ci: ignore aiohttp in Dependabot (unsolvable downstream)

rustyconover · claude · rustyconover · commit b8e20e36f135 · 2026-06-18T10:01:34.000-04:00
The security updater fails every run trying to bump aiohttp for its CVEs:
vgi-rpc[external] caps aiohttp &lt;3.14 but the fixes are only in &gt;=3.14, so
the resolution is unsatisfiable. Ignore aiohttp here to stop the recurring
"Dependabot Updates" failure; the alerts remain visible. Lifting the cap
upstream in vgi-rpc-python is the actual fix.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -19,6 +19,14 @@ updates:
         update-types:
           - "minor"
           - "patch"
+    ignore:
+      # aiohttp is transitive via vgi-rpc[external], which caps it at <3.14.
+      # The aiohttp CVE fixes only exist in >=3.14, so no bump is resolvable
+      # from this repo — the security updater errors out every run with
+      # "requirements are unsatisfiable". Ignore it here so Dependabot stops
+      # failing on an impossible update; the alerts stay visible in the
+      # security tab. The real fix is lifting the cap upstream in vgi-rpc.
+      - dependency-name: "aiohttp"
 
   # GitHub Actions used by the workflows in .github/workflows/.
   - package-ecosystem: "github-actions"
