A little Dependabot help

March 3, 2026, 8:21pm 1

I’m trying to wrap my head around the dependabot stuff. I have this dependabot.yml file in one repo:

version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 14

I understand the schedule and cooldown stuff (which is what sent me down this rabbit hole), but I can’t understand the directory inside the package-ecosystem block. If I’ve given pip as the ecosystem, will dependabot know to look in and parse pyproject.toml? The python/cpython repo has both pip and github-actions ecosystems. I don’t understand why pip/directory is set to "/Tools/". Does it know to consider the requirements-*.txt files, or does it simply scan everything looking for patterns which smell like dependencies?

sirosen (Stephen Rosen) March 3, 2026, 9:19pm 2

I believe that the answer is “yes”, in that requirements(-.*)?\.txt smells like python dependencies. :grin:

They support all of the standard fields inside of pyproject.toml, as well as some common-but-not-standard formats, like requirements.txt, setup.cfg, poetry.lock, uv.lock, etc.

Your intuition here is correct. The directory path is setting the scope of Dependabot activity to a specific subdir, where it will look for anything that it recognizes as being in the Python ecosystem.


David has written a bit about how and why he moved off of Dependabot entirely and maintains gha-update for handling GitHub Actions updates.

I still feel ambivalent enough that I haven’t dropped dependabot. It’s very nice for some work projects because it will surface things like dependencies buried deep in a repo, in an easily missed requirements.txt.
But it’s worth being aware that you can produce more notifications than are really useful.

Two notes which may help:

  1. Consider setting a longer interval than “weekly”
  2. Try using “grouped updates” (I forget the syntax offhand)
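Putting the thread's advice together as an added example (this is not either poster's configuration): one dependabot.yml covering the two ecosystems the python/cpython repo uses, with the pip updater scoped to a subdirectory, a monthly interval, the cooldown from the question, and grouped updates so each ecosystem yields one pull request per run instead of one per dependency. The `/Tools` path is taken from the question; the group names are arbitrary.

```yaml
# Added example dependabot.yml (not from the thread). It shows:
#   - directory scoping: the pip updater only inspects manifests under /Tools
#   - a longer interval than weekly, plus the cooldown from the question
#   - grouped updates: one PR per group rather than one PR per dependency
version: 2
updates:
  - package-ecosystem: "pip"
    # Only Python manifests under this path (requirements*.txt,
    # pyproject.toml, ...) are considered; dependencies declared
    # elsewhere in the repository are not touched by this entry.
    directory: "/Tools"
    schedule:
      interval: "monthly"
    cooldown:
      # Wait 14 days after a release before proposing it.
      default-days: 14
    groups:
      # All minor and patch bumps across every pip dependency land in
      # a single PR. Major bumps fall outside the group, so they still
      # arrive, but each as its own PR for individual review.
      python-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  - package-ecosystem: "github-actions"
    # For the github-actions ecosystem, "/" means the default
    # .github/workflows location.
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      # One PR per run for all action version bumps.
      actions:
        patterns:
          - "*"
```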