Most of the configuration is done in the `.pyup.yml` config file. If you are looking for configuration on a per dependency basis, take a look at filter.
To change the default configuration, create a new file called `.pyup.yml` (note the `.`) in the root directory of your repository.
```yaml
# configure updates globally
# default: all
# allowed: all, insecure, False
update: all

# configure dependency pinning globally
# default: True
# allowed: True, False
pin: True

# set the default branch
# default: empty, the default branch on GitHub
branch: dev

# update schedule
# default: empty
# allowed: "every day", "every week", ..
schedule: "every day"

# search for requirement files
# default: True
# allowed: True, False
search: True

# Specify requirement files by hand, default is empty
# default: empty
# allowed: list
requirements:
  - requirements/staging.txt:
      # update all dependencies and pin them
      update: all
      pin: True
  - requirements/dev.txt:
      # don't update dependencies, use global 'pin' default
      update: False
  - requirements/prod.txt:
      # update insecure only, pin all
      update: insecure
      pin: True

# add a label to pull requests, default is not set
# requires private repo permissions, even on public repos
# default: empty
label_prs: update

# assign users to pull requests, default is not set
# requires private repo permissions, even on public repos
# default: empty
assignees:
  - carl
  - carlsen

# configure the branch prefix the bot is using
# default: pyup-
branch_prefix: pyup/

# set a global prefix for PRs
# default: empty
pr_prefix: "Bug #12345"

# allow to close stale PRs
# default: True
close_prs: True
```
The bot's default setting is to update all dependencies as soon as a new release is available.
There are quite a few use cases and workflows where this is not the desired behavior.
Maybe you have a large legacy codebase and are only interested in security fixes, or you are working on a library and don't care about automated updates and just want a nice UI for your dependencies. This is what the `update` directive is for.
To control what the bot updates on a global level, set the
If you just want to receive security updates:
Or, if you don't want to receive any updates at all:
If you want to control this on a per file basis, please take a look at specifying files.
The bot uses GitHub's default branch to open new pull requests (usually
to change the default branch, add the following line to your config file:
This will tell the bot to use the `dev` branch from now on.
By default, the bot will open a Pull Request as soon as there's an update for one of your dependencies available. If this creates too much noise, you can tell the bot to hold back updates and bundle them in a single Pull Request on a daily, weekly, biweekly or monthly basis.
Additionally, for weekly and biweekly updates, you can pick a weekday.
schedule: "every day"
schedule: "every week"
schedule: "every week on thursday"
schedule: "every two weeks"
schedule: "every two weeks on monday"
schedule: "every month"
The bot pins dependencies without version specifiers to the latest version by default. This
means that unpinned dependencies like
This makes your build predictable and deterministic across environments and is good for end products.
If you don't want the bot to pin your dependencies without version specifiers, add the following to your config file.
You can also control this on a per file basis, check out specify files.
By default, the bot will search the repository for requirement files to use. The search
function is fairly simple.
It looks for
.pip files with
the file path.
This will match the most common locations like:
- requirements.txt
- requirements/local.txt
- requirements/dev.txt
If you want to disable the search function, add the following to your config file.
To get more fine-grained control over which requirement files are picked up by the bot, look at specify files.
Adding requirement files manually allows you to add files the bot might not find on its own
and to get fine grained control over the
If you want to point the bot to a requirement file, simply add it to the `requirements` list in your config file:

```yaml
requirements:
  - foo/req.txt
```
This will pick up the requirement file in
To set the `update` directive per file:

```yaml
requirements:
  - requirements/staging.txt:
      update: all
  - requirements/dev.txt:
      update: False
  - requirements/prod.txt:
      update: insecure
```
This will tell the bot to send pull requests for all updates in
security updates for
production.txt and to send no pull requests from
It's also possible to set the `pin` directive per file:

```yaml
requirements:
  - requirements.txt
  - requirements_dev.txt:
      pin: False
```
This configuration will pin
requirements.txt, but not
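To see which policy each requirement file ends up with once per-file settings are layered over the global ones, the following added example (not part of the bot's own code) resolves the effective `update` and `pin` values, rejects values outside the allowed sets listed above, and lists files that receive no pull requests at all. It assumes the config has already been parsed into a Python dict by a YAML loader; `effective_policy`, `no_security_updates` and `SAMPLE` are hypothetical names.

```python
import re

# Defaults and allowed values as documented on this page.
DEFAULTS = {"update": "all", "pin": True}
ALLOWED = {"update": ("all", "insecure", False), "pin": (True, False)}
SCHEDULE_RE = re.compile(
    r"^every (day|month|(week|two weeks)"
    r"( on (mon|tues|wednes|thurs|fri|satur|sun)day)?)$")

def _allowed(key, value):
    # Compare type as well as value so that 0/1 do not pass as False/True.
    return any(type(value) is type(a) and value == a for a in ALLOWED[key])

def effective_policy(config):
    """Return ({path: {"update": ..., "pin": ...}}, [problems])."""
    problems = []
    base = {k: config.get(k, d) for k, d in DEFAULTS.items()}
    for key, value in base.items():
        if not _allowed(key, value):
            problems.append(f"global {key}: {value!r} is not allowed")
    schedule = config.get("schedule")
    if schedule is not None and not SCHEDULE_RE.match(str(schedule)):
        problems.append(f"schedule: {schedule!r} is not a documented form")
    policy = {}
    for entry in config.get("requirements") or []:
        # An item is a bare path or a one-key mapping {path: overrides}.
        path, overrides = next(iter(entry.items())) if isinstance(entry, dict) else (entry, None)
        merged = {k: (overrides or {}).get(k, base[k]) for k in DEFAULTS}
        for key, value in merged.items():
            if not _allowed(key, value):
                problems.append(f"{path} {key}: {value!r} is not allowed")
        policy[path] = merged
    return policy, problems

def no_security_updates(policy):
    """Files with update: False, i.e. no pull requests at all."""
    return sorted(p for p, v in policy.items() if v["update"] is False)

# Constructed sample: the dict a YAML loader would return for a .pyup.yml.
SAMPLE = {
    "update": "insecure", "schedule": "every week on thursday",
    "requirements": [
        "requirements.txt",
        {"requirements/staging.txt": {"update": "all"}},
        {"requirements/dev.txt": {"update": False, "pin": False}},
        {"requirements/prod.txt": {"update": "yes"}},
    ],
}
```

Running `effective_policy(SAMPLE)` shows that the bare `requirements.txt` entry inherits the global `insecure` setting, while `requirements/dev.txt` is the only file excluded from security fixes.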
*Please note: The bot needs the private repo scope to create the label. Even on public repos.*
The bot can label pull requests it creates automatically.
To enable it, add the following to your config file
*Please note: The bot needs the private repo scope in order to assign people to pull requests. Even on public repos.*
The bot can automatically assign people to pull requests it creates.
To enable it, add the following to your config file
If you want the bot to assign multiple people:
```yaml
assignees:
  - carl
  - carlsen
```
Change the default branch prefix
By default, the bot uses `pyup-` as a prefix for all branches it creates.
This can be changed by setting the `branch_prefix` in your config
Close stale PRs
The bot will close stale pull requests by default.
A stale pull request is an open pull request that has been superseded by a new one.
- There is an open pull request to pin requests to
- The requests package maintainers issue a new release
- The bot will create a new pull request to pin requests to `requests==1.4`. The old (stale) pull request is closed and the bot will link to the new pull request.
To disable it, add the following to your config file:
If you have additional questions, please don't hesitate to contact firstname.lastname@example.org.