
Poetry Pep621 still only transitive dependencies are updated #14228

@TheSuperiorStanislav

Description

@TheSuperiorStanislav

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

poetry

Package manager version

2.2.1

Language version

3.14

Manifest location and content before the Dependabot update

# Poetry is used for dependency management only: with package-mode off the
# project itself is not built or installed as a package.
[tool.poetry]
package-mode = false

# PEP 621 project metadata.
# Apart from django, every requirement below is an exact `==` pin, so a newer
# release (including a security fix) is only picked up when this file is edited.
[project]
name = "project"
version = "0.0.0"
requires-python = "==3.14.*"
# PyPI rejects uploads that carry a "Private ::" classifier, which guards
# against publishing this project by accident.
classifiers = ["Private :: Do Not Upload"]
dependencies = [
  # Django packages
  # Main framework
  # https://www.djangoproject.com/
  # Wildcard pin: any 5.x release satisfies it; the lock file decides which one
  # is actually installed.
  "django==5.*",
  # Assorted Django utilities
  # https://django-extensions.readthedocs.io/en/latest/
  "django-extensions==4.1",
  # Filter querysets dynamically
  # https://django-filter.readthedocs.io/en/stable/
  "django-filter==25.2",
  # Case-insensitive model fields
  # https://github.com/voiio/django-citext
  "django-citext==1.0.2",
  # Storage backend for AWS S3
  # https://django-storages.readthedocs.io/en/latest/
  "django-storages[boto3]==1.14.6",
  # Periodic tasks
  # https://github.com/celery/django-celery-beat
  "django-celery-beat==2.8.1",
  # Redis cache backend for Django
  # https://github.com/jazzband/django-redis
  "django-redis==6.0.0",
  # Django health check
  # Checks for various conditions and reports when anomalous behavior is detected.
  # https://github.com/revsys/django-health-check
  "django-health-check==4.0.0",
  # Utility that helps handle the DATABASE_URL environment variable
  # https://github.com/jazzband/dj-database-url
  "dj-database-url==3.0.1",
  # Detects when a field's in-memory value differs from the value saved in the database.
  # https://django-dirtyfields.readthedocs.io/en/stable/
  "django-dirtyfields==1.9.7",

  # DRF packages
  # Django REST Framework
  # https://www.django-rest-framework.org/
  "djangorestframework==3.16.1",
  # Secure token-based auth for DRF
  # https://github.com/jazzband/django-rest-knox/
  "django-rest-knox==5.0.2",
  # OpenAPI spec generator
  # https://drf-spectacular.readthedocs.io/en/latest/
  "drf-spectacular==0.29.0",
  # Standardize DRF API error responses with drf-spectacular support
  # https://drf-standardized-errors.readthedocs.io/en/latest/
  "drf-standardized-errors[openapi]==0.15.0",

  # Other packages
  # Decouple helps you to organize your settings so that you can change
  # parameters without having to redeploy your app.
  # https://github.com/HBNetwork/python-decouple
  "python-decouple==3.8",
  # Python client for Sentry
  # https://docs.sentry.io/platforms/python/guides/django/
  "sentry-sdk==2.43.0",
  # Provides a rich toolkit to help you make the most of using Python interactively
  # https://ipython.readthedocs.io/en/stable/
  "ipython==9.7.0",
  # Low-level library for working with images
  # https://pillow.readthedocs.io/en/stable/
  "pillow==12.0.0",
  # HTML sanitizing library that escapes or strips markup and attributes
  # https://github.com/matthiask/html-sanitizer
  "html-sanitizer==2.6.0",
  # Needed for faster boto3 resolution
  # https://github.com/boto/botocore/issues/2926
  "urllib3==2.6.3",
  # PostgreSQL database adapter
  # https://pypi.org/project/psycopg-binary/
  "psycopg[binary]==3.2.12",
  # Celery
  # https://docs.celeryproject.org/en/stable/
  "celery[redis]==5.5.3",
  # DateTime manipulation library
  # https://arrow.readthedocs.io/en/stable/
  "arrow==1.4.0",
  # Prettified output in logging
  # https://rich.readthedocs.io/en/latest/introduction.html
  "rich==14.2.0",
  # Convert Markdown syntax into HTML
  # https://github.com/lepture/mistune
  # Performance: https://github.com/lepture/mistune?tab=readme-ov-file#benchmarks
  "mistune==3.1.4",
  # Tools For S3 Used By Saritasa
  # https://github.com/saritasa-nest/saritasa-s3-tools
  "saritasa-s3-tools[django,django-openapi,testing]==0.5.0",
  # Tools For DRF Used By Saritasa
  # https://github.com/saritasa-nest/saritasa-drf-tools
  "saritasa-drf-tools[filter,openapi]==0.1.0",

  # Library that provides convenient access to the OpenAI REST API
  # https://github.com/openai/openai-python
  "openai==2.7.2",

  # Devops packages
  # The uWSGI server as a Python module
  # https://pypi.org/project/pyuwsgi/
  "pyuwsgi==2.0.30",
  # uwsgitop is a top-like command that uses the uWSGI Stats Server to monitor your uwsgi application.
  # https://pypi.org/project/uwsgitop/
  "uwsgitop==0.12",
]

# PEP 735 dependency groups: development, local-only and test tooling, kept
# apart from the runtime requirements in [project].dependencies.
[dependency-groups]
dev = [
  # The Django Debug Toolbar is a configurable set of panels that display various debug information
  # about the current request/response and when clicked, display more details about the panel's content.
  # NOTE(review): the panels expose request, SQL and settings data; install this group in
  # development environments only.
  # https://django-debug-toolbar.readthedocs.io/en/latest/
  "django-debug-toolbar==6.1.0",
  # Exports functions to access the IPython debugger, which features tab completion, syntax highlighting, better tracebacks
  # https://github.com/gotcha/ipdb
  "ipdb==0.13.13",
]
local = [
  # Needed to run runserver_plus
  # NOTE(review): runserver_plus serves Werkzeug's interactive debugger, which evaluates code
  # sent from the browser; never expose it beyond a local machine.
  # https://github.com/pallets/werkzeug
  "werkzeug==3.1.5",
  # Provides a management command to check if the primary database is ready to accept
  # connections
  # https://github.com/painless-software/django-probes
  "django-probes==1.7.0",
  # Control CORS headers from within the app
  # CORS is managed by Nginx in a production environment,
  # but this package provides CORS for local development with a local frontend.
  # https://pypi.org/project/django-cors-headers/
  "django-cors-headers==4.9.0",
  # Collection of invoke commands used by Saritasa
  # Invoke is a Python (2.7 and 3.4+) task execution tool & library,
  # drawing inspiration from various sources to arrive at a powerful & clean feature set.
  # http://www.pyinvoke.org/
  # https://github.com/saritasa-nest/saritasa-python-invocations/
  "saritasa-invocations[env-settings]==1.9.0",
  # A framework for managing and maintaining multi-language pre-commit hooks.
  # https://pre-commit.com/
  "pre-commit==4.3.0",
  # A library and CLI app for rendering project templates.
  # https://copier.readthedocs.io/en/latest/
  "copier==9.10.3",
]
test = [
  # Makes it easy to write small tests, yet scales to support complex functional testing
  # https://github.com/pytest-dev/pytest/
  "pytest==9.0.0",
  # Provides useful tools for testing Django apps
  # Docs: https://pytest-django.readthedocs.io/en/latest/
  "pytest-django==4.11.1",
  # Runs tests in parallel
  # Docs: https://pypi.org/project/pytest-xdist/
  "pytest-xdist==3.8.0",
  # Prettifies pytest output
  "pytest-sugar==1.1.1",
  # Allows you to use fixtures in @pytest.mark.parametrize.
  # https://pypi.org/project/pytest-lazy-fixtures/
  "pytest-lazy-fixtures==1.3.4",
  # This plugin produces coverage reports.
  # https://pytest-cov.readthedocs.io/en/latest/index.html
  "pytest-cov==7.0.0",
  # Provides a mocker fixture which is a thin wrapper around the patching API provided by the mock package
  # https://github.com/pytest-dev/pytest-mock/
  "pytest-mock==3.15.1",
  # Fast creation of model instances. May be used in tests
  # https://factoryboy.readthedocs.io/en/stable/
  "factory-boy==3.3.3",
]

dependabot.yml content

# Dependabot version-update configuration: one weekly, grouped pull request for
# the Python manifest at the repository root.
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
# The `pip` ecosystem is also the one Dependabot uses for Poetry projects.
- package-ecosystem: pip
  # Directory that holds the manifest (pyproject.toml).
  directory: "/"
  schedule:
    interval: weekly
    # Interpreted as UTC unless a `timezone` key is added.
    time: "21:00"
    day: "monday"
  commit-message:
    prefix: "[automated-commit] "
  labels:
    - "automated-pr"
  # One catch-all group: every matching update lands in a single pull request.
  # Without an `applies-to` key a group covers version updates only.
  # NOTE(review): with everything in one PR, a security-relevant bump is reviewed
  # together with routine ones; check each bumped package, not only the PR title.
  groups:
    pip:
      patterns:
      - "*"
  # "all" allows updates to both explicitly declared dependencies and, for this
  # ecosystem, their sub-dependencies.
  allow:
    - dependency-name: "*"
      dependency-type: "all"

Updated dependency

Bumps the pip group with 4 updates: boto3, boto3-stubs, botocore and filelock.

Updates boto3 from 1.42.50 to 1.42.53

Commits
  • ab66554 Merge branch 'release-1.42.53'
  • dfa0446 Bumping version to 1.42.53
  • 4399285 Add changelog entries from botocore
  • d08d5d2 Merge branch 'release-1.42.52'
  • 16b1743 Merge branch 'release-1.42.52' into develop
  • 89e187c Bumping version to 1.42.52
  • bf52251 Add changelog entries from botocore
  • 6d6ff5b Update legacy documentation links (#4722)
  • bf41321 Merge branch 'release-1.42.51'
  • 80224c1 Merge branch 'release-1.42.51' into develop
  • Additional commits viewable in compare view

Updates boto3-stubs from 1.42.50 to 1.42.53

Release notes

Sourced from boto3-stubs's releases.

8.8.0 - Python 3.8 runtime is back

Changed

  • [services] install_requires section is calculated based on dependencies in use, so typing-extensions version is set properly
  • [all] Replaced typing imports with collections.abc with a fallback to typing for Python <3.9
  • [all] Added aliases for builtins.list, builtins.set, builtins.dict, and builtins.type, so Python 3.8 runtime should work as expected again (reported by @​YHallouard in #340 and @​Omri-Ben-Yair in #336)
  • [all] Unions use the same type annotations as the rest of the structures due to proper fallbacks

Fixed

  • [services] Universal input/output shapes were not replaced properly in service subresources
  • [docs] Simplified doc links rendering for services
  • [services] Cleaned up unnecessary imports in client.pyi
  • [builder] Import records with fallback are always rendered
Commits

Updates botocore from 1.42.50 to 1.42.53

Commits
  • de615b8 Merge branch 'release-1.42.53'
  • a1ee10b Bumping version to 1.42.53
  • e4fa062 Update to latest models
  • d1efb3b Add support for sha512, xxhash algorithms, and MD5 for httpchecksums (#3637)
  • 7cdfafa Merge branch 'release-1.42.52'
  • 1e787fd Merge branch 'release-1.42.52' into develop
  • a17421e Bumping version to 1.42.52
  • 26e48b2 Update endpoints model
  • d4e16d1 Update to latest models
  • 49946ac Remove application-autoscaling smoke tests (#3636)
  • Additional commits viewable in compare view

Updates filelock from 3.24.2 to 3.24.3

Release notes

Sourced from filelock's releases.

3.24.3

What's Changed

Full Changelog: tox-dev/filelock@3.24.2...3.24.3

Changelog

Sourced from filelock's changelog.

########### Changelog ###########


3.24.3 (2026-02-19)


  • 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495
  • 🐛 fix(ci): add trailing blank line after changelog entries :pr:492

3.24.2 (2026-02-16)


  • 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
  • 🐛 fix(test): resolve flaky write non-starvation test :pr:490
  • 📝 docs: restructure using Diataxis framework :pr:489

3.24.1 (2026-02-15)


  • 🐛 fix(soft): resolve Windows deadlock and test race condition :pr:488

3.24.0 (2026-02-14)


  • ✨ feat(lock): add lifetime parameter for lock expiration (#68) :pr:486
  • ✨ feat(lock): add cancel_check to acquire (#309) :pr:487
  • 🐛 fix(api): detect same-thread self-deadlock :pr:481
  • ✨ feat(mode): respect POSIX default ACLs (#378) :pr:483
  • 🐛 fix(win): eliminate lock file race in threaded usage :pr:484
  • ✨ feat(lock): add poll_interval to constructor :pr:482
  • 🐛 fix(unix): auto-fallback to SoftFileLock on ENOSYS :pr:480

3.23.0 (2026-02-14)


  • 📝 docs: move from Unlicense to MIT :pr:479
  • 📝 docs: add fasteners to similar libraries :pr:478

3.22.0 (2026-02-14)


  • 🐛 fix(soft): skip stale detection on Windows :pr:477
  • ✨ feat(soft): detect and break stale locks :pr:476

... (truncated)

Commits
  • b34b3df Release 3.24.3
  • e266937 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire (#495)
  • e65c3b8 [pre-commit.ci] pre-commit autoupdate (#493)
  • a67ae00 🐛 fix(ci): add trailing blank line after changelog entries (#492)
  • See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
boto3 [>= 1.36.2.dev0, < 1.36.3]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

What you expected to see, versus what you actually saw

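I expected Pillow, copier, and the other outdated direct dependencies to be updated. Instead, the pull request bumped only boto3, boto3-stubs, botocore and filelock, none of which is declared directly in the manifest.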

Native package manager behavior

poetry show --outdated
boto3                1.42.50 1.42.53 The AWS SDK for Python
boto3-stubs          1.42.50 1.42.53 Type annotations for boto3 1.42.50 generated with mypy-boto3-builder 8.12.0
botocore             1.42.50 1.42.53 Low-level, data-driven core of boto 3.
celery               5.5.3   5.6.2   Distributed Task Queue.
copier               9.10.3  9.11.3  A library for rendering project templates.
dj-database-url      3.0.1   3.1.2   Use Database URLs in your Django Application.
django               5.2.11  6.0.2   A high-level Python web framework that encourages rapid development and clean, pragmatic design.
django-citext        1.0.2   1.0.3   PostgreSQL CIText integration for Django.
django-debug-toolbar 6.1.0   6.2.0   A configurable set of panels that display various debug information about the current request/res...
django-dirtyfields   1.9.7   1.9.9   Tracking dirty fields on a Django model instance.
django-health-check  4.0.0   4.0.4   Monitor the health of your Django app and its connected services.
django-probes        1.7.0   1.8.0   Make Django wait until database is ready. Probes for Docker and Kubernetes.
filelock             3.24.2  3.24.3  A platform independent file lock.
ipython              9.7.0   9.10.0  IPython: Productive Interactive Computing
kombu                5.5.4   5.6.2   Messaging library for Python.
mistune              3.1.4   3.2.0   A sane and fast Markdown parser with useful plugins and renderers
openai               2.7.2   2.21.0  The official Python library for the openai API
pillow               12.0.0  12.1.1  Python Imaging Library (fork)
pre-commit           4.3.0   4.5.1   A framework for managing and maintaining multi-language pre-commit hooks.
psycopg              3.2.12  3.3.3   PostgreSQL database adapter for Python
psycopg-binary       3.2.12  3.3.3   PostgreSQL database adapter for Python -- C optimisation distribution
pytest               9.0.0   9.0.2   pytest: simple powerful testing with Python
pytest-django        4.11.1  4.12.0  A Django plugin for pytest.
pytest-lazy-fixtures 1.3.4   1.4.0   Allows you to use fixtures in @pytest.mark.parametrize.
redis                5.2.1   7.2.0   Python client for Redis database and key-value store
rich                 14.2.0  14.3.3  Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal
saritasa-drf-tools   0.1.0   0.3.0   Tools For DRF Used By Saritasa
saritasa-invocations 1.9.0   1.9.1   Collection of invoke commands used by Saritasa
saritasa-s3-tools    0.5.0   0.6.0   Tools For S3 Used By Saritasa
sentry-sdk           2.43.0  2.53.0  Python client for Sentry (https://sentry.io)
werkzeug             3.1.5   3.1.6   The comprehensive WSGI web application library.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

pyproject.toml

# Poetry is used for dependency management only: with package-mode off the
# project itself is not built or installed as a package.
[tool.poetry]
package-mode = false

# PEP 621 project metadata.
# Apart from django, every requirement below is an exact `==` pin, so a newer
# release (including a security fix) is only picked up when this file is edited.
[project]
name = "project"
version = "0.0.0"
requires-python = "==3.14.*"
# PyPI rejects uploads that carry a "Private ::" classifier, which guards
# against publishing this project by accident.
classifiers = ["Private :: Do Not Upload"]
dependencies = [
  # Django packages
  # Main framework
  # https://www.djangoproject.com/
  # Wildcard pin: any 5.x release satisfies it; the lock file decides which one
  # is actually installed.
  "django==5.*",
  # Assorted Django utilities
  # https://django-extensions.readthedocs.io/en/latest/
  "django-extensions==4.1",
  # Filter querysets dynamically
  # https://django-filter.readthedocs.io/en/stable/
  "django-filter==25.2",
  # Case-insensitive model fields
  # https://github.com/voiio/django-citext
  "django-citext==1.0.2",
  # Storage backend for AWS S3
  # https://django-storages.readthedocs.io/en/latest/
  "django-storages[boto3]==1.14.6",
  # Periodic tasks
  # https://github.com/celery/django-celery-beat
  "django-celery-beat==2.8.1",
  # Redis cache backend for Django
  # https://github.com/jazzband/django-redis
  "django-redis==6.0.0",
  # Django health check
  # Checks for various conditions and reports when anomalous behavior is detected.
  # https://github.com/revsys/django-health-check
  "django-health-check==4.0.0",
  # Utility that helps handle the DATABASE_URL environment variable
  # https://github.com/jazzband/dj-database-url
  "dj-database-url==3.0.1",
  # Detects when a field's in-memory value differs from the value saved in the database.
  # https://django-dirtyfields.readthedocs.io/en/stable/
  "django-dirtyfields==1.9.7",

  # DRF packages
  # Django REST Framework
  # https://www.django-rest-framework.org/
  "djangorestframework==3.16.1",
  # Secure token-based auth for DRF
  # https://github.com/jazzband/django-rest-knox/
  "django-rest-knox==5.0.2",
  # OpenAPI spec generator
  # https://drf-spectacular.readthedocs.io/en/latest/
  "drf-spectacular==0.29.0",
  # Standardize DRF API error responses with drf-spectacular support
  # https://drf-standardized-errors.readthedocs.io/en/latest/
  "drf-standardized-errors[openapi]==0.15.0",

  # Other packages
  # Decouple helps you to organize your settings so that you can change
  # parameters without having to redeploy your app.
  # https://github.com/HBNetwork/python-decouple
  "python-decouple==3.8",
  # Python client for Sentry
  # https://docs.sentry.io/platforms/python/guides/django/
  "sentry-sdk==2.43.0",
  # Provides a rich toolkit to help you make the most of using Python interactively
  # https://ipython.readthedocs.io/en/stable/
  "ipython==9.7.0",
  # Low-level library for working with images
  # https://pillow.readthedocs.io/en/stable/
  "pillow==12.0.0",
  # HTML sanitizing library that escapes or strips markup and attributes
  # https://github.com/matthiask/html-sanitizer
  "html-sanitizer==2.6.0",
  # Needed for faster boto3 resolution
  # https://github.com/boto/botocore/issues/2926
  "urllib3==2.6.3",
  # PostgreSQL database adapter
  # https://pypi.org/project/psycopg-binary/
  "psycopg[binary]==3.2.12",
  # Celery
  # https://docs.celeryproject.org/en/stable/
  "celery[redis]==5.5.3",
  # DateTime manipulation library
  # https://arrow.readthedocs.io/en/stable/
  "arrow==1.4.0",
  # Prettified output in logging
  # https://rich.readthedocs.io/en/latest/introduction.html
  "rich==14.2.0",
  # Convert Markdown syntax into HTML
  # https://github.com/lepture/mistune
  # Performance: https://github.com/lepture/mistune?tab=readme-ov-file#benchmarks
  "mistune==3.1.4",
  # Tools For S3 Used By Saritasa
  # https://github.com/saritasa-nest/saritasa-s3-tools
  "saritasa-s3-tools[django,django-openapi,testing]==0.5.0",
  # Tools For DRF Used By Saritasa
  # https://github.com/saritasa-nest/saritasa-drf-tools
  "saritasa-drf-tools[filter,openapi]==0.1.0",

  # Library that provides convenient access to the OpenAI REST API
  # https://github.com/openai/openai-python
  "openai==2.7.2",

  # Devops packages
  # The uWSGI server as a Python module
  # https://pypi.org/project/pyuwsgi/
  "pyuwsgi==2.0.30",
  # uwsgitop is a top-like command that uses the uWSGI Stats Server to monitor your uwsgi application.
  # https://pypi.org/project/uwsgitop/
  "uwsgitop==0.12",
]

# PEP 735 dependency groups: development, local-only and test tooling, kept
# apart from the runtime requirements in [project].dependencies.
[dependency-groups]
dev = [
  # The Django Debug Toolbar is a configurable set of panels that display various debug information
  # about the current request/response and when clicked, display more details about the panel's content.
  # NOTE(review): the panels expose request, SQL and settings data; install this group in
  # development environments only.
  # https://django-debug-toolbar.readthedocs.io/en/latest/
  "django-debug-toolbar==6.1.0",
  # Exports functions to access the IPython debugger, which features tab completion, syntax highlighting, better tracebacks
  # https://github.com/gotcha/ipdb
  "ipdb==0.13.13",
]
local = [
  # Needed to run runserver_plus
  # NOTE(review): runserver_plus serves Werkzeug's interactive debugger, which evaluates code
  # sent from the browser; never expose it beyond a local machine.
  # https://github.com/pallets/werkzeug
  "werkzeug==3.1.5",
  # Provides a management command to check if the primary database is ready to accept
  # connections
  # https://github.com/painless-software/django-probes
  "django-probes==1.7.0",
  # Control CORS headers from within the app
  # CORS is managed by Nginx in a production environment,
  # but this package provides CORS for local development with a local frontend.
  # https://pypi.org/project/django-cors-headers/
  "django-cors-headers==4.9.0",
  # Collection of invoke commands used by Saritasa
  # Invoke is a Python (2.7 and 3.4+) task execution tool & library,
  # drawing inspiration from various sources to arrive at a powerful & clean feature set.
  # http://www.pyinvoke.org/
  # https://github.com/saritasa-nest/saritasa-python-invocations/
  "saritasa-invocations[env-settings]==1.9.0",
  # A framework for managing and maintaining multi-language pre-commit hooks.
  # https://pre-commit.com/
  "pre-commit==4.3.0",
  # A library and CLI app for rendering project templates.
  # https://copier.readthedocs.io/en/latest/
  "copier==9.10.3",
]
test = [
  # Makes it easy to write small tests, yet scales to support complex functional testing
  # https://github.com/pytest-dev/pytest/
  "pytest==9.0.0",
  # Provides useful tools for testing Django apps
  # Docs: https://pytest-django.readthedocs.io/en/latest/
  "pytest-django==4.11.1",
  # Runs tests in parallel
  # Docs: https://pypi.org/project/pytest-xdist/
  "pytest-xdist==3.8.0",
  # Prettifies pytest output
  "pytest-sugar==1.1.1",
  # Allows you to use fixtures in @pytest.mark.parametrize.
  # https://pypi.org/project/pytest-lazy-fixtures/
  "pytest-lazy-fixtures==1.3.4",
  # This plugin produces coverage reports.
  # https://pytest-cov.readthedocs.io/en/latest/index.html
  "pytest-cov==7.0.0",
  # Provides a mocker fixture which is a thin wrapper around the patching API provided by the mock package
  # https://github.com/pytest-dev/pytest-mock/
  "pytest-mock==3.15.1",
  # Fast creation of model instances. May be used in tests
  # https://factoryboy.readthedocs.io/en/stable/
  "factory-boy==3.3.3",
]
