Skip to content

Fix: Scope registry URL resolution to per-requirements file #13947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Fix: Scope registry URL resolution to per-requirements file #13947

Copilot wants to merge 2 commits into from
+114 −1

Conversation

Copy link
Contributor

Copilot AI commented Jan 15, 2026
edited
Loading

What are you trying to accomplish?

Dependabot was resolving package versions globally across all requirements files, ignoring per-file --extra-index-url directives. When requirements_cpu.txt specified PyTorch's CPU index and requirements_gpu.txt specified the CUDA index, Dependabot would query both indexes, pick the highest version (e.g., 2.9.1+cu126), and apply it to both files—breaking the CPU build.

This change scopes registry URL collection to only the requirements files where each dependency actually appears.

Core change: PackageRegistryFinder#requirements_files now filters based on dependency.requirements instead of returning all requirements files.

# Before: returned all requirements files
def requirements_files
  dependency_files.select { |f| f.name.match?(/requirements/x) }
end

# After: returns only files where this dependency appears
def requirements_files
  requirement_file_names = dependency.requirements
                                     .map { |r| r[:file] }
                                     .select { |f| f.match?(/requirements/x) }
  
  return dependency_files.select { |f| f.name.match?(/requirements/x) } if requirement_file_names.empty?
  
  dependency_files.select { |f| requirement_file_names.include?(f.name) }
end

Anything you want to highlight for special attention from reviewers?

Backward compatibility is maintained for subdependencies (no requirements) by falling back to all requirements files when requirement_file_names is empty.

How will you know you've accomplished your goal?

Added test cases covering:

  • Dependency in requirements_cpu.txt only → uses CPU index exclusively
  • Dependency in requirements_gpu.txt only → uses GPU index exclusively
  • Dependency in both files → uses both indexes (multi-file dependency scenario)

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
Original prompt

This section details on the original issue you should resolve

<issue_title>Dependabot computes and applies updates globally instead of per requirements.txt file</issue_title>
<issue_description>### Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

pip

Package manager version

Not applicable, but pip 25.3

Language version

Python 3.10

Manifest location and content before the Dependabot update

/requirements_cpu.txt

--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.9.1+cpu

/requirements_gpu.txt

--extra-index-url https://download.pytorch.org/whl/cu126
torch==2.9.1+cu126

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      github-actions:
        patterns:
          - "*"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      python:
        patterns:
          - "*"

Updated dependency

/requirements_cpu.txt

--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.9.1+cu126

/requirements_gpu.txt

--extra-index-url https://download.pytorch.org/whl/cu126
torch==2.9.1+cu126

What you expected to see, versus what you actually saw

I expect no change, these were the latest versions already.

/requirements_cpu.txt

--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.9.1+cpu

/requirements_gpu.txt

--extra-index-url https://download.pytorch.org/whl/cu126
torch==2.9.1+cu126

In particular, this breaks:

--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.9.1+cu126

This index https://download.pytorch.org/whl/cpu does not contain 2.9.1+cu126, it contains 2.9.1+cpu.

Native package manager behavior

The --extra-index-url affects the whole requirements file, but each requirements file is separate.

https://pip.pypa.io/en/stable/cli/pip_install/#install-extra-index-url

Images of the diff or a link to the PR, issue, or logs

Excerpt from the logs:

updater | 2026/01/05 17:30:07 INFO <job_1199538694> Checking if torch 2.9.1+cpu needs updating
updater | 2026/01/05 17:30:07 INFO <job_1199538694> Fetching release information from json registry at https://pypi.org/pypi/ for torch
  proxy | 2026/01/05 17:30:07 [083] GET https://pypi.org/pypi/torch/json
  proxy | 2026/01/05 17:30:07 [083] 200 https://pypi.org/pypi/torch/json
updater | 2026/01/05 17:30:07 INFO <job_1199538694> Fetching release information from json registry at https://download.pytorch.org/whl/cpu/ for torch
  proxy | 2026/01/05 17:30:07 [085] GET https://download.pytorch.org/whl/cpu/torch/json
  proxy | 2026/01/05 17:30:07 [085] 403 https://download.pytorch.org/whl/cpu/torch/json
updater | 2026/01/05 17:30:07 WARN <job_1199538694> No valid versions found via JSON API. Falling back to HTML.
2026/01/05 17:30:07 INFO <job_1199538694> Fetching release information from html registry at https://download.pytorch.org/whl/cpu/ for torch
  proxy | 2026/01/05 17:30:07 [087] GET https://download.pytorch.org/whl/cpu/torch/
  proxy | 2026/01/05 17:30:07 [087] 200 https://download.pytorch.org/whl/cpu/torch/
updater | 2026/01/05 17:30:08 INFO <job_1199538694> Fetching release information from json registry at https://download.pytorch.org/whl/cu126/ for torch
  proxy | 2026/01/05 17:30:08 [089] GET https://download.pytorch.org/whl/cu126/torch/json
  proxy | 2026/01/05 17:30:08 [089] 403 https://download.pytorch.org/whl/cu126/torch/json
updater | 2026/01/05 17:30:08 WARN <job_1199538694> No valid versions found via JSON API. Falling back to HTML.
2026/01/05 17:30:08 INFO <job_1199538694> Fetching release information from html registry at https://download.pytorch.org/whl/cu126/ for torch
  proxy | 2026/01/05 17:30:08 [091] GET https://download.pytorch.org/whl/cu126/torch/
  proxy | 2026/01/05 17:30:08 [091] 200 https://download.pytorch.org/whl/cu126/torch/
updater | 2026/01/05 17:30:08 INFO <job_1199538694> Latest version is 2.9.1+cu126

Actual PR: keras-team/keras#21983

Full log: https://github.com/keras-team/keras/actions/runs/20723600023/job/59493606324

The logs show that dependabot resolves the latest version of torch globally by looking at both https://download.pytorch.org/whl/cpu and https://download.pytorch.org/whl/cu126 and combining the versions found. Because cu126 > cpu is infers that 2.9.1+cu126 is the latest version and applies that to both requirement files.

However, the correct behavior is:

  • within the scope of requirements_cpu.txt, resolve the latest torch version from https://download.pytorch.org/whl/cpu, which is 2.9.1+cpu, and apply that to requirements_cpu.txt only
  • within the scope of requirements_gpu.txt, resolve the latest torch version from https://download.pytorch.org/whl/cu126, whi...

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@a-schur
Fix: Scope registry URL resolution to per-requirements-file
ff92a32 
Filter requirement files in PackageRegistryFinder to only include files where the
dependency appears, preventing global version resolution across all requirements files.

This fixes the issue where dependencies with different --extra-index-url settings
in separate requirements files would incorrectly receive the same "latest" version
determined globally rather than per-file.

Co-authored-by: a-schur <[email protected]>
Copilot AI changed the title [WIP] Fix Dependabot to compute updates per requirements.txt file Fix: Scope registry URL resolution to per-requirements file Jan 15, 2026
Copilot AI requested a review from a-schur January 15, 2026 18:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@a-schur a-schur Awaiting requested review from a-schur

At least 1 approving review is required to merge this pull request.

Assignees

Copilot code review Copilot

@a-schur a-schur

Labels

L: python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dependabot computes and applies updates globally instead of per requirements.txt file

2 participants

@a-schur