Dependabot's security update job is failing on master for pytest:
I checked the root cause against current master (b32338d3):
- Root
pyproject.toml declares python = "^3.9".
pytest 9.0.3 declares requires_python = ">=3.10" on PyPI.
- The release workflow still builds ActivityWatch artifacts with
python_version: [3.9].
ActivityWatch/activitywatch#1321 already raised the floor from 3.8 to 3.9 and explicitly noted that the pytest security update remained unresolved after that.
So this is not a flaky Actions failure and not something Dependabot can solve while the repo still advertises Python 3.9 support.
Likely choices:
- Move the project/release build floor to Python 3.10+ and refresh the Poetry lock so pytest can resolve to 9.x.
- Keep Python 3.9 for now and explicitly ignore or accept this dev-dependency Dependabot alert until the Python floor moves.
I did not open a PR because option 1 is a release/support-policy change, and option 2 is a security-policy choice. The monitoring fix here is to track the decision instead of silently letting the same Dependabot job keep failing.
Refs:
Dependabot's security update job is failing on
masterforpytest:pip in /. for pytest - Update #1444291176security_update_not_possiblepytestis8.4.2, while the security advisory wants9.0.3.I checked the root cause against current
master(b32338d3):pyproject.tomldeclarespython = "^3.9".pytest 9.0.3declaresrequires_python = ">=3.10"on PyPI.python_version: [3.9].ActivityWatch/activitywatch#1321already raised the floor from 3.8 to 3.9 and explicitly noted that the pytest security update remained unresolved after that.So this is not a flaky Actions failure and not something Dependabot can solve while the repo still advertises Python 3.9 support.
Likely choices:
I did not open a PR because option 1 is a release/support-policy change, and option 2 is a security-policy choice. The monitoring fix here is to track the decision instead of silently letting the same Dependabot job keep failing.
Refs:
ignorecan apply to version and security updates: https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#ignoring-specific-dependencies