Is there an existing issue for this?
Package ecosystem
pip
Package manager version
No response
Language version
Python 3.11
Manifest location and content before the Dependabot update
pypi/warehouse@ccabe51 (#15760)
dependabot.yml content
https://github.com/pypi/warehouse/blob/ba4e38c298a9d807044db563bd9385caa6017f56/.github/dependabot.yml
Updated dependency
idna from 3.6 to 3.7
What you expected to see, versus what you actually saw
When regular dependabot updates come in, they appear to run pip-compile from the root of the repo.
When dependabot is running a security update, it appears that pip-compile is being run in the requirements/ subdirectory, removing the path prefixes from the resulting txt file, adding to merge conflicts and line churn.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
dependabot's security update: pypi/warehouse@ccabe51 (#15760)
action taken to restore paths: pypi/warehouse@d99e287 (#15760)
Smallest manifest that reproduces the issue
No response
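The path-prefix churn the report describes is visible in the comment annotations pip-compile writes into the compiled file: the recorded command line and each `# via -r <input>` reference carry whatever path was passed on the command line, so a run from inside requirements/ records `main.in` where a run from the repository root records `requirements/main.in`. The following check, an added example that is not part of the issue and not code from dependabot or pip-tools, parses those annotations from two constructed sample outputs and flags any `-r` reference that lacks the expected directory prefix. The sample file contents, the hash values and the assumed prefix "requirements/" are constructed for the example; the header layout follows pip-compile's "autogenerated ... by the following command" format.

```python
"""Detect pip-compile output whose path annotations lost their directory prefix.

Added example (not from the issue, dependabot or pip-tools). It parses the
comment annotations that pip-compile writes into a compiled requirements file
and reports `-r` references that do not start with the directory the file is
expected to be compiled from (assumed here to be "requirements/").
"""
import re
from typing import List

# Constructed sample: what pip-compile emits when run from the repository root.
COMPILED_FROM_ROOT = """\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --generate-hashes --output-file=requirements/main.txt requirements/main.in
#
idna==3.7 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
    # via
    #   -r requirements/main.in
    #   requests
requests==2.31.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
    # via -r requirements/main.in
"""

# Constructed sample: the same file when pip-compile is run inside requirements/.
COMPILED_FROM_SUBDIR = """\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --generate-hashes --output-file=main.txt main.in
#
idna==3.7 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
    # via
    #   -r main.in
    #   requests
requests==2.31.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
    # via -r main.in
"""

# `# via -r path` on one line, or `#   -r path` under a multi-line `# via` block.
_VIA_REF = re.compile(r"^\s*#\s*(?:via\s+)?-r\s+(\S+)")
# The command line pip-compile records in the file header.
_CMD_LINE = re.compile(r"^#\s+pip-compile\s+(.*)$")


def input_file_refs(text: str) -> List[str]:
    """Return every `-r <path>` referenced in the `# via` annotations, in order."""
    refs = []
    for line in text.splitlines():
        m = _VIA_REF.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def compile_command(text: str) -> str:
    """Return the pip-compile arguments recorded in the header, or '' if absent."""
    for line in text.splitlines():
        m = _CMD_LINE.match(line)
        if m:
            return m.group(1)
    return ""


def unprefixed_refs(text: str, expected_prefix: str = "requirements/") -> List[str]:
    """`-r` references that lack the expected directory prefix.

    An empty list means the file was compiled from the expected working
    directory; anything else is the prefix loss the issue describes, and a CI
    job can fail on it before the churn reaches a merge.
    """
    return [r for r in input_file_refs(text) if not r.startswith(expected_prefix)]


if __name__ == "__main__":
    for label, text in [("root", COMPILED_FROM_ROOT), ("subdir", COMPILED_FROM_SUBDIR)]:
        print(f"{label}: command={compile_command(text)!r} "
              f"unprefixed={unprefixed_refs(text)}")
```

Running it reports no unprefixed references for the root-compiled sample and two (`main.in`, once per package) for the subdirectory-compiled one; the recorded command line shows the same difference in its `--output-file` and input arguments, which is the quickest way to tell from a PR diff which working directory the update ran in.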