This is an automated email from the ASF dual-hosted git repository.

rusackas pushed a commit to branch ci/dependabot-pip-versioning-strategy
in repository https://gitbox.apache.org/repos/asf/superset.git

commit 24909ac6ead198578f4c810e5c2216e0aa60126a
Author: Claude Code <[email protected]>
AuthorDate: Wed May 20 15:58:12 2026 -0700

    ci(deps): bump lower bound on pip dependabot PRs (versioning-strategy: 
increase)
    
    Follow-up to @villebro's review on #40186. Dependabot's default
    behavior for the pip ecosystem is to only *widen the upper bound* of
    constraints in `pyproject.toml`, leaving the lower bound at the
    old version forever. Over time the lower bound becomes meaningless
    because no installed environment ever resolves that low.
    
    Setting `versioning-strategy: increase` makes dependabot bump both
    sides of the range to the new version, e.g.
    `sqlglot>=28.10.0, <29` → `sqlglot>=30.8.0, <31` in one PR.
    
    Lockfile regeneration (`./scripts/uv-pip-compile.sh`) still needs a
    human or a separate hook — dependabot for pip doesn't auto-run uv —
    but the pyproject.toml side is now consistent with what's intended.
    
    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
---
 .github/dependabot.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5560dc56af6..590c64f29d9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -62,6 +62,11 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     open-pull-requests-limit: 10
+    # Bump the lower bound to the new version, not just widen the upper
+    # bound. Without this, a `sqlglot>=28.10.0, <29` constraint upgraded
+    # to `<30` would keep the stale lower bound forever, dragging
+    # transitively-resolved versions with it. See #40186 (review thread).
+    versioning-strategy: increase
     schedule:
       interval: "weekly"
     labels:

Reply via email to