Support requirements[-dev].lock used by rye #9368

Open
1 task done
tmke8 opened this issue Mar 26, 2024 · 15 comments
Labels
L: git:submodules Git submodules L: python T: feature-request Requests for new features

Comments

@tmke8

tmke8 commented Mar 26, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

Rye uses pip-compile to create the lock files requirements.lock and requirements-dev.lock. These lock files have the same format as a requirements.txt file (with some additional comments).

Adding support for these should be as simple as enabling requirements.lock as an alternative name for requirements.txt.

@evanbernstein

I too would love to know about the status of this. I'd love to use rye instead of pip or pipenv but Dependabot not working is a big problem.

@vladjohnson

Would really appreciate resolution of this issue!

@daveisfera

Would love to see this supported as well, because currently the upgrade process ignores requirements.lock files and only upgrades requirements.txt files.

To add details, we define our direct dependencies in requirements.txt and then use pip-compile to generate requirements.lock which we use to actually install them. This allows us to have a simple specification of what we directly use that can be easily reviewed and used by existing tools, while having specific/detailed versions locked down for the packages that we're using.

It provides a nice use case like package.json and yarn.lock or package-lock.json from node and means that existing tools can work on the simpler version of requirements.txt (and also conveniently works around a bug with PyCharm and the other IntelliJ IDEs).

@daveisfera

Wanted to follow up that pip-tools views the PyCharm/IntelliJ bug as a security issue and highly recommends using .in with .txt and that using a .lock is only creating another set of problems, so I'd recommend that dependabot stick with its current support.

@webknjaz

@daveisfera FYI Dependabot recognizes .in + .txt pairs out of the box. It's not very prominently documented, but it's been supported for as long as I can remember. Probably way before GH acquired Dependabot.

@webknjaz

As for supporting proper lock files, it's best to target supporting https://peps.python.org/pep-0751/ eventually.

@evanbernstein

> As for supporting proper lock files, it's best to target supporting https://peps.python.org/pep-0751/ eventually.

Someone else has filed support for https://peps.python.org/pep-0735/ in #10847

@webknjaz

@evanbernstein that's good. Dependency groups are great. However, they are orthogonal to lock files.

@FabianClemenz

Does anyone have a workaround for this? Maybe generating plain requirements.txt to get Dependabot working?

I'm currently using Rye and will only switch to UV if the switch by astral-sh is done.

@vladjohnson

@FabianClemenz probably better to switch to uv

@evanbernstein

Does uv have support from Dependabot? I'll consider switching if it does.

@tmke8
Author

tmke8 commented Dec 3, 2024

There is a PR for it: #10040, but it seems to have stalled.

@webknjaz

webknjaz commented Dec 3, 2024

In my experience, contributing to GitHub-owned repos may take many months for things to get reviewed. Closer to a year, sometimes.

@FabianClemenz

@vladjohnson dependabot does not support uv - so why is switching better?

@FabianClemenz

I created a simple custom workflow to help us until rye or uv is fully supported:

https://github.com/devsuit-berlin/rye-update-bot
