Maybe the python part should be skipped, as I see there is something else with https://github.com/web-platform-tests/wpt/blob/master/.pyup.yml that may already do that part

I believe there was a reason we chose not to use dependabot, but I've forgotten what it was. @gsnedders ?

It may be worth keeping the github-actions one, even if the NPM and Python parts aren't wanted

I believe there was a reason we chose not to use dependabot, but I've forgotten what it was. @gsnedders ?

Being able to restrict the versions it updates to; like how we have pillow==6.2.2; python_version <= '2.7' # pyup: <7.0 (which is presumably now redundant).

Yeah, it looks like their filtering is different, and might not support that syntax https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#specifying-dependencies-and-versions-to-ignore

Should I drop the PIP part, but keep the NPM and Actions?

Skipping PIP for now sounds good. Even if we want to do it, it's good to do it separately so it's easier to revert just that if it turns out to not work well.

OK, rebased out the PIP part, and left in the GitHub Actions + NPM updating

So if the concern with dependabot was Python-version-specific pinning, I think we could switch to that now that we're on Py3?

It that was the only issue, then having a single dependency bumper would be great!

let me know if you want to add back Python and/or drop pyup here, or if it's better for you folks to do that in a separate PR

I'll defer to @jgraham on that.

So it looks like Dependabot will also send updates to forks: https://github.com/autofoolip/wpt/pulls.

Judging by dependabot/dependabot-core#2804 it might not affect all forks. Has anyone else gotten a bunch of PRs?