Is there an existing issue for this?
Feature description
Allow `versioning-strategy: widen` to be specified explicitly in `dependabot.yml` for the `uv` and `pip` ecosystems.
Current behavior
The `dependabot.yml` schema validation rejects `widen` for `uv` and `pip`:

```
The property '#/updates/N/versioning-strategy' value "widen" did not match one of the following values:
lockfile-only, auto, increase, increase-if-necessary
```

`widen` IS already exposed for other ecosystems (e.g. `bundler`, `npm`, `composer`), so the inconsistency is specific to `uv` and `pip`.
Internal implementation already exists
The `widen_ranges` strategy is implemented in dependabot-core for both ecosystems:

- `uv/lib/dependabot/uv/update_checker/requirements_updater.rb` (covered by `widen_ranges` specs)
- `python/lib/dependabot/python/update_checker/requirements_updater.rb` (same)

It is reachable today only through `versioning-strategy: auto`, which resolves to `widen_ranges` when the project is detected as a library. Users have no way to opt into widen behavior explicitly.
Why explicit `widen` matters
- Parity with other ecosystems. `widen` is part of the documented strategy set; users reasonably expect it to be available across ecosystems where the underlying strategy is implemented.
- Explicit configuration over heuristic detection. `auto` relies on `library?` to decide between `widen_ranges` and `bump_versions`. Library detection (`library?` in `uv/lib/dependabot/uv/update_checker.rb` and the equivalent in `python/lib/dependabot/python/update_checker.rb`) compares the local package name and description against PyPI. This works for most public packages, but is opaque, can misclassify, and fails entirely when:
  - The package is not published to PyPI (private / internal libraries, monorepo SDKs).
  - PyPI is temporarily unreachable.
  - Local and PyPI summary metadata diverge.
- Predictability for library authors. A maintainer of a library wants `widen` regardless of whether `auto`'s heuristics happen to classify the project correctly. Explicit configuration removes that fragility.
Proposed change
Add `widen` to the list of accepted `versioning-strategy` values for `uv` and `pip` in the `dependabot.yml` schema validation (the schema enforced by `dependabot-api.githubapp.com`).
No change to the underlying `widen_ranges` implementation is required.
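An added example of the configuration this proposes (not taken from the issue or from dependabot-core): the first `updates` entry is the only way to reach `widen_ranges` today, the second is the explicit form the schema currently rejects and would accept after the change; the directories and schedule are assumed values.

```yaml
# .github/dependabot.yml (added example; directories and schedule are assumed)
version: 2
updates:
  # Today: for pip/uv, widen_ranges is reachable only via "auto", which
  # silently falls back to bump_versions whenever PyPI-based library
  # detection fails (private package, PyPI outage, diverging metadata).
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    versioning-strategy: "auto"

  # Proposed: opt into widen explicitly, independent of library detection.
  # The current schema rejects this entry with:
  #   value "widen" did not match one of the following values:
  #   lockfile-only, auto, increase, increase-if-necessary
  - package-ecosystem: "uv"
    directory: "/packages/internal-sdk"
    schedule:
      interval: "weekly"
    versioning-strategy: "widen"
```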
Related
- `versioning-strategy` has changed #14702 — shows that `widen_ranges` is the intended behavior for python libraries via `auto`, but is gated on PyPI-based library detection.
Thank you for considering this.