Is there an existing issue for this?
Package ecosystem
uv
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/zitadel/example-auth-django/blob/main/pyproject.toml
https://github.com/zitadel/example-auth-django/blob/main/uv.lock
dependabot.yml content
https://github.com/zitadel/example-auth-django/blob/main/.github/dependabot.yml
Updated dependency
Django, from 6.0.3 to 6.0.4 (5 open advisories, all unfixed).
What you expected to see, versus what you actually saw
Expected a security PR bumping django in uv.lock from 6.0.3 to 6.0.4.
Got no PR. The grouped run logs Skipping update group for 'uv-security-updates' as it does not match any allowed dependencies.
The advisory package name is Django (capital D). The uv parser PEP 503-normalises the lockfile name to django. DependencySnapshot#allowed_dependencies then does a case-sensitive Array#include? against job.dependencies, so the match fails and Django is dropped before the group update runs. job_dependencies in the same file already downcases both sides for exactly this reason, and the ungrouped security path uses that one - which is why removing the applies-to: security-updates group makes it work, and why cryptography on the same repo was updated fine.
https://github.com/dependabot/dependabot-core/blob/main/updater/lib/dependabot/dependency_snapshot.rb#L78-L84
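To make the mismatch concrete, here is a small stand-in in Ruby (added illustration, not dependabot-core's own code): a PEP 503 normaliser, the case-sensitive filter as described in the report, and the same filter with both sides normalised. Package names are constructed from this report.

```ruby
# Illustration of the case-sensitivity mismatch described above.
# Stand-in methods modelled on the report, not dependabot-core's own code.

# PEP 503 name normalisation as a uv lockfile parser applies it:
# runs of "-", "_" and "." collapse to "-" and the result is lowercased.
def pep503_normalize(name)
  name.gsub(/[-_.]+/, "-").downcase
end

# Case-sensitive filter: keep lockfile names that are literally present in
# the job's dependency list. "Django" (advisory spelling) never equals
# "django" (normalised lockfile spelling), so it is silently dropped.
def allowed_dependencies_case_sensitive(lockfile_names, job_dependencies)
  lockfile_names.select { |name| job_dependencies.include?(name) }
end

# Normalised filter: both sides are PEP 503-normalised before comparison,
# so the advisory spelling and the lockfile spelling agree.
def allowed_dependencies_normalized(lockfile_names, job_dependencies)
  allowed = job_dependencies.map { |dep| pep503_normalize(dep) }
  lockfile_names.select { |name| allowed.include?(pep503_normalize(name)) }
end

# Constructed sample data: names as the uv parser emits them, and an
# advisory-driven job dependency list with its original capitalisation.
LOCKFILE_NAMES = %w[django cryptography asgiref].freeze
JOB_DEPENDENCIES = ["Django", "cryptography"].freeze

if __FILE__ == $PROGRAM_NAME
  p allowed_dependencies_case_sensitive(LOCKFILE_NAMES, JOB_DEPENDENCIES)
  # => ["cryptography"]  (Django dropped before the group update runs)
  p allowed_dependencies_normalized(LOCKFILE_NAMES, JOB_DEPENDENCIES)
  # => ["django", "cryptography"]
end
```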
Native package manager behavior
uv lock --upgrade-package django resolves django==6.0.4 fine.
Images of the diff or a link to the PR, issue, or logs
https://github.com/zitadel/example-auth-django/security/dependabot
Smallest manifest that reproduces the issue
No response