
Impossible resolution situation in dependabot job because dependencies are updated individually #13712

@Zippy1999

Description


Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

uv

Package manager version

uv

Language version

python

Manifest location and content before the Dependabot update

A problem occurred in a recent update job. I have two dependencies in pyproject.toml

boto3~=1.42.0
botocore~=1.41.6

Dependabot calculates that both of these can be updated:

2025-12-05T03:08:48.8565536Z updater | 2025/12/05 03:08:48 INFO <job_1174765640> Creating dependency change for boto3 (1.42.3)
2025-12-05T03:09:57.6295910Z updater | 2025/12/05 03:09:57 INFO <job_1174765640> Creating dependency change for botocore (1.42.3)

Dependabot appears to update each dependency one by one, not all together, so when it tries to update boto3:

uv sync
  × No solution found when resolving dependencies:
  ╰─▶ Because only boto3<=1.42.3 is available and boto3==1.42.3 depends on botocore>=1.42.3,<1.43.0, we can conclude that boto3>=1.42.3 depends on botocore>=1.42.3,<1.43.0.
      And because your project depends on boto3>=1.42.3 and botocore>=1.41.6,<1.42.dev0, we can conclude that your project's requirements are unsatisfiable.

and the entire job fails.

If I manually update both boto3 AND botocore at the same time to 1.42.3 and run uv sync, the uv.lock file is updated with no issues.

This leaves dependabot in an unusable state for our purposes. Our team does not want to loosen the dependencies in the files to allow a bigger range.

Can the job be changed so that all discovered updates are applied at the same time and not one by one?

dependabot.yml content

multi-ecosystem-groups:
  xxx:
    open-pull-requests-limit: 1
    schedule:
      interval: weekly
      day: "friday"
      time: "03:00"
    commit-message:
      prefix: '(xxx '

updates:
  - package-ecosystem: uv
    directory: /xxx
    insecure-external-code-execution: allow
    patterns:
      - '*'
    registries:
      - artifactory-pypi
    multi-ecosystem-group: xxx
    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major" ]
      - dependency-name: marshmallow
      - dependency-name: marshmallow-oneofschema
      - dependency-name: aioresponses

Updated dependency

No response

What you expected to see, versus what you actually saw

Both packages updated at the same time without a conflict because both final package versions being updated are compatible with each other.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
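The resolution failure described in the issue, reproduced offline as an added example that is not part of the original issue and is not Dependabot or uv code. It expands PEP 440 compatible-release pins (`~=`) the same way uv printed them in the error (`botocore~=1.41.6` becomes `>=1.41.6,<1.42`) and then searches for one version per dependency that satisfies both the project's pins and the chosen packages' own requirements. The `boto3 == 1.42.3 -> botocore >=1.42.3,<1.43.0` requirement is taken from the uv message above; the candidate version list and the exact form of the bumped pin (`~=1.42.3`, the message only shows the lower bound) are assumptions.

```python
"""Why a one-at-a-time bump of boto3 is unsatisfiable while a grouped bump is not.

Constructed example; not Dependabot or uv code. The only real data is the
boto3 1.42.3 -> botocore requirement quoted in the uv error message.
"""
from __future__ import annotations

import itertools
import re

Version = tuple[int, ...]
# package -> version -> {dependency: specifier}
Index = dict[str, dict[str, dict[str, str]]]


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Version, b: Version) -> tuple[Version, Version]:
    """PEP 440 treats 1.42 and 1.42.0 as equal, so compare zero-padded tuples."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


_OPS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"\s*(~=|==|>=|<=|>|<)\s*([0-9.]+)\s*")


def parse_specifier(spec: str) -> list[tuple[str, Version]]:
    """Split '>=1.42.3,<1.43.0'-style text into (op, version) clauses.

    The compatible-release operator '~=X.Y.Z' means '>=X.Y.Z,<X.(Y+1)': drop the
    last component and bump the one before it. That is exactly how uv rendered
    'botocore~=1.41.6' as 'botocore>=1.41.6,<1.42.dev0' in the issue.
    """
    clauses: list[tuple[str, Version]] = []
    for chunk in spec.split(","):
        match = _CLAUSE.fullmatch(chunk)
        if match is None:
            raise ValueError(f"bad specifier clause: {chunk!r}")
        op, ver = match.group(1), parse_version(match.group(2))
        if op == "~=":
            if len(ver) < 2:
                raise ValueError("~= needs at least two version components")
            clauses.append((">=", ver))
            clauses.append(("<", ver[:-2] + (ver[-2] + 1,)))
        else:
            clauses.append((op, ver))
    return clauses


def satisfies(version: Version, spec: str) -> bool:
    return all(_OPS[op](*_pad(version, bound)) for op, bound in parse_specifier(spec))


def resolve(project: dict[str, str], index: Index) -> dict[str, str] | None:
    """Exhaustively try one version per project dependency (highest first) and
    return the first assignment that satisfies the project's pins and every
    chosen version's declared requirements, or None if no assignment does."""
    names = sorted(project)
    candidates = [sorted(index[n], key=parse_version, reverse=True) for n in names]
    for combo in itertools.product(*candidates):
        chosen = dict(zip(names, combo))
        pins_ok = all(satisfies(parse_version(v), project[n]) for n, v in chosen.items())
        deps_ok = all(
            dep in chosen and satisfies(parse_version(chosen[dep]), dep_spec)
            for n, v in chosen.items()
            for dep, dep_spec in index[n][v].items()
        )
        if pins_ok and deps_ok:
            return chosen
    return None


# Constructed index. The boto3 requirement is the one uv reported; the set of
# available botocore versions is an assumption.
INDEX: Index = {
    "boto3": {"1.42.3": {"botocore": ">=1.42.3,<1.43.0"}},
    "botocore": {"1.41.6": {}, "1.42.3": {}},
}


def step_by_step() -> dict[str, str] | None:
    """Dependabot's first step: only boto3 bumped, botocore still pinned to 1.41.x."""
    return resolve({"boto3": "~=1.42.3", "botocore": "~=1.41.6"}, INDEX)


def grouped() -> dict[str, str] | None:
    """Both pins moved in one change, as the manual 'uv sync' in the issue did."""
    return resolve({"boto3": "~=1.42.3", "botocore": "~=1.42.3"}, INDEX)


if __name__ == "__main__":
    print("~=1.41.6 expands to", parse_specifier("~=1.41.6"))
    print("boto3 alone bumped :", step_by_step())
    print("both bumped        :", grouped())
```

`step_by_step()` returns `None` because the project's `botocore` window `[1.41.6, 1.42)` and boto3 1.42.3's window `[1.42.3, 1.43)` are disjoint, which is the same conclusion uv printed; `grouped()` finds `boto3 1.42.3` with `botocore 1.42.3`. The search is brute force over a two-package index, so it illustrates the constraint logic rather than uv's resolver algorithm.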
