
Extra dependencies of transitive dependencies are not properly installed when USE_UV=true #3558

@michaelze


Describe the bug

When you add a dependency to your project that itself has a dependency on some package and specifies extras for that dependency, those extra dependencies do not get installed with pdm add. This is also true when the environment is recreated from a pyproject.toml and the corresponding pdm.lock file.

To reproduce

  1. Create a new empty project: pdm init --project test --python path/to/python -n
  2. Add a dependency that itself has a dependency with extras (I tested with cyclonedx-bom): PDM_USE_UV=true pdm add cyclonedx-bom
  3. Try to use cyclonedx: .venv/bin/python -m cyclonedx_py env .venv/
    Error:
    CRITICAL | CDX > This functionality requires optional dependencies.
    Please install `cyclonedx-python-lib` with the extra "json-validation".

Repeat the same 3 steps but set PDM_USE_UV=false when adding the dependency and the command from the third step produces a cyclonedx sbom file (i.e. all required dependencies are installed).

One can also clearly see that the environment installed during the bad test contains way fewer packages (13) versus the good test (32).

Expected Behavior

Extra dependencies of transitive dependencies should also be installed.

Environment Information

PDM version:
  2.25.4.dev4+g490bb0f7
Python Interpreter:
  /home/<user-redacted>/tmp/pdm-uv-test-cyclonedx-bom/test/.venv/bin/python (3.10)
Project Root:
  /home/<user-redacted>/tmp/pdm-uv-test-cyclonedx-bom/test
Local Packages:

{
  "implementation_name": "cpython",
  "implementation_version": "3.10.17",
  "os_name": "posix",
  "platform_machine": "x86_64",
  "platform_release": "6.6.87.2-microsoft-standard-WSL2",
  "platform_system": "Linux",
  "platform_version": "#1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025",
  "python_full_version": "3.10.17",
  "platform_python_implementation": "CPython",
  "python_version": "3.10",
  "sys_platform": "linux"
}

Verbose Command Output

pdm-add.txt

Additional Context

I had a quick look into the pdm.lock file for both variants (installed with uv and without) and it seems that the information about the cyclonedx-bom package in the pdm.lock file created with the help of uv does not specify the [validation] extras for its cyclonedx-python-lib dependency, whereas the pdm.lock file created with just PDM does:

Created with uv:

[[package]]
name = "cyclonedx-bom"
version = "6.1.1"
summary = ""
dependencies = [
    "chardet",
    "cyclonedx-python-lib",
    "packageurl-python",
    "packaging",
    "pip-requirements-parser",
    "tomli",
]
files = [
    {file = "cyclonedx_bom-6.1.1-py3-none-any.whl", hash = "sha256:7aa1f227d0c715ad7473c423e78185d5e17e584de4fd43f3dda7a2c1d3aa7208"},
    {file = "cyclonedx_bom-6.1.1.tar.gz", hash = "sha256:2523a1879b5cd4fd77be68a000c718cde80c17908a8374a17414eb8c9aa7cf20"},
]

Created with just pdm:

[[package]]
name = "cyclonedx-bom"
version = "6.1.1"
requires_python = "<4.0,>=3.9"
summary = "CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments"
groups = ["default"]
dependencies = [
    "chardet<6.0,>=5.1",
    "cyclonedx-python-lib[validation]<11,>=8.0",
    "packageurl-python<2,>=0.11",
    "packaging<26,>=22",
    "pip-requirements-parser<33.0,>=32.0",
    "tomli<3.0.0,>=2.0.1; python_version < \"3.11\"",
]
files = [
    {file = "cyclonedx_bom-6.1.1-py3-none-any.whl", hash = "sha256:7aa1f227d0c715ad7473c423e78185d5e17e584de4fd43f3dda7a2c1d3aa7208"},
    {file = "cyclonedx_bom-6.1.1.tar.gz", hash = "sha256:2523a1879b5cd4fd77be68a000c718cde80c17908a8374a17414eb8c9aa7cf20"},
]

When using uv to add the dependency, the uv.lock file contains the missing information:

[[package]]
name = "cyclonedx-bom"
version = "6.1.1"
source = { registry = "https://scout.bsiag.com/repository/api/pypi/pypi-remote/simple" }
dependencies = [
    { name = "chardet" },
    { name = "cyclonedx-python-lib", extra = ["validation"] },
    { name = "packageurl-python" },
    { name = "packaging" },
    { name = "pip-requirements-parser" },
    { name = "tomli" },
]
sdist = { url = "https://scout.bsiag.com/repository/api/pypi/pypi-remote/packages/packages/98/a5/796b6e58ea9a13af3a9776ff4a4c7ee9108debe9461a129d121257146cd3/cyclonedx_bom-6.1.1.tar.gz", hash = "sha256:2523a1879b5cd4fd77be68a000c718cde80c17908a8374a17414eb8c9aa7cf20" }
wheels = [
    { url = "https://scout.bsiag.com/repository/api/pypi/pypi-remote/packages/packages/67/00/7dac00d6e66aa6569aa9dfb55821d7db689fbf1c439894cff1b6f73df51d/cyclonedx_bom-6.1.1-py3-none-any.whl", hash = "sha256:7aa1f227d0c715ad7473c423e78185d5e17e584de4fd43f3dda7a2c1d3aa7208" },
]

Are you willing to submit a PR to fix this bug?

  • Yes, I would like to submit a PR.
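
A lock-consistency check for the mismatch reported above, as an added example that is not part of the original issue or of PDM's code: it lists extras that a uv.lock records for a dependency but the matching pdm.lock entry lacks. The sample lock texts are constructed from the entries quoted in the issue, and all function names are hypothetical.

```python
import re
try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # backport for 3.10, the interpreter in the report

# Constructed samples, trimmed from the lock entries quoted in the issue.
PDM_LOCK_WITH_UV = '''[[package]]
name = "cyclonedx-bom"
dependencies = ["chardet", "cyclonedx-python-lib"]
'''
PDM_LOCK_PLAIN = '''[[package]]
name = "cyclonedx-bom"
dependencies = ["chardet<6.0,>=5.1", "cyclonedx-python-lib[validation]<11,>=8.0"]
'''
UV_LOCK = '''[[package]]
name = "cyclonedx-bom"
dependencies = [{ name = "chardet" }, { name = "cyclonedx-python-lib", extra = ["validation"] }]
'''
REQ = re.compile(r"\s*([A-Za-z0-9._-]+)\s*(?:\[([^\]]*)\])?")  # name[extra,...]

def norm(name):
    """Normalise a project name the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()

def pdm_extras(text):
    """Map (package, dependency) -> extras named in pdm.lock requirement strings."""
    found = {}
    for pkg in tomllib.loads(text).get("package", []):
        for req in pkg.get("dependencies", []):
            name, extras = REQ.match(req).groups()
            wanted = {e.strip().lower() for e in (extras or "").split(",") if e.strip()}
            found.setdefault((norm(pkg["name"]), norm(name)), set()).update(wanted)
    return found

def uv_extras(text):
    """Map (package, dependency) -> extras named in uv.lock dependency tables."""
    found = {}
    for pkg in tomllib.loads(text).get("package", []):
        for dep in pkg.get("dependencies", []):
            key = (norm(pkg["name"]), norm(dep["name"]))
            found.setdefault(key, set()).update(e.lower() for e in dep.get("extra", []))
    return found

def dropped_extras(pdm_text, uv_text):
    """List (package, dependency, extras) that uv.lock requests but pdm.lock lost."""
    pdm, uv = pdm_extras(pdm_text), uv_extras(uv_text)
    gaps = [(p, d, sorted(ex - pdm.get((p, d), set()))) for (p, d), ex in uv.items()]
    return sorted(g for g in gaps if g[2])
```

Run against real files by passing the contents of pdm.lock and uv.lock; a non-empty result means the installed environment will be missing packages the upstream metadata asks for.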
