pip allows you to configure constraints files (see User Guide - pip documentation v21.0.1), but Dependabot seems to confuse them with requirements.txt-like files.
I use the constraints to allow upgrades to the latest minor (3.0.x), but never step over to the next major (3.1).
constraints.txt:

```
# stick to django 3.0 for now
django<3.1
```

requirements.txt:

```
# required pip packages
-c constraints.txt
# web framework
Django
```
The proposal Dependabot gives: “Upgrade django to version 3.1.6 or later”
The justification: Vulnerable versions: >= 3.1, < 3.1.6; Patched version: 3.1.6
So I am not using a vulnerable version, but it thinks I do.
What can I do to avoid these false positives?
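To make the mismatch concrete, here is an added example (my own code, not from the original post or from pip/Dependabot) that resolves the requirement the way pip does, once honouring the constraints file and once ignoring it, and checks the result against the advisory range quoted above. The release list, the `-c`/comment parsing and the `assess` helper are constructed for the example; real pip uses the full PEP 440 rules, which this simplified matcher does not (no pre-release, `~=` or local-version handling).

```python
"""Resolve a requirements/constraints pair against a vulnerable range.

Added example, not from the original post. The release list is a
constructed stand-in for a package index; the spec matcher is a
deliberately small subset of PEP 440 (==, !=, <, <=, >, >= only).
"""
import re

# Constructed sample of Django releases (not a live index query).
RELEASES = ["2.2.17", "2.2.18", "3.0.10", "3.0.11", "3.0.12",
            "3.1", "3.1.4", "3.1.5", "3.1.6"]

# The two files from the question, embedded inline.
REQUIREMENTS = "# required pip packages\n-c constraints.txt\n# web framework\nDjango\n"
CONSTRAINTS = "# stick to django 3.0 for now\ndjango<3.1\n"

# Advisory range quoted in the question: >= 3.1, < 3.1.6 (patched: 3.1.6).
VULNERABLE = ">=3.1,<3.1.6"

_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")


def parse_version(text):
    """'3.1.6' -> (3, 1, 6); trailing non-numeric suffixes are ignored."""
    core = re.match(r"[0-9.]+", text).group(0).rstrip(".")
    return tuple(int(p) for p in core.split("."))


def _cmp(a, b):
    """Three-way compare two version tuples, zero-padding the shorter one."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version, spec):
    """True if `version` meets every clause of `spec`; '' matches all."""
    v = parse_version(version)
    for op, ref in _SPEC_RE.findall(spec):
        c = _cmp(v, parse_version(ref))
        ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
              "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def parse_pip_file(text):
    """{name: spec} from a requirements/constraints file; '-c'/'-r' lines
    and comments are skipped (the caller decides whether to apply them)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(.*)", line)
        out[m.group(1).lower()] = m.group(2).strip()
    return out


def assess(req_text, cons_text, releases, package, vulnerable_spec,
           honour_constraints=True):
    """Pick the highest release allowed by requirement (+ constraint) and
    report whether it, or anything else still allowed, is vulnerable."""
    reqs = parse_pip_file(req_text)
    cons = parse_pip_file(cons_text) if honour_constraints else {}
    name = package.lower()
    allowed = [r for r in releases
               if satisfies(r, reqs.get(name, ""))
               and satisfies(r, cons.get(name, ""))]
    resolved = max(allowed, key=parse_version) if allowed else None
    return {
        "resolved": resolved,
        "resolved_vulnerable": resolved is not None
        and satisfies(resolved, vulnerable_spec),
        "allowed_vulnerable": sorted(
            (r for r in allowed if satisfies(r, vulnerable_spec)),
            key=parse_version),
    }


if __name__ == "__main__":
    for honour in (True, False):
        label = "with" if honour else "without"
        print(label, "constraints:",
              assess(REQUIREMENTS, CONSTRAINTS, RELEASES, "Django",
                     VULNERABLE, honour_constraints=honour))
```

With the constraints file honoured the resolver lands on 3.0.12 and no allowed release falls in the advisory range, which is the questioner's position; with the constraint ignored the unpinned `Django` line admits 3.1, 3.1.4 and 3.1.5, which is the range a tool sees if it reads only requirements.txt.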