta-package references.

jupyter/minimal/ubi9-python-3.12/pyproject.toml (1)

6-14: Update verification script to use correct lock file name.

The verification script checks for pylock.toml, but the correct lockfile for uv projects is uv.lock. Replace the lock file check in the verification script:

  • Change: jupyter/minimal/ubi9-python-3.12/pylock.toml
  • To: jupyter/minimal/ubi9-python-3.12/uv.lock

Additionally, the path-based entries from tool.uv.sources should not appear in the lock file—only the resolved package versions and hashes. The refactoring is structurally sound, but the verification approach needs correction.

runtimes/datascience/ubi9-python-3.12/pyproject.toml (1)

6-18: Datascience runtime dependency configuration is well-structured.

All four subproject dependencies exist and are correctly mapped to their respective paths: dependencies (base, elyra-runtime, datascience, db-connectors) are properly declared using the local path syntax in tool.uv.sources. The configuration accurately represents the full datascience stack and follows established patterns for workspace dependency management.

runtimes/minimal/ubi9-python-3.12/pyproject.toml (1)

6-14: Correct minimal runtime configuration.

The configuration appropriately includes base-deps and elyra-runtime-deps (for pipeline execution) rather than jupyterlab-deps. This distinction between runtime images (execution-focused) and jupyter images (interactive UI) is architecturally sound.

runtimes/rocm-tensorflow/ubi9-python-3.12/pylock.toml (1)

2-2: LGTM: Autogenerated command correctly includes all subproject exclusions.

The regenerated lock file header correctly includes --no-emit-package flags for all six dependency subprojects (notebooks-base-deps, notebooks-jupyterlab-deps, notebooks-jupyterlab-datascience-deps, notebooks-datascience-deps, notebooks-db-connectors-deps, notebooks-elyra-runtime-deps), which aligns with the PR objectives to exclude subproject meta-packages while expanding their dependency trees inline.

The Python version (3.12) correctly matches the directory path, and the command parameters appear appropriate for generating a self-contained lock file for Docker builds.

runtimes/pytorch/ubi9-python-3.12/pyproject.toml (2)

12-17: LGTM! Clean separation of PyTorch-specific and shared dependencies.

The refactoring correctly separates PyTorch-specific packages (tensorboard, torch, torchvision) from shared dependencies now managed via subprojects. The absence of JupyterLab-related subprojects appears intentional for this runtime.


22-25: Path mappings are correct and all subproject directories exist.

All four dependency subprojects are present and properly configured as dependency-only subprojects:

  • dependencies/base
  • dependencies/elyra-runtime
  • dependencies/datascience
  • dependencies/db-connectors

The relative paths from runtimes/pytorch/ubi9-python-3.12/ correctly resolve to each subproject.

runtimes/pytorch+llmcompressor/ubi9-python-3.12/pylock.toml (1)

2-2: LGTM! Command correctly documents subproject exclusion.

The updated generation command properly includes all six --no-emit-package flags for the dependency subprojects, aligning with the PR's goal of excluding meta-packages while expanding their dependency trees inline.

runtimes/tensorflow/ubi9-python-3.12/pyproject.toml (1)

13-24: LGTM! Subproject dependency configuration is well-structured.

The four subproject dependencies (notebooks-base-deps, notebooks-elyra-runtime-deps, notebooks-datascience-deps, notebooks-db-connectors-deps) are correctly declared and mapped to their respective paths. The relative paths (../../../dependencies/...) correctly navigate from runtimes/tensorflow/ubi9-python-3.12/ up to the repository root where the dependencies/ folder resides.

codeserver/ubi9-python-3.12/pylock.toml (4)

1-5: LGTM! Header correctly lists excluded subproject meta-packages.

The updated command header correctly includes --no-emit-package flags for all six dependency subprojects, which aligns with the PR objective to exclude meta-packages while expanding their dependency trees inline.


3034-3036: The footer comment is correct and consistent with this project's actual dependencies.

This project only depends on 2 subproject packages (notebooks-base-deps and notebooks-datascience-deps), as shown in the pyproject.toml. The footer comment correctly reflects which packages were excluded from this specific project's resolved dependencies. The header command on Line 2 may specify 6 packages globally, but only 2 of them are actually used by this project—which is why only those 2 appear in the footer.

Likely an incorrect or invalid review comment.


196-205: Verify that the executing package downgrade (2.2.1 → 1.2.0) doesn't introduce breaking changes or security vulnerabilities.

Two packages were downgraded during lock file regeneration:

  • click: 8.3.1 → 8.2.1 (minor patch downgrade between two fix releases with no stated breaking changes or security issues)
  • executing: 2.2.1 → 1.2.0 (major version downgrade requiring verification)

The executing downgrade merits closer investigation, as it represents a significant version decrease. Verify that the codeserver code doesn't depend on features introduced in executing 2.0+ before accepting this downgrade.


1441-1447: No action required. The package onnxconverter-common (v1.13.0) is explicitly declared as a dependency in dependencies/datascience/pyproject.toml alongside skl2onnx. It is an intentional, direct project dependency—not an unintentional side effect of dependency restructuring.

Likely an incorrect or invalid review comment.

Comment on lines +54 to +61
[tool.uv]

override-dependencies = [
# TrustyAI requires specific versions that differ from standard datascience
"jupyter-bokeh~=3.0.5", # trustyai 0.6.1 depends on jupyter-bokeh~=3.0.5
"numpy~=1.26.4", # TrustyAI requires this specific version
"pandas~=1.5.3", # TrustyAI requires this specific version
]
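Review bot: the numpy and pandas entries in override-dependencies are justified only by "TrustyAI requires this specific version", yet `~=1.26.4` and `~=1.5.3` are compatible-release ranges rather than exact pins, and unlike the jupyter-bokeh line neither comment names the trustyai release that imposes the constraint. Because these overrides deliberately differ from what the shared datascience dependencies declare, record the originating trustyai requirement next to each entry so the override can be revisited or dropped when that requirement changes.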

@coderabbitai coderabbitai bot Dec 22, 2025

⚠️ Potential issue | 🟡 Minor

Fix version number in comment.

The comment on Line 58 references "trustyai 0.6.1", but Line 30 declares "trustyai~=0.6.2". Update the comment to match the actual version in use.

🔎 Proposed fix
-    "jupyter-bokeh~=3.0.5",  # trustyai 0.6.1 depends on jupyter-bokeh~=3.0.5
+    "jupyter-bokeh~=3.0.5",  # trustyai 0.6.2 depends on jupyter-bokeh~=3.0.5
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
[tool.uv]
override-dependencies = [
# TrustyAI requires specific versions that differ from standard datascience
"jupyter-bokeh~=3.0.5", # trustyai 0.6.1 depends on jupyter-bokeh~=3.0.5
"numpy~=1.26.4", # TrustyAI requires this specific version
"pandas~=1.5.3", # TrustyAI requires this specific version
]
[tool.uv]
override-dependencies = [
# TrustyAI requires specific versions that differ from standard datascience
"jupyter-bokeh~=3.0.5", # trustyai 0.6.2 depends on jupyter-bokeh~=3.0.5
"numpy~=1.26.4", # TrustyAI requires this specific version
"pandas~=1.5.3", # TrustyAI requires this specific version
]
🤖 Prompt for AI Agents
In jupyter/trustyai/ubi9-python-3.12/pyproject.toml around lines 54 to 61, the
inline comment for jupyter-bokeh references "trustyai 0.6.1" but the project
declares trustyai~=0.6.2; update the comment to reference the correct version
(0.6.2) so comments match the declared dependency version.

Member Author

I'll be doing this in

Contributor

@jiridanek, thank you for confirming! I'll look forward to seeing the fix in PR #2796. 🐰

…nxconverter-common`, and `ml-dtypes` to exclude `s390x` architecture
@openshift-ci openshift-ci bot added size/xxl and removed size/xxl labels Dec 22, 2025
… (`bigtree`, `cachetools`, `dask`, `debugpy`, `fastapi`, `filelock`, `fonttools`) to earlier compatible versions
@openshift-ci openshift-ci bot added size/xxl and removed size/xxl labels Dec 22, 2025
Labels

do-not-merge/work-in-progress review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel size/xxl
