Is there an existing issue for this?
Package ecosystem
uv
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
version: 2
registries:
  private-registry:
    type: python-index
    ** SECRET **
updates:
  - package-ecosystem: "uv"
    directory: "/"
    versioning-strategy: lockfile-only
    schedule:
      interval: "daily"
    groups:
      uv-development:
        dependency-type: development
      uv-production:
        dependency-type: production
    registries:
      - private-registry
    commit-message:
      prefix: "[BUILD] dependabot:"
Updated dependency
No response
What you expected to see, versus what you actually saw
Note: This has been happening for all packages and repos for a couple of days.
What do I see?
A new CVE is issued; dependabot tries to find an update and then errors with:
Dependabot cannot update langchain-openai to a non-vulnerable version
The latest possible version of langchain-openai that can be installed is 1.1.14.
The earliest fixed version is 1.1.14.
In the log it is shown like this:
+-----------------------------------------------------------------------------+
|                                   Errors                                    |
+------------------------------+----------------------------------------------+
| Type                         | Details                                      |
+------------------------------+----------------------------------------------+
| security_update_not_possible | {                                            |
|                              |   "dependency-name": "langchain-openai",     |
|                              |   "latest-resolvable-version": "1.1.14",     |
|                              |   "lowest-non-vulnerable-version": "1.1.14", |
|                              |   "conflicting-dependencies": []             |
|                              | }                                            |
+------------------------------+----------------------------------------------+
What do I expect?
Since the earliest fixed version is 1.1.14 and this version is indeed available and resolvable, it should create a PR.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response