Python: Support inline script metadata (PEP 723)

[woodruffw]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

Hello Dependabot maintainers! Thank you for creating Dependabot, it's a fantastic tool.

This is similar to #10478, but not the same: #10478 concerns uv and uv.lock specifically, while this is about inline script metadata, which is not specific to uv and involves individual Python source files, not uv.lock files.

TL;DR: Inline script metadata is a Python packaging standard that specifies an inline metadata format for Python scripts, which appears as a contiguous preamble comment at the head of a Python file (after the shebang). For example:

# /// script
# requires-python = ">=3.13"
# dependencies = [
#     "pre-commit==4.2.0",
#     "pytz==2025.2",
#     "requests==2.32.3",
#     "requests-cache==1.2.1",
# ]
# ///

This preamble comment is formatted as TOML and contains much of the same information as a pyproject.toml would, which Dependabot already supports. In particular, it supports a dependencies key that behaves the same as in pyproject.toml, and as exemplified above.

I would like Dependabot to support this preamble (detect /// script and /// as delimiters) for version updating purposes! Doing so should be able to reuse most of the existing pyproject.toml machinery; the main change is probably a small amount of pre- and post-processing to mold the dependency changes back into the comment preamble format.

Supporting this would be a huge boon for the Python ecosystem, which has increasingly come to rely on inline script metadata as a replacement for "sidecar" requirements.txt files.

Additional resources:

• PEP 723 (original standardization PEP)
• Inline script metadata spec (living version of PEP 723)
• uv - inline script dependencies

[zanieb]

As a minor note, uv does support lockfiles for PEP 723 scripts (which would also need to be updated when using uv).

[potiuk]

I agree it would be useful. We have just migrated airflow to prek from pre-commit and switched all (65) of our prek hools to inline the dependencies in airflow apache/airflow#54917 after prek 0.1.3 supports them.

It would be great to. have dependabot could update those inline scripts dependencies.

[woodruffw]

For others hitting this: I believe this is still an issue, including (unfortunately) with uv's script lockfile support: uv will correctly produce a <script>.lock file, but Dependabot appears to fail to discover it:

Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+-----------------------------------------------------------------+
|                             Errors                              |
+---------------------------+-------------------------------------+
| Type                      | Details                             |
+---------------------------+-------------------------------------+
| dependency_file_not_found | {                                   |
|                           |   "message": "No files found in /", |
|                           |   "file-path": null                 |
|                           | }                                   |
+---------------------------+-------------------------------------+

(That's with an action.py.lock file in the repository root.)