Skip to content

fix(ci): ignore unresolvable pytest security update#1347

Open
TimeToBuildBob wants to merge 3 commits into
ActivityWatch:masterfrom
TimeToBuildBob:bob/fix-dependabot-pytest-39
Open

fix(ci): ignore unresolvable pytest security update#1347
TimeToBuildBob wants to merge 3 commits into
ActivityWatch:masterfrom
TimeToBuildBob:bob/fix-dependabot-pytest-39

Conversation

@TimeToBuildBob

@TimeToBuildBob TimeToBuildBob commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Dependabot security updates currently fail on the root Poetry project because pytest 9.0.3 is the first non-vulnerable release, but pytest 9 no longer supports Python 3.9. The ActivityWatch release workflow still builds on Python 3.9, so Dependabot cannot resolve that update without dropping the current build baseline.

This adds an explicit root pip entry only so the pytest ignore rule has a matching ecosystem entry to attach to. open-pull-requests-limit: 0 keeps pip version-update PRs disabled because those are still too noisy and easier to update by hand. Dependabot security-update PRs remain governed by the repository/org security settings, so this PR does not expand security-update coverage for other pip packages; it only ignores pytest 9+ until the build baseline moves to Python 3.10+.

Validation:

  • ruby -e 'require "yaml"; YAML.load_file("/tmp/worktrees/activitywatch-master-ci/.github/dependabot.yml"); puts "yaml ok"'
  • git diff --check -- .github/dependabot.yml

@greptile-apps

greptile-apps Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR activates a pip entry in .github/dependabot.yml solely to give Dependabot an ecosystem block to attach the pytest >=9 ignore rule to. The open-pull-requests-limit: 0 setting suppresses version-update PRs while leaving security-update behavior governed by repository settings, as it was before.

  • Adds package-ecosystem: pip with open-pull-requests-limit: 0, matching the intent of the previously-commented-out block (no version-update PRs) while enabling the ignore rule attachment.
  • Ignores pytest >= 9 explicitly, because pytest 9 is the first non-vulnerable release but dropped Python 3.9 support — which is still required by the ActivityWatch release workflow.

Confidence Score: 5/5

Safe to merge — this is a single-file CI config change with no effect on application code or production behavior.

The change is a minimal, well-scoped addition to the Dependabot config. The open-pull-requests-limit: 0 correctly suppresses only version-update PRs, the ignore rule targets exactly the unresolvable pytest alert, and the YAML is syntactically valid. The trade-off (accepting the existing pytest vulnerability until the Python 3.9 build baseline is dropped) is clearly documented in both the comment and PR description.

No files require special attention.

Important Files Changed

Filename Overview
.github/dependabot.yml Uncomments pip ecosystem entry with open-pull-requests-limit: 0 and an ignore rule that suppresses pytest ≥9 security-update PRs while Python 3.9 remains the build baseline.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot detects pip vulnerability] --> B{Is affected\npackage pytest?}
    B -- Yes --> C{Is fix version\n>= 9?}
    C -- Yes --> D[Ignore rule matches\nNo PR created]
    C -- No --> E[Security PR created\nif settings allow]
    B -- No --> E
    E --> F{open-pull-requests-limit}
    F -- 0 blocks version updates --> G[Version-update PR suppressed]
    F -- Security updates unaffected --> E
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[Dependabot detects pip vulnerability] --> B{Is affected\npackage pytest?}
    B -- Yes --> C{Is fix version\n>= 9?}
    C -- Yes --> D[Ignore rule matches\nNo PR created]
    C -- No --> E[Security PR created\nif settings allow]
    B -- No --> E
    E --> F{open-pull-requests-limit}
    F -- 0 blocks version updates --> G[Version-update PR suppressed]
    F -- Security updates unaffected --> E
Loading

Reviews (2): Last reviewed commit: "docs(ci): clarify dependabot pip securit..." | Re-trigger Greptile

Comment thread .github/dependabot.yml
Comment on lines +18 to +29
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 0
ignore:
# pytest 9.x is the first non-vulnerable line for the current alert, but
# it no longer supports Python 3.9. The release workflow still builds
# ActivityWatch with Python 3.9, so Dependabot cannot resolve that update
# until the build baseline moves to Python 3.10+.
- dependency-name: "pytest"
versions: [">=9"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Security update PRs now enabled for all other pip deps

Before this change the pip entry was fully commented out, so Dependabot created zero security-update PRs for pip. open-pull-requests-limit: 0 suppresses only version-update PRs; it has no effect on security-update PRs (GitHub docs: "This does not affect any pending Dependabot security updates"). Activating the entry means security-update PRs will now appear for every vulnerable pip dependency except pytest ≥9. If that broader coverage is the intent, the PR is correct — but the description frames this purely as "ignore the pytest alert", so it's worth confirming the team is comfortable with security-update PRs for other pip packages starting to land.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch to double-check, but I don't think this changes the security-update surface for other pip deps.

Dependabot security updates run independently of dependabot.yml — GitHub enables them automatically for any detected manifest once "Dependabot security updates" is on for the repo, regardless of whether an ecosystem/directory has an explicit entry in the config file (that's also why the pytest alert was already firing and unresolvable before this PR, even though the pip entry was fully commented out). open-pull-requests-limit: 0 only suppresses version-update PRs for this entry, same as it did implicitly before.

So the net effect of this change is just the ignore rule silencing the specific unresolvable pytest ≥9 alert — it doesn't newly enable or expand security-update PRs for other pip packages; those were already possible. Uncommenting the block was necessary here only because ignore rules require a matching ecosystem entry to attach to.

@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

I recorded work for this monitoring item, but the worker finished before posting the thread update. The delivery guard caught the missing reply and is closing the loop now.

Evidence: commit: dfd79aea07 docs(journal): PM — #1347 Greptile reply on dependabot pip scope

Session: 1ee07d18-39df-5c07-9cb9-b2a8435a4a4a

@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

@greptileai review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant