Can I limit dependabot to only open PRs when items in requirements txt have related CVE?

[YesThatAllen]

Select Topic Area

Question

Body

I've got dependabot configured in a private repo, where it's scanning our requirements txt file and generating PRs for outdated modules.

fwiw, the file isn't named requirements.txt rather, pip-reqs.txt but dependabot didn't have a problem finding it so long as we included directory: "/Resources/Python-framework-tool".

The issue we face is that there are 100+ pyobjc-* modules which are out of date from the current v10 which most have.

The PRs to bump pyobjc-[whichver] don't reference any CVE.. they feel like suggestions to update for the sake of updating.

I suppose I can ignore those and maybe dependabot will eventually get to some modules which have related CVE, but I wonder.. can I make an adjustment our current file which would say "only create an alert if the upgrade would fix a known vulnerability?

version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "/Resources/Python-framework-tool" # Location of package manifests
    schedule:
      interval: "weekly"

[YesThatAllen]

It seems that the issue is the unconventional name for the requirements file.

Renaming it to requirements.txt allowed the behavior I was looking for (after disabling the scanning), I guess it's just an oddity that the version scanning did NOT needs the file named requirements.txt