pip-compile does not use the python version from the generated file header

[mbooz-rh]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

pip-compile

Package manager version

7.4.1

Language version

3.9, 3.13

Manifest location and content before the Dependabot update

/dev-requirements-py39.txt
/dev-requirements.in

dependabot.yml content

No response

Updated dependency

The following dependency is added to the python 3.9 lockfile, when it should be exluded based on python version:

• alabaster==1.0.0 ; python_version >= "3.10"

What you expected to see, versus what you actually saw

Expect dependabot to extract Python version from .txt lockfile's header and run pip-compile with that version #4216. The dev-requirements-py39.txt should exclude alabaster, as the dev-requirements.in file restricts it to python versions >= 3.10. Instead, pip-compile is run using Python3.13 for both lockfiles. This causes the package to be added, when it should be excluded from the lockfile.

Native package manager behavior

pip-compile excludes requirements from the .txt lockfiles that do not match the python version used to generate the lockfile.

python3.9 command:
bash pip-compile --generate-hashes --output-file=dev-requirements-py39.txt dev-requirements.in
python3.13 command:
bash pip-compile --generate-hashes --output-file=dev-requirements-py313.txt dev-requirements.in

Images of the diff or a link to the PR, issue, or logs

Relevant PRs:

• https://github.com/mbooz-rh/dependabot-test/pull/1/changes
• https://github.com/mbooz-rh/dependabot-test/pull/2/changes

Logs showing both manifests created with the same python version:

Smallest manifest that reproduces the issue

/dev-requirements-py39.txt
dev-requirements.in
requirements.in

[thavaahariharangit]

@mbooz-rh

Using the files you provided:

dev-requirements-py39.txt
dev-requirements.in
requirements.in

and the following Dependabot configuration: .github/dependabot.yml

version: 2
updates:
  - package-ecosystem: "pip" 
    directory: "/" 
    schedule:
      interval: "weekly"

I’m not able to reproduce the issue. The logs below show Dependabot running without any indication that Python 3.13 is being used:

I don’t see any reference to Python 3.13 in the output. Could you share more details about how you’re triggering the problem or any additional context that might help me reproduce it?

For internal ref: https://github.com/dsp-testing/pip-compile-python-version-on-header-not-respected-core-issue-14137/actions/runs/21860516679/job/63088139070

[thavaahariharangit]

@mbooz-rh

It looks like your repository includes this file:
https://github.com/mbooz-rh/dependabot-test/blob/main/dev-requirements-py313.txt

That lockfile is explicitly generated with Python 3.13, and it may be influencing the behavior you’re seeing. This could be the actual source of the issue rather than Dependabot defaulting to 3.13 on its own.

Just flagging this in case it helps narrow things down.

[thavaahariharangit]

@mbooz-rh

There are only three viable approaches,

1. Split them into separate directories (recommended + simplest)

/py39/dev-requirements.in
/py39/dev-requirements-py39.txt

/py313/dev-requirements.in
/py313/dev-requirements-py313.txt

Then configure Dependabot like this:

updates:
  - package-ecosystem: pip
    directory: "/py39"
    python-version: "3.9"
    schedule:
      interval: weekly

  - package-ecosystem: pip
    directory: "/py313"
    python-version: "3.13"
    schedule:
      interval: weekly

This is the only way to guarantee correct behavior today.

2. Use multiple Dependabot entries in the same directory (not supported)

Dependabot does not allow two pip update jobs pointing to the same directory with different Python versions.
So this option is not viable.

3. Remove the 3.13 lockfile if it’s not needed

If the 3.13 file is only for testing or experimentation, the simplest fix is:

• delete dev-requirements-py313.txt
• keep only the 3.9 lockfile

Then Dependabot will behave normally.