Dependabot Pip: What filename formats does it look for?

I have enabled dependency monitoring for a pip project. I’ve set the “directory” to be “requirements/”, and it successfully picks up “requirements/test.txt”. However, there is also a “requirements/common.txt” which is entirely ignored. I’m not sure if there’s some naming system I’m unaware of that would cause requirements/test.txt to be recognized as a dependency file but not requirements/common.txt.


Welcome!

That’s interesting that requirements/test.txt worked! We do have a list of recommended formats:

It looks like for pip, they recommend Pipfile.lock or requirements.txt.


Thanks. Upon further inspection of the logfile of the latest run, it looks like it mentioned requirements/common.txt, but maybe it couldn’t parse it (there are no clear error messages, though, so I’m not sure).

I think the culprit may be that common.txt has a GitHub link in it, the kind that pip itself understands how to install but Dependabot may not be able to parse. I’m testing this hypothesis right now, but am currently waiting for Dependabot to run again.

Update: It was indeed that: if there is a pip-compatible VCS line (see the VCS support section of the pip documentation, v21.0.1), it prevents Dependabot from doing anything with the entire file.

It can be worked around by splitting the VCS line into another file. However, this prevents people from using a lot of standard pip features that have been around for ages. If Dependabot ignored lines it couldn’t parse, developers would be able to use Dependabot and pip’s standard feature set at the same time.


Same problem here.

I have arguments in the requirements.txt, and Dependabot ignores the whole file:

```
psycopg2==2.8.6 --no-binary psycopg2
```

For now I created another .txt file just for the libs that have arguments and read it with -r.
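Both workarounds in this thread (moving the VCS line out of common.txt, and moving lines with per-requirement arguments into a second file pulled in with -r) are the same mechanical split. The script below automates it; it is an added example, not code from the thread, from Dependabot or from pip. It assumes that Dependabot tolerates plain version-pinned lines and -r/-c includes (the thread shows -r works), and that it chokes on VCS/URL requirements, other option lines, and lines carrying per-requirement options; that assumption, the output file name requirements-extras.txt, and the sample requirements text are all constructed for the example and should be checked against your own Dependabot run log.

```python
"""Split a pip requirements file into a Dependabot-friendly file and an "extras" file.

Lines assumed to break Dependabot's parser (VCS/URL requirements, option lines
other than -r/-c, and requirements carrying per-requirement options such as
--no-binary) are moved to a second file that the first one includes via -r,
so `pip install -r requirements.txt` still installs everything.
"""
import re
from typing import List, Tuple

VCS_RE = re.compile(r"^(git|hg|svn|bzr)\+", re.IGNORECASE)
URL_RE = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)
# Assumption: include lines are safe to keep because Dependabot follows -r.
INCLUDE_OPTS = {"-r", "--requirement", "-c", "--constraint"}


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations, drop comments and collapse whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        # pip treats '#' as a comment only at line start or after whitespace,
        # so the '#egg=' fragment inside a VCS URL survives.
        buf = re.sub(r"(^|\s)#.*$", "", buf)
        out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def classify(line: str) -> str:
    """Return 'blank', 'include', 'option', 'vcs', 'per_req_opts' or 'plain'."""
    if not line:
        return "blank"
    if line.startswith("-"):
        opt = line.split("=", 1)[0].split()[0]  # '-r x', '--requirement=x', '-e .'
        return "include" if opt in INCLUDE_OPTS else "option"
    # PEP 508 direct reference: 'name @ git+https://...' or 'name @ https://...'
    target = line.split(" @ ", 1)[1] if " @ " in line else line
    if VCS_RE.match(target) or URL_RE.match(target):
        return "vcs"
    # Requirement followed by per-requirement options, e.g. '--no-binary' or '--hash'.
    if re.search(r"\s--?[A-Za-z]", line):
        return "per_req_opts"
    return "plain"


def split_requirements(text: str, extras_name: str = "requirements-extras.txt") -> Tuple[str, str]:
    """Return (dependabot_friendly_text, extras_text) for one requirements file."""
    keep, extras = [], []
    for line in logical_lines(text):
        kind = classify(line)
        if kind == "blank":
            continue
        (keep if kind in ("plain", "include") else extras).append(line)
    if extras:
        keep.insert(0, f"-r {extras_name}")  # hypothetical file name
    return "\n".join(keep) + "\n", ("\n".join(extras) + "\n") if extras else ""


# Constructed sample mirroring the lines discussed in the thread; not a real project file.
SAMPLE = """\
# constructed sample
requests==2.25.1  # pinned
-r base.txt
git+https://github.com/psf/requests.git@v2.25.1#egg=requests
psycopg2==2.8.6 --no-binary psycopg2
mypkg @ git+https://github.com/example/mypkg.git@main
https://example.invalid/pkg-1.0.tar.gz
flask>=1.1,<2 \\
    ; python_version < "3.9"
--find-links ./wheels
"""

if __name__ == "__main__":
    plain, extras = split_requirements(SAMPLE)
    print("--- requirements.txt ---\n" + plain)
    print("--- requirements-extras.txt ---\n" + extras)
```

Run it against a real file by reading it into `split_requirements` and writing the two results out; the extras file is the one Dependabot will keep ignoring, so anything pinned there still has to be bumped by hand.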