As far as I can tell, Dependabot cannot be configured to upgrade pinned dependencies (`requirements/*.txt`) as the dependencies have new releases: the `versioning-strategy` configuration only applies to the constrained dependencies (`requirements/*.in`) and `requirements/*.txt` will never be upgraded unless the constraints force an upgrade.
#215 is a practical problem right now but in general I don't think we should be running potentially very old software just because nothing explicitly requires newer versions.
Let's consider a workflow that runs `uv pip compile --upgrade --generate-hashes` and files a PR periodically.
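A sketch of the kind of scheduled workflow proposed above, added here as an example and not taken from the issue or the project. The cron cadence, branch name, action version tags and the one-to-one `requirements/X.in` to `requirements/X.txt` layout are assumptions.

```yaml
name: Upgrade pinned dependencies

on:
  schedule:
    - cron: "0 6 * * 1"      # assumed cadence: Mondays 06:00 UTC
  workflow_dispatch: {}       # allow manual runs

# Only what is needed to push a branch and open a PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  upgrade:
    runs-on: ubuntu-latest
    steps:
      # Version tags are assumptions; pin to reviewed commit SHAs in practice.
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5

      - name: Recompile every requirements/*.in with hashes
        run: |
          set -euo pipefail
          for src in requirements/*.in; do
            # --upgrade ignores the existing pins and resolves the newest
            # versions the .in constraints allow; --generate-hashes keeps
            # every pin hash-checked at install time.
            uv pip compile --upgrade --generate-hashes \
              --output-file "${src%.in}.txt" "$src"
          done

      # Commits the changed .txt files and opens (or updates) one PR;
      # does nothing when the resolution is unchanged.
      - name: File the upgrade PR
        uses: peter-evans/create-pull-request@v7
        with:
          branch: deps/upgrade-pins          # assumed branch name
          delete-branch: true
          commit-message: "Upgrade pinned dependencies"
          title: "Upgrade pinned dependencies"
          body: "Automated `uv pip compile --upgrade --generate-hashes` run."
```

Pull requests opened with the default `GITHUB_TOKEN` do not trigger other workflows, so CI on the upgrade PR needs a separate token or a manual re-run before the new pins are merged.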