From c376cdd2eeb448bdce39e058385f5f1bcc43701b Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre
Date: Wed, 29 Apr 2026 17:17:53 +0000
Subject: [PATCH] Configure Dependabot to only update Python dependencies in the lockfile. (#19743)

See:
- https://github.com/element-hq/synapse/pull/19742
- https://github.com/element-hq/synapse/pull/19686
(etc)

Documentation https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#versioning-strategy--

We were considering `lockfile-only` but it sounds like `increase-if-necessary` would increase the upper bound for us, if we had one. Let's try it.

---------

Signed-off-by: Olivier 'reivilibre
---
 .github/dependabot.yml | 1 +
 changelog.d/19743.misc | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 changelog.d/19743.misc

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 38920ead7a..dc5bcaed14 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,7 @@ updates:
     package-ecosystem: "pip"
     directory: "/"
     open-pull-requests-limit: 10
+    versioning-strategy: "increase-if-necessary"
     schedule:
       interval: "weekly"
     # Group patch updates to packages together into a single PR, as they rarely
diff --git a/changelog.d/19743.misc b/changelog.d/19743.misc
new file mode 100644
index 0000000000..35c4841386
--- /dev/null
+++ b/changelog.d/19743.misc
@@ -0,0 +1 @@
+Configure Dependabot to only update Python dependencies in the lockfile, unless widening upper bounds.
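Review bot: The new `versioning-strategy: "increase-if-necessary"` line carries no comment, so the reason for choosing it over `lockfile-only` lives only in this PR description and will be lost to the next person editing `.github/dependabot.yml`. As the description itself notes, this strategy still rewrites the manifest's version constraint when a new release falls outside the declared range, so some Dependabot PRs will loosen dependency bounds rather than only bump the lockfile, and reviewers should check the manifest diff on those rather than assuming a lockfile-only change. I would add above the new line: `# Keep routine bumps lockfile-only; only rewrite the manifest constraint when a new version is outside the declared range (see #19743).` The `updates` list item this hunk sits in starts before the hunk, so the item's leading `- ` line is not visible here.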