Files included relatively in `requirements.in` file gets converted to absolute paths because of pip 25 upgrade

[alexwlchan]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

Python

Package manager version

uv 0.6.2 (6d3614eec 2025-02-19)

Language version

Python 3.13.1

Manifest location and content before the Dependabot update

I have a minimal example repo which demonstrates this issue: https://github.com/alexwlchan/dependabot-testing-2025-07-15/tree/main

• requirements.in:

  authlib
  

• dev_requirements.in

  -r requirements.in
  
  ruff
  

  (I should have written -r requirements.txt, but this line is relevant to this issue.)

• requirements.txt:

  # This file was autogenerated by uv via the following command:
  #    uv pip compile requirements.in --output-file requirements.txt
  authlib==1.5.2
      # via -r requirements.in
  cffi==1.17.1
      # via cryptography
  cryptography==45.0.5
      # via authlib
  pycparser==2.22
      # via cffi
  

• dev_requirements.txt:

  # This file was autogenerated by uv via the following command:
  #    uv pip compile dev_requirements.in --output-file dev_requirements.txt
  authlib==1.5.2
      # via -r requirements.in
  cffi==1.17.1
      # via cryptography
  cryptography==44.0.2
      # via authlib
  pycparser==2.22
      # via cffi
  ruff==0.12.1
      # via -r dev_requirements.in
  

dependabot.yml content

https://github.com/alexwlchan/dependabot-testing-2025-07-15/blob/main/.github/dependabot.yml

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

alexwlchan/dependabot-testing-2025-07-15#2

"Bumps ruff from 0.12.1 to 0.12.3."

What you expected to see, versus what you actually saw

The version number for ruff is updated, but nothing else.

This is the diff I'd expect:

 # This file was autogenerated by uv via the following command:
 #    uv pip compile dev_requirements.in --output-file dev_requirements.txt
 authlib==1.5.2
     # via -r requirements.in
 cffi==1.17.1
     # via cryptography
 cryptography==44.0.2
     # via authlib
 pycparser==2.22
     # via cffi
-ruff==0.12.1
+ruff==0.12.3
     # via -r dev_requirements.in

This is the diff I got:

 # This file was autogenerated by uv via the following command:
 #    uv pip compile dev_requirements.in --output-file dev_requirements.txt
 authlib==1.5.2
-    # via -r requirements.in
+    # via -r /home/dependabot/dependabot-updater/tmp/20250715-1355-wc4z3p/dependabot_20250715-1355-lk2w08/requirements.in
 cffi==1.17.1
     # via cryptography
 cryptography==44.0.2
     # via authlib
 pycparser==2.22
     # via cffi
-ruff==0.12.1
+ruff==0.12.3
     # via -r dev_requirements.in

Native package manager behavior

This looks like a weird interaction between pip-tools and pip – I see the same behaviour when using pip-tools locally (more notes below).

Images of the diff or a link to the PR, issue, or logs

Link to the relevant PR: alexwlchan/dependabot-testing-2025-07-15#2

Smallest manifest that reproduces the issue

Link to a minimal reproduction repo: https://github.com/alexwlchan/dependabot-testing-2025-07-15

[alexwlchan]

This worked in my Dependabot PRs yesterday, and the only commit that changed the Python-related Dependabot code yesterday was 6e4774b, which updated pip from 24.0 to 25.0.1.

I did some investigation, and it looks like this is actually an interaction between pip-tools and pip ≥24.3, which is tracked (and fixed) in upstream issue jazzband/pip-tools#2131

There's a fix in the pip-tools repo (jazzband/pip-tools#2195) but not in a released version yet. For now, the suggested fix seems to be pinning to a version of pip less than 24.3.

Here's a quick repro:

$ # Create a virtualenv
$ python3 -m venv .venv
$ source .venv/bin/activate

$ cat requirements.in
authlib

$ cat dev_requirements.in
-r requirements.in
ruff

$ pip install pip-tools==7.4.1

$ pip install pip==24
$ pip-compile dev_requirements.in
WARNING: --strip-extras is becoming the default in version 8.0.0. To silence this warning, either use --strip-extras to opt into the new default or use --no-strip-extras to retain the existing behavior.
#
# This file is autogenerated by pip-compile with Python 3.13
# by the following command:
#
#    pip-compile dev_requirements.in
#
authlib==1.6.0
    # via -r requirements.in
cffi==1.17.1
    # via cryptography
cryptography==45.0.5
    # via authlib
pycparser==2.22
    # via cffi
ruff==0.12.3
    # via -r dev_requirements.in

$ pip install pip==25
$ pip-compile dev_requirements.in
WARNING: --strip-extras is becoming the default in version 8.0.0. To silence this warning, either use --strip-extras to opt into the new default or use --no-strip-extras to retain the existing behavior.
#
# This file is autogenerated by pip-compile with Python 3.13
# by the following command:
#
#    pip-compile dev_requirements.in
#
authlib==1.6.0
    # via -r /private/var/folders/lp/1yl_g9ls2_g3l2tkmb6fpg0h0000gn/T/tmp.uViWYT0WuC/requirements.in
cffi==1.17.1
    # via cryptography
cryptography==45.0.5
    # via authlib
pycparser==2.22
    # via cffi
ruff==0.12.3
    # via -r dev_requirements.in

[sachin-sandhu]

@alexwlchan,

thanks for the digging down the issue and solution, ill make adjustments accordingly.

[sachin-sandhu]

@alexwlchan,
we have downgraded pip to 24.2 for now, Please let us know if you have any issues