After migrating a project to uv, I noticed Dependabot PRs were still being created but CI was failing. Dependabot was updating pyproject.toml but not regenerating uv.lock, so the lockfile was out of sync. Here’s how I got it working.
## Basic setup
Create .github/dependabot.yml:
```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      python-packages:
        patterns:
          - "*"
```
The groups section batches updates into single PRs - much better than 20 individual PRs.
## My grouping strategy
I typically group by risk level:
```yaml
groups:
  # Low risk - merge without much review
  minor-and-patch:
    patterns:
      - "*"
    update-types:
      - "minor"
      - "patch"
  # Higher risk - review more carefully
  major:
    patterns:
      - "*"
    update-types:
      - "major"
```
This gives me one PR for minor updates (usually safe to merge) and separate PRs for major version bumps (need changelog review).
## Regenerating uv.lock
For uv specifically, Dependabot reads pyproject.toml but doesn’t update uv.lock. Add this to your CI:
```yaml
- name: Update lockfile
  run: |
    uv lock
    git diff --exit-code uv.lock || echo "::warning::uv.lock needs updating"
```
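The CI step above only tells you that `uv lock` would change something; it does not tell you *what* drifted. As an added example (my own code, not part of the original post or of uv), the script below performs the same check offline by comparing the `[project].dependencies` declared in `pyproject.toml` against the `requires-dist` that uv records for the root package in `uv.lock`. It reports the exact package and constraints that disagree, which is what you want to see in a Dependabot PR review. The `PYPROJECT` and `UV_LOCK` strings are constructed sample inputs that mimic the two files' layout; `PYPROJECT_AFTER_DEPENDABOT` simulates Dependabot bumping one constraint without regenerating the lockfile.

```python
"""Detect a uv.lock that has drifted from pyproject.toml (added example).

When Dependabot edits a version constraint in pyproject.toml but leaves
uv.lock untouched, the root package's recorded `requires-dist` in uv.lock
no longer matches the declared dependencies. This compares the two
without running uv at all, so it works offline and in a plain CI step.
"""
import re
import sys

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover - older interpreters
    import tomli as tomllib  # type: ignore

# Splits a PEP 508 requirement into name, optional extras, and the rest
# (specifier up to any `;` marker). Sufficient for Dependabot-style
# constraints such as `requests>=2.31` or `httpx[http2]>=0.27,<1`.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*)")


def _norm_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of `-_.` become `-`."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _norm_spec(spec: str) -> str:
    """Ignore whitespace differences between the two files."""
    return spec.replace(" ", "").strip()


def declared_dependencies(pyproject_text: str) -> dict[str, str]:
    """Map normalised name -> specifier from [project].dependencies."""
    data = tomllib.loads(pyproject_text)
    result: dict[str, str] = {}
    for req in data.get("project", {}).get("dependencies", []):
        m = _REQ_RE.match(req)
        if not m:
            raise ValueError(f"unparseable requirement: {req!r}")
        result[_norm_name(m.group(1))] = _norm_spec(m.group(3))
    return result


def locked_dependencies(lock_text: str) -> dict[str, str]:
    """Map normalised name -> specifier recorded for the root package in uv.lock.

    uv stores the project's own declared requirements under the root
    package's [package.metadata] requires-dist; the root package is the
    one whose source is the project directory itself.
    """
    data = tomllib.loads(lock_text)
    for pkg in data.get("package", []):
        src = pkg.get("source", {})
        if src.get("editable") == "." or src.get("virtual") == ".":
            requires = pkg.get("metadata", {}).get("requires-dist", [])
            return {_norm_name(r["name"]): _norm_spec(r.get("specifier", "")) for r in requires}
    raise ValueError("no root package found in uv.lock")


def lock_drift(pyproject_text: str, lock_text: str) -> list[str]:
    """One human-readable line per mismatch; an empty list means in sync."""
    declared = declared_dependencies(pyproject_text)
    locked = locked_dependencies(lock_text)
    problems: list[str] = []
    for name in sorted(declared.keys() | locked.keys()):
        want, have = declared.get(name), locked.get(name)
        if want is None:
            problems.append(f"{name}: in uv.lock but no longer in pyproject.toml")
        elif have is None:
            problems.append(f"{name}: in pyproject.toml but missing from uv.lock")
        elif want != have:
            problems.append(f"{name}: pyproject.toml wants {want!r}, uv.lock records {have!r}")
    return problems


# Constructed sample inputs (not real project files).
PYPROJECT = """
[project]
name = "demo"
version = "0.1.0"
dependencies = ["requests>=2.31", "httpx[http2]>=0.27,<1"]
"""

UV_LOCK = """
version = 1
requires-python = ">=3.11"

[[package]]
name = "demo"
version = "0.1.0"
source = { virtual = "." }

[package.metadata]
requires-dist = [
    { name = "httpx", extras = ["http2"], specifier = ">=0.27,<1" },
    { name = "requests", specifier = ">=2.31" },
]

[[package]]
name = "requests"
version = "2.31.0"
source = { registry = "https://pypi.org/simple" }
"""

# Simulates Dependabot bumping a constraint without touching uv.lock.
PYPROJECT_AFTER_DEPENDABOT = PYPROJECT.replace("requests>=2.31", "requests>=2.32")


if __name__ == "__main__":
    # Run in a checked-out repo: exits non-zero on drift, like `git diff --exit-code`.
    with open("pyproject.toml") as f, open("uv.lock") as g:
        found = lock_drift(f.read(), g.read())
    print("\n".join(found) or "uv.lock is in sync with pyproject.toml")
    sys.exit(1 if found else 0)
```

Running the script in the project root gives a non-zero exit on drift, so it can replace the `git diff --exit-code` line when you want the failing package named in the job log. It deliberately compares only the root package's declared constraints, not the resolved versions of transitive packages; those are what `uv lock` recomputes, and the script's job is only to tell you that regeneration is still pending.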
## Reviewing Dependabot PRs
My process:
- Check CI passes (obvious)
- Skim the changelog for breaking changes
- For major updates: read migration guides
- Merge minor/patch updates quickly, don’t let them pile up
## Other options
Ignore certain packages:
```yaml
ignore:
  - dependency-name: "some-package"
    update-types: ["version-update:semver-major"]
```
Open PRs against a specific branch:
```yaml
target-branch: "develop"
```
Limit open PRs:
```yaml
open-pull-requests-limit: 5
```
## Further reading
- Dependabot configuration options - all available settings
- Running scripts with uv - uv basics and tools
- uv documentation - comprehensive guide