Dependabot selects the wrong file as a dependency under the pip ecosystem
Zxilly opened this issue
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
pip
Package manager version
pip 24.0
Language version
Python 3.12
Manifest location and content before the Dependabot update
https://github.com/Zxilly/go-size-analyzer/blob/master/scripts/requirements.txt
dependabot.yml content
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
  # - package-ecosystem: "npm"
  #   directory: "/ui"
  #   schedule:
  #     interval: "daily"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "pip"
    directory: "/scripts"
    schedule:
      interval: "daily"
Updated dependency
No response
What you expected to see, versus what you actually saw
Dependabot should read dependencies from requirements.txt, which is located at https://github.com/Zxilly/go-size-analyzer/blob/3d58b6d6f93783e7d3fffa03ac0128758418c899/scripts/requirements.txt. However, it reads data from skip.txt, which is a data file that is not related to the package manager.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
https://github.com/Zxilly/go-size-analyzer/actions/runs/9508733973/job/26210566565
Smallest manifest that reproduces the issue
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/scripts"
    schedule:
      interval: "daily"
It seems Dependabot has some rules to search for deps files (#3940); it's obvious that it's broken right now.
I know little about Ruby, so I may not be able to help.
Seems
dependabot-core/python/helpers/lib/parser.py
Lines 83 to 87 in fff2779