build(deps): bump requests from 2.25.1 to 2.33.0 in /src/test/resources/tst_manifests/pip/pip_pyproject_toml_uv_ignore#441
Closed
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [requests](https://github.com/psf/requests) from 2.25.1 to 2.33.0. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.25.1...v2.33.0) --- updated-dependencies: - dependency-name: requests dependency-version: 2.33.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Contributor
Test Results358 tests 357 ✅ 1m 57s ⏱️ For more details on these failures, see this check. Results for commit 6b7ab5a. |
3 tasks
Collaborator
|
Closing: dependabot config updated in #448 to suppress test fixture updates. |
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
Bot
deleted the
dependabot/uv/src/test/resources/tst_manifests/pip/pip_pyproject_toml_uv_ignore/requests-2.33.0
branch
ruromero
added a commit
that referenced
this pull request
Apr 30, 2026
## Summary
- Add root-level `ignore: [{dependency-name: "*"}]` for the uv ecosystem
(missed in PR #431)
- Remove redundant per-directory entries for ecosystems covered by
root-level ignore-all
- Replace `/**` glob patterns with explicit directory listings for maven
test fixtures
- Add test fixture dependabot guidance to CONVENTIONS.md
## Context
PR #431 added root-level ignore-all for npm, pip, gomod, gradle, cargo
but missed `uv`, causing Dependabot to create security PRs for
pyproject.toml files in test fixtures (#439, #440, #441). Glob patterns
are replaced with explicit paths since `/**` doesn't reliably match
nested subdirectories for security updates.
## Test plan
- [ ] Verify uv security PRs (#439, #440, #441) are closed by Dependabot
- [ ] Verify no new security PRs appear for test fixture directories
- [ ] Verify production maven dependency updates still work normally
🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary by Sourcery
Update Dependabot configuration to correctly suppress updates for test
fixtures while preserving production maven updates, and document project
coding and Dependabot conventions.
Bug Fixes:
- Add root-level ignore-all entry for the uv ecosystem so Dependabot
does not open security PRs for uv-based test fixtures.
Enhancements:
- Simplify Dependabot configuration by relying on root-level ignore-all
entries for non-maven ecosystems and consolidating cargo configuration.
- Restrict Dependabot handling of maven test fixtures to an explicit
list of fixture directories to ensure they are not updated while keeping
production maven updates active.
CI:
- Adjust .github/dependabot.yml to correct ecosystem entries and
explicitly list maven test fixture directories for suppression.
Documentation:
- Add CONVENTIONS.md to document coding standards, dependencies, and
guidance for managing Dependabot suppression of test fixtures.
---------
Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps requests from 2.25.1 to 2.33.0.
Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
bc04dfdv2.33.066d21cbMerge commit from fork8b9bc8fMove badges to top of README (#7293)e331a28Remove unused extraction call (#7292)753fd08docs: fix FAQ grammar in httplib2 example774a0b8docs(socks): same block as other sections9c72a41Bump github/codeql-action from 4.33.0 to 4.34.1ebf7190Bump github/codeql-action from 4.32.0 to 4.33.00e4ae38docs: exclude Response.is_permanent_redirect from API docs (#7244)d568f47docs: clarify Quickstart POST example (#6960)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.