Incorrect dependabot security alert due to constraints files


pip allows you to configure constraints files (see User Guide - pip documentation v21.0.1), but Dependabot seems to confuse them with requirements.txt-like files.

I use the constraints to allow upgrades to the latest minor (3.0.x), but never step over to the next major (3.1).


# stick to django 3.0 for now

# required pip packages
-c constraints.txt
# web framework

The proposal Dependabot gives: “Upgrade django to version 3.1.6 or later”
The justification: Vulnerable versions: >= 3.1, < 3.1.6; Patched version: 3.1.6

So I am not using a vulnerable version, but it thinks I do.

What can I do to avoid these false positives?
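The check a maintainer would run to triage an alert like this one, as an added example that is not part of the original post or of Dependabot: it reads a requirements file and the constraints file it references with `-c`, keeps only the versions pip could actually install (a version must satisfy both the requirement and the constraint), and asks whether any of them falls inside the advisory's vulnerable range. The file contents below are assumptions written to match the post (the post's own specifier lines are not shown); the `django>=3.0` and `django<3.1` lines, the sample version list, and all function names are constructed for this example. It also runs the same question without the constraints file, which is the only way the vulnerable range becomes reachable.

```python
"""Decide whether a Dependabot-style vulnerable range is reachable
under pip requirements plus a constraints file (-c).

Added example, not the repository's own files. The specifier lines,
sample versions and function names are assumptions."""
import re

# Constructed file contents (assumed; the post's exact lines are not shown).
REQUIREMENTS_TXT = """\
# required pip packages
-c constraints.txt
# web framework
django>=3.0
"""

CONSTRAINTS_TXT = """\
# stick to django 3.0 for now
django<3.1
"""

# Constructed sample versions to probe; not a full list of real releases.
CANDIDATE_VERSIONS = ["3.0.0", "3.0.12", "3.1.0", "3.1.5", "3.1.6", "3.2.0"]

_SPEC_RE = re.compile(r"\s*(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)\s*")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
}


def parse_version(s, width=3):
    """'3.1' -> (3, 1, 0). Zero-padding mirrors PEP 440 for plain releases;
    pre-release and local tags are deliberately not handled here."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (width - len(parts))


def parse_specifiers(text):
    """'>= 3.1, < 3.1.6' -> [('>=', (3,1,0)), ('<', (3,1,6))]."""
    specs = []
    for part in text.split(","):
        m = _SPEC_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported specifier: {part!r}")
        specs.append((m.group(1), parse_version(m.group(2))))
    return specs


def satisfies(version, specs):
    """True when every (op, bound) pair holds; an empty list means unconstrained."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in specs)


def parse_pip_file(text):
    """Return {package: specifiers}. Comments, blank lines and pip options
    such as '-c constraints.txt' or '-r other.txt' are skipped."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(.*)", line)
        name, spec = m.group(1).lower(), m.group(2).strip()
        result[name] = parse_specifiers(spec) if spec else []
    return result


def installable_versions(package, requirements, constraints, candidates):
    """Versions pip could pick: they must satisfy the requirement AND the
    constraint. A constraint alone never causes an install, so a package
    that appears only in constraints.txt is not a dependency."""
    req = parse_pip_file(requirements).get(package, [])
    con = parse_pip_file(constraints).get(package, [])
    return [v for v in candidates if satisfies(v, req) and satisfies(v, con)]


def reachable_vulnerable_versions(package, vulnerable_range,
                                  requirements, constraints, candidates):
    """Installable versions that also sit inside the advisory's range.
    An empty list means the alert cannot apply to this configuration."""
    vuln = parse_specifiers(vulnerable_range)
    allowed = installable_versions(package, requirements, constraints, candidates)
    return [v for v in allowed if satisfies(v, vuln)]


if __name__ == "__main__":
    RANGE = ">= 3.1, < 3.1.6"   # the range quoted in the alert
    print("with constraints:   ", reachable_vulnerable_versions(
        "django", RANGE, REQUIREMENTS_TXT, CONSTRAINTS_TXT, CANDIDATE_VERSIONS))
    print("without constraints:", reachable_vulnerable_versions(
        "django", RANGE, REQUIREMENTS_TXT, "", CANDIDATE_VERSIONS))
```

With the constraints file honoured, no installable version lies in the vulnerable range, which is the false positive described above; drop the `-c` file and the 3.1.x releases below 3.1.6 become reachable. The parser covers only the comparison operators that appear in the alert text; `~=`, `===`, wildcards and environment markers would need the `packaging` library.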


Hi @RamonvdW,

Thanks for bringing this up to the community. I am not sure if it was our intention to use Constraints files in the same way Requirements files are. I will need to do some digging here.

To your point, it doesn’t appear to be useful to treat these files like requirements.

Hi @RamonvdW

Are you able to provide a link to a repository where this is happening?


My nhbapps repo has this issue.



This project also has the issue with Dependabot false positives on the constraints.txt file:

This directory contains the requirements and constraints files:

Just wondering: would it help if I rename constraints.txt to ?