Dependabot broke pip package updates by forcing changes to lower bounds.

[jvesely]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

pip

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

expected:
Dependabot should never break dependencies that are necessary to support Python versions supported by projects.

observed:
Dependabot is breaking support for older Python versions by creating PRs that suggest updating dependency lower bounds, which breaks support for older Python versions.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[domdfcoding]

Not only is it changing lower bounds it is also ignoring the open-pull-requests-limit of zero when making these PRs, but only on private repos (or at least I've not seen any on my public repos with that option set to zero). The setting has been respected in the past for private repos.

[AbhishekBhaskar]

@jvesely can you please share your manifest files (pyproject.toml/requirements.txt), dependabot.yml file and a link to the offending PR if possible? We bump the lower bounds on certain conditions like if the project is an application or doesn't have a pyproject.toml file. You can instead set versioning-strategy: widen-ranges (or increase-if-necessary) in the dependabot.yml to preserve lower bounds.

[jvesely]

Hi, example PR: PrincetonUniversity/PsyNeuLink#3523
The project doesn't have pyproject.toml file.
The requirements file has version ranges for all dependencies:

beartype>=0.11.0, <0.23.0
dill>=0.3.7, <0.4.2
fastkde>=2.0.0, <2.1.6
graph-scheduler>=1.2.1, <1.3.0
graphviz>=0.20.0, <0.22.0
grpcio>=1.60.0, <1.81.0
leabra-psyneulink>=0.3.2, <0.3.3
llvmlite>=0.40, <0.48
matplotlib>=3.7.0, <3.10.9
modeci_mdf>=0.4.3, <0.4.14; (platform_machine == 'AMD64' or platform_machine == 'x86_64' or platform_machine == 'arm64' or platform_machine == 'aarch64') and platform_python_implementation == 'CPython' and implementation_name == 'cpython'
networkx>=2.6, <3.7
numpy>=1.21.0, <2.3.6
optuna>=3.1.0, <4.9.0
packaging>=23.0, <27.0
pandas>=2.0.0, <3.0.3
pillow>=10.0.0, <12.3.0
pint>=0.20, <0.26.0
protobuf>=3.20.2, <7.34.2
psutil>=5.9.0, <7.2.3
rich>=10.7, <15.1
scipy>=1.7.3, <1.18
toposort>=1.7, <1.11
torch>=1.13.0, <2.12.0; (platform_machine == 'AMD64' or platform_machine == 'x86_64' or platform_machine == 'arm64' or platform_machine == 'aarch64') and platform_python_implementation == 'CPython' and implementation_name == 'cpython'

The original dependabot file was:

version: 2
updates:

  - package-ecosystem: "github-actions"
    directory: "/" # use top dir
    schedule:
      interval: "daily"
    target-branch: "devel"
    commit-message:
      prefix: "github-actions"
      include: "scope"
    labels:
      - "CI"
    rebase-strategy: "disabled"

  - package-ecosystem: "pip"
    directory: "/" # use top dir
    schedule:
      interval: "daily"
    target-branch: "devel"
    commit-message:
      prefix: "requirements"
    labels:
      - "deps"
    open-pull-requests-limit: 25
    rebase-strategy: "disabled"

I've since updated the versioning strategy to

versioning-strategy: "increase-if-necessary"

[jvesely]

However, the PRs autoclosed (personal fork of the repo), e.g jvesely/PsyNeuLink#669

Only after removing the .python-version file. With the file present, the python version would be set to 3.13, without the file I see:

updater | 2026/04/29 02:02:31 INFO <job_1341155378> Dependabot is using Python version '3.9.24'. [1]

That appears to be a root cause of the problem. It's not possible to determine both lower and upper bounds using a single Python version for projects that support multiple.
Lower bounds might need packages that still work with, e.g., Python 3.9, while upper bounds would need to include packages released, e.g., for Python 3.12/13/14 and later.

[1] https://github.com/jvesely/PsyNeuLink/actions/runs/25087254281/job/73505432560